program:
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r4 = openat$ipvs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/net/ipv4/vs/sync_threshold\x00', 0x2, 0x0)
read$FUSE(r4, 0x0, 0x0)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000340)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bpq0, 0xffff, 'syz0\x00', @default, 0xfffffdba, 0x2, [@default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null]})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x10001, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]}) (async)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x10001, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]})
landlock_create_ruleset(&(0x7f0000000180)={0x2008, 0x2, 0x1}, 0x18, 0x0) (async)
r5 = landlock_create_ruleset(&(0x7f0000000180)={0x2008, 0x2, 0x1}, 0x18, 0x0)
landlock_restrict_self(r5, 0x1)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]})
ioctl$SIOCNRDECOBS(r0, 0x89e2) (async)
ioctl$SIOCNRDECOBS(r0, 0x89e2)
r6 = socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$x25(0x9, 0x5, 0x0) (async)
r7 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r7, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) (async)
ioctl$sock_ifreq(r7, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})
connect$rose(0xffffffffffffffff, &(0x7f0000000000)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, 0x1, @default}, 0x1c)
r8 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r8, 0x8914, &(0x7f0000000000)) (async)
ioctl$sock_netdev_private(r8, 0x8914, &(0x7f0000000000))
r9 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_rose_SIOCADDRT(r9, 0x890b, &(0x7f0000000440)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @netrom={'nr', 0x0}, 0x3, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
ioctl$sock_rose_SIOCDELRT(r9, 0x890c, &(0x7f00000000c0)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x6, @null, @bpq0, 0x1, [@bcast, @default, @default, @default, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
ioctl$BTRFS_IOC_QGROUP_LIMIT(r1, 0x8030942b, &(0x7f0000000240)={0x1, {0x8, 0x100, 0xff, 0x0, 0x3a}})
sendmsg$nl_route(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000740)=ANY=[@ANYBLOB="3c00000010004b0401000000000000007a000000", @ANYRES32=0x0, @ANYBLOB="00000000000000001c0012800b00010062726964676500000c0002800800080000000000"], 0x3c}}, 0x0)
r10 = openat$full(0xffffffffffffff9c, &(0x7f00000000c0), 0x40200, 0x0)
ioctl$sock_rose_SIOCDELRT(r10, 0x890c, &(0x7f0000000100)={@remote={0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x2, @default, @bpq0, 0x7, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @bcast, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @bcast]})

[   75.793237][ T5299] Bluetooth: hci0: command tx timeout
[   75.898572][ T5320] 
[   75.899636][ T5320] ======================================================
[   75.902639][ T5320] WARNING: possible circular locking dependency detected
[   75.905771][ T5320] 6.16.0-rc3-syzkaller-00072-gee88bddf7f2f #0 Not tainted
[   75.908758][ T5320] ------------------------------------------------------
[   75.911979][ T5320] syz.0.0/5320 is trying to acquire lock:
[   75.914496][ T5320] ffffffff8f6689b8 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xa9/0x720
[   75.918419][ T5320] 
[   75.918419][ T5320] but task is already holding lock:
[   75.921433][ T5320] ffffffff8f668958 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720
[   75.925414][ T5320] 
[   75.925414][ T5320] which lock already depends on the new lock.
[   75.925414][ T5320] 
[   75.930772][ T5320] 
[   75.930772][ T5320] the existing dependency chain (in reverse order) is:
[   75.934999][ T5320] 
[   75.934999][ T5320] -> #2 (nr_neigh_list_lock){+...}-{3:3}:
[   75.938399][ T5320]        lock_acquire+0x120/0x360
[   75.940751][ T5320]        _raw_spin_lock_bh+0x36/0x50
[   75.943187][ T5320]        nr_rt_ioctl+0x390/0xd50
[   75.945073][ T5320]        sock_do_ioctl+0xd9/0x300
[   75.947304][ T5320]        sock_ioctl+0x576/0x790
[   75.949335][ T5320]        __se_sys_ioctl+0xf9/0x170
[   75.951815][ T5320]        do_syscall_64+0xfa/0x3b0
