program: r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000280)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bpq0, 0xffff, 'syz0\x00', @default, 0xfffffdba, 0x2, [@default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}]}) sendmsg$inet_sctp(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)=ANY=[@ANYRESOCT], 0x30}, 0x0) r3 = syz_open_procfs(0x0, &(0x7f0000000180)='oom_adj\x00') writev(r3, &(0x7f00000000c0)=[{&(0x7f0000000140)='15', 0x2}], 0x8) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x10001, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]}) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000440)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x8, 'syz1\x00', @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x7, 0x4, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast]}) syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)) (async) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async) syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async) ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000)) (async) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000280)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bpq0, 0xffff, 'syz0\x00', @default, 0xfffffdba, 0x2, [@default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}]}) (async) sendmsg$inet_sctp(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000040)=ANY=[@ANYRESOCT], 0x30}, 0x0) (async) syz_open_procfs(0x0, &(0x7f0000000180)='oom_adj\x00') (async) writev(r3, &(0x7f00000000c0)=[{&(0x7f0000000140)='15', 0x2}], 0x8) (async) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x10001, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]}) (async) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) (async) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000440)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x8, 'syz1\x00', @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0x7, 0x4, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast]}) (async) [ 73.540148][ T4665] Bluetooth: hci0: command tx timeout [ 73.628596][ T5315] syz.0.0 (5315): /proc/5314/oom_adj is deprecated, please use /proc/5314/oom_score_adj instead. [ 73.652943][ T5316] [ 73.653978][ T5316] ====================================================== [ 73.657246][ T5316] WARNING: possible circular locking dependency detected [ 73.660925][ T5316] syzkaller #0 Not tainted [ 73.663245][ T5316] ------------------------------------------------------ [ 73.666415][ T5316] syz.0.0/5316 is trying to acquire lock: [ 73.668922][ T5316] ffff8880387a9970 (&nr_node->node_lock){+...}-{3:3}, at: nr_rt_device_down+0x153/0x860 [ 73.673051][ T5316] [ 73.673051][ T5316] but task is already holding lock: [ 73.676059][ T5316] ffffffff8fd4aab8 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xbe/0x860 [ 73.679791][ T5316] [ 73.679791][ T5316] which lock already depends on the new lock. [ 73.679791][ T5316] [ 73.684126][ T5316] [ 73.684126][ T5316] the existing dependency chain (in reverse order) is: [ 73.687797][ T5316] [ 73.687797][ T5316] -> #2 (nr_node_list_lock){+...}-{3:3}: [ 73.690898][ T5316] _raw_spin_lock_bh+0x36/0x50 [ 73.693049][ T5316] nr_rt_device_down+0xbe/0x860 [ 73.695272][ T5316] nr_device_event+0x137/0x150 [ 73.697463][ T5316] notifier_call_chain+0x1be/0x400 [ 73.699889][ T5316] __dev_notify_flags+0x16d/0x310 [ 73.702104][ T5316] netif_change_flags+0xe8/0x1a0 [ 73.704474][ T5316] dev_change_flags+0x130/0x260 [ 73.706719][ T5316] dev_ioctl+0x7b4/0x1150 [ 73.709509][ T5316] sock_do_ioctl+0x23e/0x320 [ 73.711775][ T5316] sock_ioctl+0x5c6/0x7f0 [ 73.713910][ T5316] __se_sys_ioctl+0xfc/0x170 [ 73.716167][ T5316] do_syscall_64+0x14d/0xf80 [ 73.718319][ T5316] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.720972][ T5316] [ 73.720972][ T5316] -> #1 (nr_neigh_list_lock){+...}-{3:3}: [ 73.724039][ T5316] _raw_spin_lock_bh+0x36/0x50 [ 73.726091][ T5316] nr_remove_neigh+0x25/0xe0 [ 73.728026][ T5316] nr_add_node+0x1e41/0x2630 [ 73.730107][ T5316] nr_rt_ioctl+0xe59/0xf90 [ 73.732120][ T5316] sock_do_ioctl+0x101/0x320 [ 73.734147][ T5316] sock_ioctl+0x5c6/0x7f0 [ 73.736192][ T5316] __se_sys_ioctl+0xfc/0x170 [ 73.738266][ T5316] do_syscall_64+0x14d/0xf80 [ 73.740518][ T5316] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.743179][ T5316] [ 73.743179][ T5316] -> #0 (&nr_node->node_lock){+...