# syzkaller reproducer, followed by the kernel console log of the run.
# The log reports a lockdep "possible circular locking dependency" in the
# NET/ROM routing code on 6.16.0-rc3-syzkaller-00121-gf02769e7f272.
#
# Lock order according to the report:
#   nr_rt_ioctl path:       nr_node_list_lock -> &nr_node->node_lock -> nr_neigh_list_lock
#   nr_rt_device_down path: nr_neigh_list_lock (+0x28) -> nr_node_list_lock (+0xa9)
# The two paths nest the same locks in opposite order (ABBA).
#
# Triage notes:
# - lockdep flags a *possible* deadlock; the log continues after the splat
#   (bond0 finishes enslaving rose0), so no hang was observed in this run.
# - The reporting task is UID 0 ("CPU: 0 UID: 0 PID: 5330"); whether a less
#   privileged caller can reach both paths is not established by this page.
# - NOTE(review): the remedy is one consistent nesting order in both paths; the
#   report alone does not say which side should change.
program:
# NET/ROM socket (family 0x6, type 0x5); r0 carries every routing ioctl below.
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
# The TIPC, unix socketpair, SIOCGIFINDEX, bt_sco, ax25 setsockopt and 0x8914 calls
# that follow have no frames in the reported lock chains; presumably fuzzer residue.
r1 = socket$tipc(0x1e, 0x2, 0x0)
setsockopt$TIPC_GROUP_JOIN(r1, 0x10f, 0x87, &(0x7f00000000c0)={0x42, 0x1000004, 0x3}, 0x10)
bind$tipc(r1, 0x0, 0x0)
close(r1)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff})
# r2 is never assigned in this program (the socketpair result above is not named).
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# fd argument is 0xffffffffffffffff (-1), so this setsockopt has no socket to act on.
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
# Routing ioctls (0x890b) on the NET/ROM socket, all naming device @bpq0.
# The report's chain entries #1 and #2 are spin-lock acquisitions inside nr_rt_ioctl
# reached via sock_ioctl; which of these calls recorded each edge is not visible here.
# NOTE(review): the leading 0x1 / 0x0 field looks like the route type (node vs.
# neighbour) from the NET/ROM uapi; confirm against the syzkaller description.
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000280)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bpq0, 0xfffd, 'syz0\x00', @default, 0xfffffdb8, 0x2, [@default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast]})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x6, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]})
# X.25 socket (family 0x9); used below only as the fd for the bonding ioctl.
r4 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$SIOCNRDECOBS(r0, 0x89e2)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000000c0)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0xb9, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, 0xd, 0x0, [@null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @null, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
# This is the call executing when lockdep fired (RSI = 0x8990 in the register dump):
# enslaving rose0 to bond0. Stack, with rtnl_mutex held: bond_do_ioctl -> bond_enslave
# -> bond_setup_by_slave -> dev_close -> bpq_device_event -> dev_close
# -> nr_device_event -> nr_rt_device_down.
ioctl$sock_ifreq(r4, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
# --- kernel console output for the run above ---
[ 85.266994][ T5305] Bluetooth: hci0: command tx timeout [ 85.378810][ T5330] [ 85.380032][ T5330] ====================================================== [ 85.383080][ T5330] WARNING: possible circular locking dependency detected [ 85.385924][ T5330] 6.16.0-rc3-syzkaller-00121-gf02769e7f272 #0 Not tainted [ 85.388901][ T5330] ------------------------------------------------------ [ 85.391901][ T5330] syz.0.0/5330 is trying to acquire lock: [ 85.394391][ T5330] ffffffff8f6689b8 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xa9/0x720 [ 85.398789][ T5330] [ 85.398789][ T5330] but task is already holding lock: [ 85.402114][ T5330] ffffffff8f668958 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720 [ 85.406327][ T5330] [ 85.406327][ T5330] which lock already depends on the new lock. 
