program: socket$inet_icmp_raw(0x2, 0x3, 0x1) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5) close(0x4) syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00') unshare(0x6a040000) r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x12}, [@IFLA_MTU={0x8, 0x4, 0x5e0}, @IFLA_GROUP={0x8}]}, 0x30}}, 0x0) [ 85.886212][ T4664] Bluetooth: hci0: command tx timeout [ 86.246027][ T5323] e1000 0000:00:06.0 eth0: Reset adapter [ 86.248907][ T5326] [ 86.249945][ T5326] ====================================================== [ 86.252663][ T5326] WARNING: possible circular locking dependency detected [ 86.255105][ T5326] 6.15.0-rc7-syzkaller-00144-gb1427432d3b6 #0 Not tainted [ 86.257631][ T5326] ------------------------------------------------------ [ 86.260236][ T5326] syz.0.0/5326 is trying to acquire lock: [ 86.262487][ T5326] ffff8880354116f0 ((work_completion)(&adapter->reset_task)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 86.267509][ T5326] [ 86.267509][ T5326] but task is already holding lock: [ 86.270754][ T5326] ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 [ 86.274495][ T5326] [ 86.274495][ T5326] which lock already depends on the new lock. [ 86.274495][ T5326] [ 86.278602][ T5326] [ 86.278602][ T5326] the existing dependency chain (in reverse order) is: [ 86.282063][ T5326] [ 86.282063][ T5326] -> #1 (rtnl_mutex){+.+.}-{4:4}: [ 86.285204][ T5326] lock_acquire+0x120/0x360 [ 86.287468][ T5326] __mutex_lock+0x182/0xe80 [ 86.289585][ T5326] e1000_reset_task+0x56/0xc0 [ 86.291799][ T5326] process_scheduled_works+0xadb/0x17a0 [ 86.294376][ T5326] worker_thread+0x8a0/0xda0 [ 86.296473][ T5326] kthread+0x70e/0x8a0 [ 86.298300][ T5326] ret_from_fork+0x4b/0x80 [ 86.300254][ T5326] ret_from_fork_asm+0x1a/0x30 [ 86.302401][ T5326] [ 86.302401][ T5326] -> #0 ((work_completion)(&adapter->reset_task)){+.+.}-{0:0}: [ 86.307185][ T5326] validate_chain+0xb9b/0x2140 [ 86.309548][ T5326] __lock_acquire+0xaac/0xd20 [ 86.311862][ T5326] lock_acquire+0x120/0x360 [ 86.314114][ T5326] __flush_work+0x6b8/0xbc0 [ 86.316316][ T5326] __cancel_work_sync+0xbe/0x110 [ 86.318755][ T5326] e1000_down+0x402/0x6b0 [ 86.320983][ T5326] e1000_close+0x17b/0xa10 [ 86.323135][ T5326] __dev_close_many+0x361/0x6f0 [ 86.325417][ T5326] __dev_change_flags+0x2c7/0x6d0 [ 86.327875][ T5326] netif_change_flags+0x88/0x1a0 [ 86.330275][ T5326] do_setlink+0xcb9/0x40d0 [ 86.332489][ T5326] rtnl_newlink+0x149f/0x1c70 [ 86.334797][ T5326] rtnetlink_rcv_msg+0x7cc/0xb70 [ 86.337217][ T5326] netlink_rcv_skb+0x219/0x490 [ 86.339592][ T5326] netlink_unicast+0x75b/0x8d0 [ 86.341913][ T5326] netlink_sendmsg+0x805/0xb30 [ 86.344259][ T5326] __sock_sendmsg+0x21c/0x270 [ 86.346513][ T5326] ____sys_sendmsg+0x505/0x830 [ 86.348846][ T5326] ___sys_sendmsg+0x21f/0x2a0 [ 86.351095][ T5326] __x64_sys_sendmsg+0x19b/0x260 [ 86.353520][ T5326] do_syscall_64+0xf6/0x210 [ 86.355818][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.358621][ T5326] [ 86.358621][ T5326] other info that might help us debug this: [ 86.358621][ T5326] [ 86.363099][ T5326] Possible unsafe locking scenario: [ 86.363099][ T5326] [ 86.366434][ T5326] CPU0 CPU1 [ 86.368859][ T5326] ---- ---- [ 86.371248][ T5326] lock(rtnl_mutex); [ 86.373093][ T5326] lock((work_completion)(&adapter->reset_task)); [ 86.376998][ T5326] lock(rtnl_mutex); [ 