[   75.954344][ T5320]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.957256][ T5320] 
[   75.957256][ T5320] -> #1 (&nr_node->node_lock){+...}-{3:3}:
[   75.960617][ T5320]        lock_acquire+0x120/0x360
[   75.962802][ T5320]        _raw_spin_lock_bh+0x36/0x50
[   75.964994][ T5320]        nr_rt_ioctl+0x193/0xd50
[   75.967197][ T5320]        sock_do_ioctl+0xd9/0x300
[   75.969425][ T5320]        sock_ioctl+0x576/0x790
[   75.971821][ T5320]        __se_sys_ioctl+0xf9/0x170
[   75.974185][ T5320]        do_syscall_64+0xfa/0x3b0
[   75.976346][ T5320]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.979158][ T5320] 
[   75.979158][ T5320] -> #0 (nr_node_list_lock){+...}-{3:3}:
[   75.982545][ T5320]        validate_chain+0xb9b/0x2140
[   75.984906][ T5320]        __lock_acquire+0xab9/0xd20
[   75.987324][ T5320]        lock_acquire+0x120/0x360
[   75.989727][ T5320]        _raw_spin_lock_bh+0x36/0x50
[   75.991970][ T5320]        nr_rt_device_down+0xa9/0x720
[   75.994252][ T5320]        nr_device_event+0x137/0x150
[   75.996427][ T5320]        notifier_call_chain+0x1b3/0x3e0
[   75.998924][ T5320]        dev_close_many+0x29c/0x410
[   76.001285][ T5320]        netif_close+0x158/0x210
[   76.003519][ T5320]        dev_close+0x10a/0x220
[   76.005694][ T5320]        bpq_device_event+0x2f4/0x600
[   76.008032][ T5320]        notifier_call_chain+0x1b3/0x3e0
[   76.010296][ T5320]        dev_close_many+0x29c/0x410
[   76.012655][ T5320]        netif_close+0x158/0x210
[   76.014741][ T5320]        dev_close+0x10a/0x220
[   76.016880][ T5320]        bond_setup_by_slave+0x5f/0x3f0
[   76.019502][ T5320]        bond_enslave+0x7a0/0x3a20
[   76.022123][ T5320]        bond_do_ioctl+0x635/0x9b0
[   76.024544][ T5320]        dev_ifsioc+0x908/0xf00
[   76.026826][ T5320]        dev_ioctl+0x7b4/0x1150
[   76.029020][ T5320]        sock_do_ioctl+0x22c/0x300
[   76.031311][ T5320]        sock_ioctl+0x576/0x790
[   76.033515][ T5320]        __se_sys_ioctl+0xf9/0x170
[   76.035851][ T5320]        do_syscall_64+0xfa/0x3b0
[   76.038239][ T5320]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.041326][ T5320] 
[   76.041326][ T5320] other info that might help us debug this:
[   76.041326][ T5320] 
[   76.045851][ T5320] Chain exists of:
[   76.045851][ T5320]   nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock
[   76.045851][ T5320] 
[   76.051900][ T5320]  Possible unsafe locking scenario:
[   76.051900][ T5320] 
[   76.055221][ T5320]        CPU0                    CPU1
[   76.057908][ T5320]        ----                    ----
[   76.060613][ T5320]   lock(nr_neigh_list_lock);
[   76.062695][ T5320]                                lock(&nr_node->node_lock);
[   76.066000][ T5320]                                lock(nr_neigh_list_lock);
[   76.069272][ T5320]   lock(nr_node_list_lock);
[   76.071459][ T5320] 
[   76.071459][ T5320]  *** DEADLOCK ***
[   76.071459][ T5320] 
[   76.074887][ T5320] 2 locks held by syz.0.0/5320:
[   76.077062][ T5320]  #0: ffffffff8f50ff48 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7a4/0x1150
[   76.080938][ T5320]  #1: ffffffff8f668958 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720
[   76.085396][ T5320] 
[   76.085396][ T5320] stack backtrace:
[   76.088069][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00072-gee88bddf7f2f #0 PREEMPT(full) 
[   76.088086][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.088094][ T5320] Call Trace:
[   76.088102][ T5320]  <TASK>
[   76.088108][ T5320]  dump_stack_lvl+0x189/0x250
[   76.088130][ T5320]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.088146][ T5320]  ? __pfx__printk+0x10/0x10
[   76.088158][ T5320]  ? print_lock_name+0xde/0x100
[   76.088170][ T5320]  print_circular_bug+0x2ee/0x310
[   76.088183][ T5320]  check_noncircular+0x134/0x160
[   76.088194][ T5320]  validate_chain+0xb9b/0x2140
[   76.088206][ T5320]  ? rt6_disable_ip+0x6b3/0x720
[   76.088223][ T5320]  ? __lock_acquire+0xab9/0xd20
[   76.088237][ T5320]  __lock_acquire+0xab9/0xd20
[   76.088253][ T5320]  ? nr_rt_device_down+0xa9/0x720
[   76.088269][ T5320]  lock_acquire+0x120/0x360
[   76.088283][ T5320]  ? nr_rt_device_down+0xa9/0x720