[ 85.406327][ T5330] [ 85.410845][ T5330] [ 85.410845][ T5330] the existing dependency chain (in reverse order) is: [ 85.414796][ T5330] [ 85.414796][ T5330] -> #2 (nr_neigh_list_lock){+...}-{3:3}: [ 85.418209][ T5330] lock_acquire+0x120/0x360 [ 85.420356][ T5330] _raw_spin_lock_bh+0x36/0x50 [ 85.422695][ T5330] nr_rt_ioctl+0x390/0xd50 [ 85.424946][ T5330] sock_do_ioctl+0xd9/0x300 [ 85.427165][ T5330] sock_ioctl+0x576/0x790 [ 85.429106][ T5330] __se_sys_ioctl+0xf9/0x170 [ 85.431436][ T5330] do_syscall_64+0xfa/0x3b0 [ 85.433677][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.436401][ T5330] [ 85.436401][ T5330] -> #1 (&nr_node->node_lock){+...}-{3:3}: [ 85.439695][ T5330] lock_acquire+0x120/0x360 [ 85.442008][ T5330] _raw_spin_lock_bh+0x36/0x50 [ 85.444671][ T5330] nr_rt_ioctl+0x193/0xd50 [ 85.446905][ T5330] sock_do_ioctl+0xd9/0x300 [ 85.449033][ T5330] sock_ioctl+0x576/0x790 [ 85.451319][ T5330] __se_sys_ioctl+0xf9/0x170 [ 85.453823][ T5330] do_syscall_64+0xfa/0x3b0 [ 85.456329][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.459280][ T5330] [ 85.459280][ T5330] -> #0 (nr_node_list_lock){+...}-{3:3}: [ 85.462447][ T5330] validate_chain+0xb9b/0x2140 [ 85.464837][ T5330] __lock_acquire+0xab9/0xd20 [ 85.466990][ T5330] lock_acquire+0x120/0x360 [ 85.469306][ T5330] _raw_spin_lock_bh+0x36/0x50 [ 85.471908][ T5330] nr_rt_device_down+0xa9/0x720 [ 85.474596][ T5330] nr_device_event+0x137/0x150 [ 85.476868][ T5330] notifier_call_chain+0x1b3/0x3e0 [ 85.479218][ T5330] dev_close_many+0x29c/0x410 [ 85.481393][ T5330] netif_close+0x158/0x210 [ 85.483466][ T5330] dev_close+0x10a/0x220 [ 85.485437][ T5330] bpq_device_event+0x2f4/0x600 [ 85.487759][ T5330] notifier_call_chain+0x1b3/0x3e0 [ 85.490074][ T5330] dev_close_many+0x29c/0x410 [ 85.492350][ T5330] netif_close+0x158/0x210 [ 85.494306][ T5330] dev_close+0x10a/0x220 [ 85.496490][ T5330] bond_setup_by_slave+0x5f/0x3f0 [ 85.498874][ T5330] bond_enslave+0x7a0/0x3a20 [ 85.501042][ T5330] bond_do_ioctl+0x635/0x9b0 [ 
85.503277][ T5330] dev_ifsioc+0x908/0xf00 [ 85.505498][ T5330] dev_ioctl+0x7b4/0x1150 [ 85.507568][ T5330] sock_do_ioctl+0x22c/0x300 [ 85.509638][ T5330] sock_ioctl+0x576/0x790 [ 85.511679][ T5330] __se_sys_ioctl+0xf9/0x170 [ 85.513822][ T5330] do_syscall_64+0xfa/0x3b0 [ 85.516014][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.518684][ T5330] [ 85.518684][ T5330] other info that might help us debug this: [ 85.518684][ T5330] [ 85.523058][ T5330] Chain exists of: [ 85.523058][ T5330] nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock [ 85.523058][ T5330] [ 85.528728][ T5330] Possible unsafe locking scenario: [ 85.528728][ T5330] [ 85.531794][ T5330] CPU0 CPU1 [ 85.533926][ T5330] ---- ---- [ 85.536163][ T5330] lock(nr_neigh_list_lock); [ 85.538243][ T5330] lock(&nr_node->node_lock); [ 85.541329][ T5330] lock(nr_neigh_list_lock); [ 85.544326][ T5330] lock(nr_node_list_lock); [ 85.546318][ T5330] [ 85.546318][ T5330] *** DEADLOCK *** [ 85.546318][ T5330] [ 85.549816][ T5330] 2 locks held by syz.0.0/5330: [ 85.552018][ T5330] #0: ffffffff8f50ff48 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7a4/0x1150 [ 85.555900][ T5330] #1: ffffffff8f668958 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720 [ 85.560124][ T5330] [ 85.560124][ T5330] stack backtrace: [ 85.562579][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00121-gf02769e7f272 #0 PREEMPT(full) [ 85.562597][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.562605][ T5330] Call Trace: [ 85.562612][ T5330] [ 85.562618][ T5330] dump_stack_lvl+0x189/0x250 [ 85.562647][ T5330] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.562664][ T5330] ? __pfx__printk+0x10/0x10 [ 85.562675][ T5330] ? print_lock_name+0xde/0x100 [ 85.562686][ T5330] print_circular_bug+0x2ee/0x310 [ 85.562699][ T5330] check_noncircular+0x134/0x160 [ 85.562711][ T5330] validate_chain+0xb9b/0x2140 [ 85.562722][ T5330] ? 
