netlink: 'syz.5.1430': attribute type 13 has an invalid length.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 9740 at kernel/softirq.c:401 __local_bh_enable_ip+0x25c/0x37c kernel/softirq.c:401
Modules linked in:
CPU: 0 PID: 9740 Comm: syz.5.1430 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 224000c5 (nzCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : __local_bh_enable_ip+0x25c/0x37c kernel/softirq.c:401
lr : __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
lr : _raw_spin_unlock_bh+0x48/0x58 kernel/locking/spinlock.c:210
sp : ffff800020f56820
x29: ffff800020f56830 x28: dfff800000000000 x27: dfff800000000000
x26: fffffc00040009c0 x25: 1fffe0001b08c379 x24: 0000000000000000
x23: dfff800000000000 x22: 1fffe0001b08c379 x21: ffff80000febb310
x20: 0000000000000201 x19: ffff0000d8461bc8 x18: ffff800011b9bf60
x17: ffff80001835b000 x16: ffff8000082eef80 x15: ffff800017e3c000
x14: 0000000000000001 x13: 1fffe0001e373eb9 x12: 0000000000000000
x11: 0000000000000000 x10: ffff60001e373eba x9 : 0000000000000000
x8 : 0000000100000203 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800018707f90 x4 : 0000000000000008 x3 : ffff8000082ef094
x2 : 0000000000000001 x1 : 0000000000000201 x0 : ffff80000febb310
Call trace:
 __local_bh_enable_ip+0x25c/0x37c kernel/softirq.c:401
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x48/0x58 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 page_pool_producer_unlock net/core/page_pool.c:156 [inline]
 page_pool_recycle_in_ring net/core/page_pool.c:549 [inline]
 page_pool_put_defragged_page+0x5d4/0x9f8 net/core/page_pool.c:631
 page_pool_put_page include/net/page_pool.h:326 [inline]
 page_pool_put_full_page include/net/page_pool.h:334 [inline]
 __xdp_return+0x3ac/0x518 net/core/xdp.c:384
 xdp_return_frame+0x90/0x264 net/core/xdp.c:419
 tun_ptr_free drivers/net/tun.c:617 [inline]
 __ptr_ring_swap_queue include/linux/ptr_ring.h:570 [inline]
 ptr_ring_resize_multiple include/linux/ptr_ring.h:641 [inline]
 tun_queue_resize drivers/net/tun.c:3666 [inline]
 tun_device_event+0x8e4/0xe80 drivers/net/tun.c:3686
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:2014 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 dev_change_tx_queue_len+0x174/0x2d4 net/core/dev.c:8862
 do_setlink+0xd18/0x3434 net/core/rtnetlink.c:2859
 rtnl_group_changelink net/core/rtnetlink.c:3366 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3623 [inline]
 rtnl_newlink+0xd04/0x1a54 net/core/rtnetlink.c:3660
 rtnetlink_rcv_msg+0x698/0xcdc net/core/rtnetlink.c:6157
 netlink_rcv_skb+0x218/0x3e8 net/netlink/af_netlink.c:2511
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6175
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x60c/0x814 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x6f4/0x9c0 net/netlink/af_netlink.c:1872
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 ____sys_sendmsg+0x5c8/0x938 net/socket.c:2518
 ___sys_sendmsg net/socket.c:2572 [inline]
 __sys_sendmsg+0x288/0x374 net/socket.c:2601
 __do_sys_sendmsg net/socket.c:2610 [inline]
 __se_sys_sendmsg net/socket.c:2608 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2608
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3143
hardirqs last enabled at (3141): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (3141): [] _raw_spin_unlock_irqrestore+0x48/0xac kernel/locking/spinlock.c:194
hardirqs last disabled at (3142): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (3142): [] _raw_spin_lock_irqsave+0xa4/0xb0 kernel/locking/spinlock.c:162
softirqs last enabled at (3106): [] inet6_fill_ifla6_attrs+0xc8c/0x1ba8 net/ipv6/addrconf.c:5770
softirqs last disabled at (3143): [] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (3143): [] page_pool_producer_lock net/core/page_pool.c:144 [inline]
softirqs last disabled at (3143): [] page_pool_recycle_in_ring net/core/page_pool.c:545 [inline]
softirqs last disabled at (3143): [] page_pool_put_defragged_page+0x2dc/0x9f8 net/core/page_pool.c:631
---[ end trace 0000000000000000 ]---

