ipt_REJECT: TCP_RESET invalid for non-tcp
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.4.7470/714 is trying to acquire lock:
ffff88801df07158 (&nr_netdev_xmit_lock_key){+...}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
ffff88801df07158 (&nr_netdev_xmit_lock_key){+...}-{3:3}, at: __netif_tx_lock include/linux/netdevice.h:4746 [inline]
ffff88801df07158 (&nr_netdev_xmit_lock_key){+...}-{3:3}, at: __dev_queue_xmit+0x12de/0x3890 net/core/dev.c:4843

but task is already holding lock:
ffff888029b0ef70 (&nr_node->node_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
ffff888029b0ef70 (&nr_node->node_lock){+...}-{3:3}, at: nr_node_lock include/net/netrom.h:152 [inline]
ffff888029b0ef70 (&nr_node->node_lock){+...}-{3:3}, at: nr_route_frame+0x36e/0x8f0 net/netrom/nr_route.c:795

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&nr_node->node_lock){+...}-{3:3}:
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
       _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:347 [inline]
       nr_node_lock include/net/netrom.h:152 [inline]
       nr_rt_device_down+0x153/0x860 net/netrom/nr_route.c:519
       nr_device_event+0x137/0x150 net/netrom/af_netrom.c:126
       notifier_call_chain+0x1be/0x400 kernel/notifier.c:85
       call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
       call_netdevice_notifiers net/core/dev.c:2301 [inline]
       netif_close_many+0x2ae/0x420 net/core/dev.c:1804
       netif_close+0x160/0x220 net/core/dev.c:1817
       dev_close+0x10a/0x220 net/core/dev_api.c:220
       bpq_device_event+0x377/0x6a0 drivers/net/hamradio/bpqether.c:528
       notifier_call_chain+0x1be/0x400 kernel/notifier.c:85
       call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
       call_netdevice_notifiers net/core/dev.c:2301 [inline]
       netif_close_many+0x2ae/0x420 net/core/dev.c:1804
       netif_close+0x160/0x220 net/core/dev.c:1817
       dev_close+0x10a/0x220 net/core/dev_api.c:220
       bond_setup_by_slave+0x5f/0x3e0 drivers/net/bonding/bond_main.c:1563
       bond_enslave+0x847/0x3c40 drivers/net/bonding/bond_main.c:1974
       bond_do_ioctl+0x6ec/0x8d0 drivers/net/bonding/bond_main.c:4627
       dev_siocbond net/core/dev_ioctl.c:492 [inline]
       dev_ifsioc+0x961/0x1280 net/core/dev_ioctl.c:642
       dev_ioctl+0x7b4/0x1150 net/core/dev_ioctl.c:814
       sock_do_ioctl+0x23e/0x320 net/socket.c:1268
       sock_ioctl+0x5c6/0x7f0 net/socket.c:1375
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (nr_node_list_lock){+...}-{3:3}:
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
       _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178
       spin_lock_bh include/linux/spinlock.h:347 [inline]
       nr_node_get net/netrom/nr_route.c:49 [inline]
       nr_route_frame+0x2ec/0x8f0 net/netrom/nr_route.c:792
       nr_xmit+0x47/0xf0 net/netrom/nr_dev.c:144
       __netdev_start_xmit include/linux/netdevice.h:5325 [inline]
       netdev_start_xmit include/linux/netdevice.h:5334 [inline]
       xmit_one net/core/dev.c:3883 [inline]
       dev_hard_start_xmit+0x2d8/0x870 net/core/dev.c:3899
       __dev_queue_xmit+0x16d1/0x3890 net/core/dev.c:4849
       dev_queue_xmit include/linux/netdevice.h:3385 [inline]
       tx+0x6b/0x190 drivers/block/aoe/aoenet.c:62
       kthread+0x1e0/0x3f0 drivers/block/aoe/aoecmd.c:1241
       kthread+0x388/0x470 kernel/kthread.c:436
       ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #0 (&nr_netdev_xmit_lock_key){+...}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
       lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
       __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
       _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
       spin_lock include/linux/spinlock.h:341 [inline]
       __netif_tx_lock include/linux/netdevice.h:4746 [inline]
       __dev_queue_xmit+0x12de/0x3890 net/core/dev.c:4843
       __bond_start_xmit drivers/net/bonding/bond_main.c:-1 [inline]
       bond_start_xmit+0xd6e/0x1960 drivers/net/bonding/bond_main.c:5593
       __netdev_start_xmit include/linux/netdevice.h:5325 [inline]
       netdev_start_xmit include/linux/netdevice.h:5334 [inline]
       xmit_one net/core/dev.c:3883 [inline]
       dev_hard_start_xmit+0x2d8/0x870 net/core/dev.c:3899
       __dev_queue_xmit+0x16d1/0x3890 net/core/dev.c:4849
       dev_queue_xmit include/linux/netdevice.h:3385 [inline]
       bpq_xmit+0x60b/0x840 drivers/net/hamradio/bpqether.c:273
       __netdev_start_xmit include/linux/netdevice.h:5325 [inline]
       netdev_start_xmit include/linux/netdevice.h:5334 [inline]
       xmit_one net/core/dev.c:3883 [inline]
       dev_hard_start_xmit+0x2d8/0x870 net/core/dev.c:3899
       __dev_queue_xmit+0x16d1/0x3890 net/core/dev.c:4849
       ax25_std_establish_data_link+0x9b/0x110 net/ax25/ax25_std_subr.c:-1
       ax25_send_frame+0x85b/0x9f0 net/ax25/ax25_out.c:-1
       nr_route_frame+0x593/0x8f0 net/netrom/nr_route.c:830
       nr_transmit_buffer+0xe7/0x1b0 net/netrom/nr_out.c:211
       nr_establish_data_link+0x62/0xb0 net/netrom/nr_out.c:229
       nr_connect+0x8c9/0xf60 net/netrom/af_netrom.c:723
       __sys_connect_file net/socket.c:2089 [inline]
       __sys_connect+0x312/0x450 net/socket.c:2108
       __do_sys_connect net/socket.c:2114 [inline]
       __se_sys_connect net/socket.c:2111 [inline]
       __x64_sys_connect+0x7a/0x90 net/socket.c:2111
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  &nr_netdev_xmit_lock_key --> nr_node_list_lock --> &nr_node->node_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&nr_node->node_lock);
                               lock(nr_node_list_lock);
                               lock(&nr_node->node_lock);
  lock(&nr_netdev_xmit_lock_key);