rt6_disable_ip+0x6b3/0x720 [ 85.562738][ T5330] ? __lock_acquire+0xab9/0xd20 [ 85.562754][ T5330] __lock_acquire+0xab9/0xd20 [ 85.562770][ T5330] ? nr_rt_device_down+0xa9/0x720 [ 85.562785][ T5330] lock_acquire+0x120/0x360 [ 85.562799][ T5330] ? nr_rt_device_down+0xa9/0x720 [ 85.562816][ T5330] ? nr_rt_device_down+0xa9/0x720 [ 85.562831][ T5330] _raw_spin_lock_bh+0x36/0x50 [ 85.562842][ T5330] ? nr_rt_device_down+0xa9/0x720 [ 85.562852][ T5330] nr_rt_device_down+0xa9/0x720 [ 85.562861][ T5330] ? do_raw_spin_unlock+0x4d/0x240 [ 85.562869][ T5330] nr_device_event+0x137/0x150 [ 85.562879][ T5330] notifier_call_chain+0x1b3/0x3e0 [ 85.562890][ T5330] dev_close_many+0x29c/0x410 [ 85.562898][ T5330] ? __pfx_dev_close_many+0x10/0x10 [ 85.562907][ T5330] ? __try_to_del_timer_sync+0x34a/0x3a0 [ 85.562919][ T5330] ? bond_netdev_event+0x227/0xe80 [ 85.562931][ T5330] netif_close+0x158/0x210 [ 85.562941][ T5330] ? __pfx_netif_close+0x10/0x10 [ 85.562951][ T5330] ? tun_device_event+0x77/0x1020 [ 85.562970][ T5330] dev_close+0x10a/0x220 [ 85.562982][ T5330] bpq_device_event+0x2f4/0x600 [ 85.562995][ T5330] notifier_call_chain+0x1b3/0x3e0 [ 85.563014][ T5330] dev_close_many+0x29c/0x410 [ 85.563026][ T5330] ? __pfx_dev_close_many+0x10/0x10 [ 85.563039][ T5330] netif_close+0x158/0x210 [ 85.563049][ T5330] ? __pfx_netif_close+0x10/0x10 [ 85.563058][ T5330] ? do_raw_spin_lock+0x121/0x290 [ 85.563070][ T5330] ? __local_bh_enable_ip+0x12d/0x1c0 [ 85.563087][ T5330] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.563101][ T5330] dev_close+0x10a/0x220 [ 85.563113][ T5330] bond_setup_by_slave+0x5f/0x3f0 [ 85.563127][ T5330] bond_enslave+0x7a0/0x3a20 [ 85.563140][ T5330] ? arch_stack_walk+0xfc/0x150 [ 85.563155][ T5330] ? __pfx_bond_enslave+0x10/0x10 [ 85.563169][ T5330] ? apparmor_capable+0x137/0x1b0 [ 85.563186][ T5330] ? full_name_hash+0x92/0xe0 [ 85.563200][ T5330] ? netdev_name_node_lookup+0xdf/0x120 [ 85.563214][ T5330] bond_do_ioctl+0x635/0x9b0 [ 85.563233][ T5330] ? 
__pfx_bond_do_ioctl+0x10/0x10 [ 85.563246][ T5330] ? trace_contention_end+0x39/0x120 [ 85.563256][ T5330] ? __mutex_lock+0x330/0xe80 [ 85.563275][ T5330] ? full_name_hash+0x92/0xe0 [ 85.563290][ T5330] ? netdev_name_node_lookup+0xdf/0x120 [ 85.563306][ T5330] dev_ifsioc+0x908/0xf00 [ 85.563319][ T5330] ? dev_load+0x21/0x1f0 [ 85.563327][ T5330] dev_ioctl+0x7b4/0x1150 [ 85.563337][ T5330] sock_do_ioctl+0x22c/0x300 [ 85.563352][ T5330] ? __pfx_sock_do_ioctl+0x10/0x10 [ 85.563365][ T5330] ? __lock_acquire+0xab9/0xd20 [ 85.563383][ T5330] sock_ioctl+0x576/0x790 [ 85.563397][ T5330] ? __pfx_sock_ioctl+0x10/0x10 [ 85.563411][ T5330] ? __fget_files+0x2a/0x420 [ 85.563421][ T5330] ? __fget_files+0x3a0/0x420 [ 85.563428][ T5330] ? __fget_files+0x2a/0x420 [ 85.563435][ T5330] ? bpf_lsm_file_ioctl+0x9/0x20 [ 85.563445][ T5330] ? __pfx_sock_ioctl+0x10/0x10 [ 85.563453][ T5330] __se_sys_ioctl+0xf9/0x170 [ 85.563467][ T5330] do_syscall_64+0xfa/0x3b0 [ 85.563482][ T5330] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.563497][ T5330] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.563507][ T5330] ? 
clear_bhb_loop+0x60/0xb0 [ 85.563518][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.563528][ T5330] RIP: 0033:0x7f214638e929 [ 85.563540][ T5330] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.563549][ T5330] RSP: 002b:00007f21471a9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 85.563562][ T5330] RAX: ffffffffffffffda RBX: 00007f21465b5fa0 RCX: 00007f214638e929 [ 85.563570][ T5330] RDX: 0000200000000180 RSI: 0000000000008990 RDI: 0000000000000008 [ 85.563577][ T5330] RBP: 00007f2146410b39 R08: 0000000000000000 R09: 0000000000000000 [ 85.563583][ T5330] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.563590][ T5330] R13: 0000000000000000 R14: 00007f21465b5fa0 R15: 00007ffc0da16d58 [ 85.563599][ T5330] [ 85.851871][ T5330] 8021q: adding VLAN 0 to HW filter on device bond0 [ 85.859308][ T5330] bond0: (slave rose0): Enslaving as an active interface with an up link