86.379921][ T5326] lock((work_completion)(&adapter->reset_task)); [ 86.382831][ T5326] [ 86.382831][ T5326] *** DEADLOCK *** [ 86.382831][ T5326] [ 86.386232][ T5326] 2 locks held by syz.0.0/5326: [ 86.388403][ T5326] #0: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 [ 86.392205][ T5326] #1: ffffffff8df3dee0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.396080][ T5326] [ 86.396080][ T5326] stack backtrace: [ 86.398678][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.15.0-rc7-syzkaller-00144-gb1427432d3b6 #0 PREEMPT(full) [ 86.398722][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.398740][ T5326] Call Trace: [ 86.398795][ T5326] [ 86.398802][ T5326] dump_stack_lvl+0x189/0x250 [ 86.398830][ T5326] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.398846][ T5326] ? __pfx__printk+0x10/0x10 [ 86.398857][ T5326] ? print_lock_name+0xde/0x100 [ 86.398877][ T5326] print_circular_bug+0x2ee/0x310 [ 86.398892][ T5326] check_noncircular+0x134/0x160 [ 86.398906][ T5326] validate_chain+0xb9b/0x2140 [ 86.398917][ T5326] ? do_raw_spin_lock+0x121/0x290 [ 86.398932][ T5326] ? look_up_lock_class+0x74/0x170 [ 86.398946][ T5326] ? register_lock_class+0x51/0x320 [ 86.398964][ T5326] __lock_acquire+0xaac/0xd20 [ 86.398982][ T5326] ? __flush_work+0xd2/0xbc0 [ 86.398995][ T5326] lock_acquire+0x120/0x360 [ 86.399011][ T5326] ? __flush_work+0xd2/0xbc0 [ 86.399024][ T5326] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.399036][ T5326] ? __flush_work+0xd2/0xbc0 [ 86.399047][ T5326] __flush_work+0x6b8/0xbc0 [ 86.399059][ T5326] ? __flush_work+0xd2/0xbc0 [ 86.399071][ T5326] ? __flush_work+0xd2/0xbc0 [ 86.399083][ T5326] ? __pfx___flush_work+0x10/0x10 [ 86.399095][ T5326] ? __pfx_wq_barrier_func+0x10/0x10 [ 86.399109][ T5326] ? __pfx___cancel_work+0x10/0x10 [ 86.399121][ T5326] ? __local_bh_enable_ip+0x12d/0x1c0 [ 86.399134][ T5326] __cancel_work_sync+0xbe/0x110 [ 86.399147][ T5326] e1000_down+0x402/0x6b0 [ 86.399183][ T5326] ? e1000_down+0xb2/0x6b0 [ 86.399199][ T5326] ? e1000_free_all_tx_resources+0x1b0/0x280 [ 86.399219][ T5326] e1000_close+0x17b/0xa10 [ 86.399234][ T5326] ? do_raw_spin_unlock+0x4d/0x240 [ 86.399246][ T5326] ? dev_deactivate_many+0xb82/0xd40 [ 86.399260][ T5326] ? __pfx_e1000_close+0x10/0x10 [ 86.399278][ T5326] ? dev_deactivate_many+0x258/0xd40 [ 86.399292][ T5326] ? __pfx_e1000_close+0x10/0x10 [ 86.399309][ T5326] __dev_close_many+0x361/0x6f0 [ 86.399338][ T5326] ? __pfx___dev_close_many+0x10/0x10 [ 86.399353][ T5326] __dev_change_flags+0x2c7/0x6d0 [ 86.399371][ T5326] ? __pfx_netif_set_mtu_ext+0x10/0x10 [ 86.399414][ T5326] ? __pfx___dev_change_flags+0x10/0x10 [ 86.399427][ T5326] ? netif_state_change+0x256/0x3a0 [ 86.399437][ T5326] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 86.399453][ T5326] netif_change_flags+0x88/0x1a0 [ 86.399469][ T5326] do_setlink+0xcb9/0x40d0 [ 86.399488][ T5326] ? __pfx_do_setlink+0x10/0x10 [ 86.399500][ T5326] ? do_raw_spin_lock+0x121/0x290 [ 86.399516][ T5326] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.399530][ T5326] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 86.399541][ T5326] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.399555][ T5326] ? rcu_is_watching+0x15/0xb0 [ 86.399566][ T5326] ? __mutex_lock+0xa6d/0xe80 [ 86.399580][ T5326] ? __mutex_lock+0x51b/0xe80 [ 86.399594][ T5326] ? rtnl_newlink+0x8db/0x1c70 [ 86.399607][ T5326] ? __pfx___mutex_lock+0x10/0x10 [ 86.399623][ T5326] ? ns_capable+0x8a/0xf0 [ 86.399634][ T5326] ? rtnl_link_get_net_capable+0x16a/0x350 [ 86.399650][ T5326] rtnl_newlink+0x149f/0x1c70 [ 86.399665][ T5326] ? __pfx_rtnl_newlink+0x10/0x10 [ 86.399678][ T5326] ? _raw_spin_unlock_irqrestore+0x85/0x110 [ 86.399690][ T5326] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.399705][ T5326] ? __lock_acquire+0xaac/0xd20 [ 86.399723][ T5326] ? __lock_acquire+0xaac/0xd20 [ 86.399741][ T5326] ? is_bpf_text_address+0x26/0x2b0 [ 86.399757][ T5326] ? is_bpf_text_address+0x292/0x2b0 [ 86.399772][ T5326] ? is_bpf_text_address+0x26/0x2b0 [ 86.399795][ T5326] ? aa_get_newest_label+0xf7/0x5d0 [ 86.399810][ T5326] ? __lock_acquire+0xaac/0xd20 [ 86.399832][ T5326] ? __pfx_rtnl_newlink+0x10/0x10 [ 86.399846][ T5326] rtnetlink_rcv_msg+0x7cc/0xb70 [ 86.399861][ T5326] ? kasan_save_track+0x4f/0x80 [ 86.399875][ T5326] ? rtnetlink_rcv_msg+0x1ab/0xb70 [ 86.399887][ T5326] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 86.399899][ T5326] ? __lock_acquire+0xaac/0xd20 [ 86.399917][ T5326] netlink_rcv_skb+0x219/0x490 [ 86.399933][ T5326] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 86.399947][ T5326] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 86.399965][ T5326] ? netlink_deliver_tap+0x2e/0x1b0 [ 86.399977][ T5326] ? netlink_deliver_tap+0x2e/0x1b0 [ 86.399991][ T5326] netlink_unicast+0x75b/0x8d0 [ 86.400005][ T5326] netlink_sendmsg+0x805/0xb30 [ 86.400021][ T5326] ? __pfx_netlink_sendmsg+0x10/0x10 [ 86.400034][ T5326] ? aa_sock_msg_perm+0x94/0x160 [ 86.400045][ T5326] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 86.400058][ T5326] ? __pfx_netlink_sendmsg+0x10/0x10 [ 86.400072][ T5326] __sock_sendmsg+0x21c/0x270 [ 86.400084][ T5326] ____sys_sendmsg+0x505/0x830 [ 86.400101][ T5326] ? __pfx_____sys_sendmsg+0x10/0x10 [ 86.400118][ T5326] ? import_iovec+0x74/0xa0 [ 86.400134][ T5326] ___sys_sendmsg+0x21f/0x2a0 [ 86.400149][ T5326] ? __pfx____sys_sendmsg+0x10/0x10 [ 86.400173][ T5326] ? __fget_files+0x2a/0x420 [ 86.400187][ T5326] ? __fget_files+0x3a0/0x420 [ 86.400204][ T5326] __x64_sys_sendmsg+0x19b/0x260 [ 86.400220][ T5326] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 86.400238][ T5326] ? do_syscall_64+0xba/0x210 [ 86.400253][ T5326] do_syscall_64+0xf6/0x210 [ 86.400278][ T5326] ? clear_bhb_loop+0x60/0xb0 [ 86.400291][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.400302][ T5326] RIP: 0033:0x7fe61078e969 [ 86.400363][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.400375][ T5326] RSP: 002b:00007fe611583038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 86.400388][ T5326] RAX: ffffffffffffffda RBX: 00007fe6109b5fa0 RCX: 00007fe61078e969 [ 86.400397][ T5326] RDX: 0000000000000000 RSI: 0000200000000140 RDI: 0000000000000004 [ 86.400404][ T5326] RBP: 00007fe610810ab1 R08: 0000000000000000 R09: 0000000000000000 [ 86.400411][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.400417][ T5326] R13: 0000000000000000 R14: 00007fe6109b5fa0 R15: 00007ffcd9f839a8 [ 86.400426][ T5326] [ 86.681212][ T10] cfg80211: failed to load regulatory.db [ 87.945732][ T4664] Bluetooth: hci0: command tx timeout [ 90.026234][ T4664] Bluetooth: hci0: command tx timeout [ 92.105647][ T4664] Bluetooth: hci0: command tx timeout