}-{3:3}: [ 73.746311][ T5316] __lock_acquire+0x15a5/0x2cf0 [ 73.748397][ T5316] lock_acquire+0xf0/0x2e0 [ 73.750311][ T5316] _raw_spin_lock_bh+0x36/0x50 [ 73.752308][ T5316] nr_rt_device_down+0x153/0x860 [ 73.754543][ T5316] nr_device_event+0x137/0x150 [ 73.756720][ T5316] notifier_call_chain+0x1be/0x400 [ 73.759007][ T5316] __dev_notify_flags+0x16d/0x310 [ 73.761284][ T5316] netif_change_flags+0xe8/0x1a0 [ 73.763599][ T5316] dev_change_flags+0x130/0x260 [ 73.765841][ T5316] dev_ioctl+0x7b4/0x1150 [ 73.767963][ T5316] sock_do_ioctl+0x23e/0x320 [ 73.770136][ T5316] sock_ioctl+0x5c6/0x7f0 [ 73.772287][ T5316] __se_sys_ioctl+0xfc/0x170 [ 73.774584][ T5316] do_syscall_64+0x14d/0xf80 [ 73.776811][ T5316] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.779462][ T5316] [ 73.779462][ T5316] other info that might help us debug this: [ 73.779462][ T5316] [ 73.783573][ T5316] Chain exists of: [ 73.783573][ T5316] &nr_node->node_lock --> nr_neigh_list_lock --> nr_node_list_lock [ 73.783573][ T5316] [ 73.789424][ T5316] Possible unsafe locking scenario: [ 73.789424][ T5316] [ 73.792538][ T5316] CPU0 CPU1 [ 73.794874][ T5316] ---- ---- [ 73.797108][ T5316] lock(nr_node_list_lock); [ 73.799013][ T5316] lock(nr_neigh_list_lock); [ 73.802050][ T5316] lock(nr_node_list_lock); [ 73.805121][ T5316] lock(&nr_node->node_lock); [ 73.807187][ T5316] [ 73.807187][ T5316] *** DEADLOCK *** [ 73.807187][ T5316] [ 73.810669][ T5316] 3 locks held by syz.0.0/5316: [ 73.812705][ T5316] #0: ffffffff8fbce6c8 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7a4/0x1150 [ 73.816377][ T5316] #1: ffffffff8fd4aa58 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x860 [ 73.820555][ T5316] #2: ffffffff8fd4aab8 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xbe/0x860 [ 73.824588][ T5316] [ 73.824588][ T5316] stack backtrace: [ 73.827108][ T5316] CPU: 0 UID: 0 PID: 5316 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.827122][ T5316] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.827129][ T5316] Call Trace: [ 73.827136][ T5316] [ 73.827141][ T5316] dump_stack_lvl+0xe8/0x150 [ 73.827190][ T5316] print_circular_bug+0x2e1/0x300 [ 73.827209][ T5316] check_noncircular+0x12e/0x150 [ 73.827226][ T5316] __lock_acquire+0x15a5/0x2cf0 [ 73.827244][ T5316] lock_acquire+0xf0/0x2e0 [ 73.827257][ T5316] ? nr_rt_device_down+0x153/0x860 [ 73.827275][ T5316] ? nr_rt_device_down+0x153/0x860 [ 73.827288][ T5316] _raw_spin_lock_bh+0x36/0x50 [ 73.827302][ T5316] ? nr_rt_device_down+0x153/0x860 [ 73.827316][ T5316] nr_rt_device_down+0x153/0x860 [ 73.827330][ T5316] ? nr_device_event+0x12f/0x150 [ 73.827345][ T5316] nr_device_event+0x137/0x150 [ 73.827359][ T5316] notifier_call_chain+0x1be/0x400 [ 73.827377][ T5316] __dev_notify_flags+0x16d/0x310 [ 73.827392][ T5316] ? __pfx___dev_notify_flags+0x10/0x10 [ 73.827404][ T5316] ? __dev_change_flags+0x4c6/0x690 [ 73.827416][ T5316] ? kasan_quarantine_put+0xbb/0x1f0 [ 73.827434][ T5316] ? __pfx___dev_change_flags+0x10/0x10 [ 73.827447][ T5316] ? full_name_hash+0x92/0xe0 [ 73.827476][ T5316] netif_change_flags+0xe8/0x1a0 [ 73.827490][ T5316] dev_change_flags+0x130/0x260 [ 73.827504][ T5316] dev_ioctl+0x7b4/0x1150 [ 73.827516][ T5316] sock_do_ioctl+0x23e/0x320 [ 73.827532][ T5316] ? __pfx_sock_do_ioctl+0x10/0x10 [ 73.827546][ T5316] ? do_futex+0x333/0x420 [ 73.827592][ T5316] sock_ioctl+0x5c6/0x7f0 [ 73.827613][ T5316] ? __pfx_sock_ioctl+0x10/0x10 [ 73.827627][ T5316] ? __fget_files+0x2a/0x420 [ 73.827641][ T5316] ? __fget_files+0x3a0/0x420 [ 73.827653][ T5316] ? __fget_files+0x2a/0x420 [ 73.827666][ T5316] ? bpf_lsm_file_ioctl+0x9/0x20 [ 73.827679][ T5316] ? __pfx_sock_ioctl+0x10/0x10 [ 73.827692][ T5316] __se_sys_ioctl+0xfc/0x170 [ 73.827714][ T5316] do_syscall_64+0x14d/0xf80 [ 73.827729][ T5316] ? trace_irq_disable+0x3b/0x150 [ 73.827744][ T5316] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.827755][ T5316] ? clear_bhb_loop+0x40/0x90 [ 73.827767][ T5316] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.827779][ T5316] RIP: 0033:0x7f212b79c629 [ 73.827791][ T5316] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.827800][ T5316] RSP: 002b:00007f212c62d028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 73.827812][ T5316] RAX: ffffffffffffffda RBX: 00007f212ba16090 RCX: 00007f212b79c629 [ 73.827820][ T5316] RDX: 0000200000000000 RSI: 0000000000008914 RDI: 0000000000000007 [ 73.827827][ T5316] RBP: 00007f212b832b39 R08: 0000000000000000 R09: 0000000000000000 [ 73.827834][ T5316] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 73.827840][ T5316] R13: 00007f212ba16128 R14: 00007f212ba16090 R15: 00007ffce499bc88 [ 73.827851][ T5316]