 *** DEADLOCK ***

6 locks held by syz.4.7470/714:
 #0: ffff8880a0620260 (sk_lock-AF_NETROM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
 #0: ffff8880a0620260 (sk_lock-AF_NETROM){+.+.}-{0:0}, at: nr_connect+0x822/0xf60 net/netrom/af_netrom.c:712
 #1: ffff888029b0ef70 (&nr_node->node_lock){+...}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:347 [inline]
 #1: ffff888029b0ef70 (&nr_node->node_lock){+...}-{3:3}, at: nr_node_lock include/net/netrom.h:152 [inline]
 #1: ffff888029b0ef70 (&nr_node->node_lock){+...}-{3:3}, at: nr_route_frame+0x36e/0x8f0 net/netrom/nr_route.c:795
 #2: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #2: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:903 [inline]
 #2: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x277/0x3890 net/core/dev.c:4773
 #3: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #3: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:903 [inline]
 #3: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x277/0x3890 net/core/dev.c:4773
 #4: ffffffff8e75e620 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8e75e620 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8e75e620 (rcu_read_lock){....}-{1:3}, at: bond_start_xmit+0xc9/0x1960 drivers/net/bonding/bond_main.c:5591
 #5: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #5: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:903 [inline]
 #5: ffffffff8e75e680 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x277/0x3890 net/core/dev.c:4773

stack backtrace:
CPU: 1 UID: 0 PID: 714 Comm: syz.4.7470 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
 check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
 lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:341 [inline]
 __netif_tx_lock include/linux/netdevice.h:4746 [inline]
 __dev_queue_xmit+0x12de/0x3890 net/core/dev.c:4843
 __bond_start_xmit drivers/net/bonding/bond_main.c:-1 [inline]
 bond_start_xmit+0xd6e/0x1960 drivers/net/bonding/bond_main.c:5593
 __netdev_start_xmit include/linux/netdevice.h:5325 [inline]
 netdev_start_xmit include/linux/netdevice.h:5334 [inline]
 xmit_one net/core/dev.c:3883 [inline]
 dev_hard_start_xmit+0x2d8/0x870 net/core/dev.c:3899
 __dev_queue_xmit+0x16d1/0x3890 net/core/dev.c:4849
 dev_queue_xmit include/linux/netdevice.h:3385 [inline]
 bpq_xmit+0x60b/0x840 drivers/net/hamradio/bpqether.c:273
 __netdev_start_xmit include/linux/netdevice.h:5325 [inline]
 netdev_start_xmit include/linux/netdevice.h:5334 [inline]
 xmit_one net/core/dev.c:3883 [inline]
 dev_hard_start_xmit+0x2d8/0x870 net/core/dev.c:3899
 __dev_queue_xmit+0x16d1/0x3890 net/core/dev.c:4849
 ax25_std_establish_data_link+0x9b/0x110 net/ax25/ax25_std_subr.c:-1
 ax25_send_frame+0x85b/0x9f0 net/ax25/ax25_out.c:-1
 nr_route_frame+0x593/0x8f0 net/netrom/nr_route.c:830
 nr_transmit_buffer+0xe7/0x1b0 net/netrom/nr_out.c:211
 nr_establish_data_link+0x62/0xb0 net/netrom/nr_out.c:229
 nr_connect+0x8c9/0xf60 net/netrom/af_netrom.c:723
 __sys_connect_file net/socket.c:2089 [inline]
 __sys_connect+0x312/0x450 net/socket.c:2108
 __do_sys_connect net/socket.c:2114 [inline]
 __se_sys_connect net/socket.c:2111 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2111
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f937799c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9378894028 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007f9377c15fa0 RCX: 00007f937799c799
RDX: 0000000000000048 RSI: 0000200000000000 RDI: 0000000000000005
RBP: 00007f9377a32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f9377c16038 R14: 00007f9377c15fa0 R15: 00007ffda21705d8
 </TASK>