[   76.088300][ T5320]  ? nr_rt_device_down+0xa9/0x720
[   76.088315][ T5320]  _raw_spin_lock_bh+0x36/0x50
[   76.088331][ T5320]  ? nr_rt_device_down+0xa9/0x720
[   76.088345][ T5320]  nr_rt_device_down+0xa9/0x720
[   76.088361][ T5320]  ? do_raw_spin_unlock+0x4d/0x240
[   76.088374][ T5320]  nr_device_event+0x137/0x150
[   76.088390][ T5320]  notifier_call_chain+0x1b3/0x3e0
[   76.088409][ T5320]  dev_close_many+0x29c/0x410
[   76.088422][ T5320]  ? __pfx_dev_close_many+0x10/0x10
[   76.088431][ T5320]  ? __try_to_del_timer_sync+0x34a/0x3a0
[   76.088444][ T5320]  ? bond_netdev_event+0x227/0xe80
[   76.088457][ T5320]  netif_close+0x158/0x210
[   76.088467][ T5320]  ? __pfx_netif_close+0x10/0x10
[   76.088476][ T5320]  ? tun_device_event+0x77/0x1020
[   76.088494][ T5320]  dev_close+0x10a/0x220
[   76.088507][ T5320]  bpq_device_event+0x2f4/0x600
[   76.088520][ T5320]  notifier_call_chain+0x1b3/0x3e0
[   76.088537][ T5320]  dev_close_many+0x29c/0x410
[   76.088549][ T5320]  ? __pfx_dev_close_many+0x10/0x10
[   76.088561][ T5320]  netif_close+0x158/0x210
[   76.088571][ T5320]  ? __pfx_netif_close+0x10/0x10
[   76.088580][ T5320]  ? do_raw_spin_lock+0x121/0x290
[   76.088592][ T5320]  ? __local_bh_enable_ip+0x12d/0x1c0
[   76.088607][ T5320]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.088666][ T5320]  dev_close+0x10a/0x220
[   76.088677][ T5320]  bond_setup_by_slave+0x5f/0x3f0
[   76.088693][ T5320]  bond_enslave+0x7a0/0x3a20
[   76.088705][ T5320]  ? arch_stack_walk+0xfc/0x150
[   76.088718][ T5320]  ? __pfx_bond_enslave+0x10/0x10
[   76.088733][ T5320]  ? apparmor_capable+0x137/0x1b0
[   76.088749][ T5320]  ? full_name_hash+0x92/0xe0
[   76.088764][ T5320]  ? netdev_name_node_lookup+0xdf/0x120
[   76.088780][ T5320]  bond_do_ioctl+0x635/0x9b0
[   76.088797][ T5320]  ? __pfx_bond_do_ioctl+0x10/0x10
[   76.088810][ T5320]  ? trace_contention_end+0x39/0x120
[   76.088821][ T5320]  ? __mutex_lock+0x330/0xe80
[   76.088839][ T5320]  ? full_name_hash+0x92/0xe0
[   76.088852][ T5320]  ? netdev_name_node_lookup+0xdf/0x120
[   76.088867][ T5320]  dev_ifsioc+0x908/0xf00
[   76.088880][ T5320]  ? dev_load+0x21/0x1f0
[   76.088890][ T5320]  dev_ioctl+0x7b4/0x1150
[   76.088900][ T5320]  sock_do_ioctl+0x22c/0x300
[   76.088917][ T5320]  ? __pfx_sock_do_ioctl+0x10/0x10
[   76.088938][ T5320]  ? __lock_acquire+0xab9/0xd20
[   76.088957][ T5320]  sock_ioctl+0x576/0x790
[   76.088972][ T5320]  ? __pfx_sock_ioctl+0x10/0x10
[   76.088987][ T5320]  ? __fget_files+0x2a/0x420
[   76.088999][ T5320]  ? __fget_files+0x3a0/0x420
[   76.089009][ T5320]  ? __fget_files+0x2a/0x420
[   76.089021][ T5320]  ? bpf_lsm_file_ioctl+0x9/0x20
[   76.089037][ T5320]  ? __pfx_sock_ioctl+0x10/0x10
[   76.089051][ T5320]  __se_sys_ioctl+0xf9/0x170
[   76.089067][ T5320]  do_syscall_64+0xfa/0x3b0
[   76.089084][ T5320]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.089095][ T5320]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.089106][ T5320]  ? clear_bhb_loop+0x60/0xb0
[   76.089117][ T5320]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.089128][ T5320] RIP: 0033:0x7f15ff78e929
[   76.089140][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   76.089150][ T5320] RSP: 002b:00007f16005ad038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   76.089162][ T5320] RAX: ffffffffffffffda RBX: 00007f15ff9b6080 RCX: 00007f15ff78e929
[   76.089170][ T5320] RDX: 0000200000000180 RSI: 0000000000008990 RDI: 000000000000000d
[   76.089177][ T5320] RBP: 00007f15ff810b39 R08: 0000000000000000 R09: 0000000000000000
[   76.089183][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   76.089189][ T5320] R13: 0000000000000000 R14: 00007f15ff9b6080 R15: 00007fffd25157a8
[   76.089203][ T5320]  </TASK>
[   76.311054][ T1314] ieee802154 phy0 wpan0: encryption failed: -22
[   76.313929][ T1314] ieee802154 phy1 wpan1: encryption failed: -22
[   76.409589][ T5320] 8021q: adding VLAN 0 to HW filter on device bond0
[   76.417669][ T5320] bond0: (slave rose0): Enslaving as an active interface with an up link
[   76.421755][ T5319] bond0: (slave rose0): Error: Device is in use and cannot be enslaved