========================================================
WARNING: possible irq lock inversion dependency detected
syzkaller #0 Tainted: G W
--------------------------------------------------------
syz.5.1430/9740 just changed the state of lock:
ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: ptr_ring_resize_multiple include/linux/ptr_ring.h:640 [inline]
ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: tun_queue_resize drivers/net/tun.c:3666 [inline]
ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: tun_device_event+0x6c0/0xe80 drivers/net/tun.c:3686
but this lock was taken by another, SOFTIRQ-safe lock in the past:
 (k-slock-AF_INET6){+.-.}-{2:2}

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&r->producer_lock#2);
                               local_irq_disable();
                               lock(k-slock-AF_INET6);
                               lock(&r->producer_lock#2);
    lock(k-slock-AF_INET6);

 *** DEADLOCK ***

3 locks held by syz.5.1430/9740:
 #0: ffff800017890988 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:74 [inline]
 #0: ffff800017890988 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x650/0xcdc net/core/rtnetlink.c:6154
 #1: ffff0000d0146920 (&r->consumer_lock){+.+.}-{2:2}, at: ptr_ring_resize_multiple include/linux/ptr_ring.h:639 [inline]
 #1: ffff0000d0146920 (&r->consumer_lock){+.+.}-{2:2}, at: tun_queue_resize drivers/net/tun.c:3666 [inline]
 #1: ffff0000d0146920 (&r->consumer_lock){+.+.}-{2:2}, at: tun_device_event+0x69c/0xe80 drivers/net/tun.c:3686
 #2: ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #2: ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: ptr_ring_resize_multiple include/linux/ptr_ring.h:640 [inline]
 #2: ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: tun_queue_resize drivers/net/tun.c:3666 [inline]
 #2: ffff0000d01468a0 (&r->producer_lock#2){+.+.}-{2:2}, at: tun_device_event+0x6c0/0xe80 drivers/net/tun.c:3686

the shortest dependencies between 2nd lock and 1st lock:
 -> (k-slock-AF_INET6){+.-.}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      lock_sock_nested+0x88/0x130 net/core/sock.c:3499
      lock_sock include/net/sock.h:1805 [inline]
      tcp_sock_set_nodelay+0x34/0x10c net/ipv4/tcp.c:3420
      rds_tcp_listen_init+0x148/0x3b8 net/rds/tcp_listen.c:279
      rds_tcp_init_net+0x128/0x2e4 net/rds/tcp.c:573
      ops_init+0x2b0/0x53c net/core/net_namespace.c:138
      __register_pernet_operations net/core/net_namespace.c:1209 [inline]
      register_pernet_operations+0x24c/0x538 net/core/net_namespace.c:1282
      register_pernet_device+0x3c/0x9c net/core/net_namespace.c:1369
      rds_tcp_init+0x74/0xe0 net/rds/tcp.c:731
      do_one_initcall+0x278/0x9e0 init/main.c:1310
      do_initcall_level+0x154/0x214 init/main.c:1383
      do_initcalls+0x58/0xac init/main.c:1399
      do_basic_setup+0x8c/0xa0 init/main.c:1418
      kernel_init_freeable+0x35c/0x4f0 init/main.c:1638
      kernel_init+0x24/0x1d8 init/main.c:1526
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
    IN-SOFTIRQ-W at:
      lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
      __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
      _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
      spin_lock include/linux/spinlock.h:351 [inline]
      sk_clone_lock+0x294/0xd88 net/core/sock.c:2268
      inet_csk_clone_lock+0x34/0x384 net/ipv4/inet_connection_sock.c:1174
      tcp_create_openreq_child+0x44/0x115c net/ipv4/tcp_minisocks.c:469
      tcp_v6_syn_recv_sock+0x354/0x1538 net/ipv6/tcp_ipv6.c:1281
      tcp_check_req+0xcd4/0x142c net/ipv4/tcp_minisocks.c:781
      tcp_v6_rcv+0x12f0/0x2000 net/ipv6/tcp_ipv6.c:1678
      ip6_protocol_deliver_rcu+0x928/0x11cc net/ipv6/ip6_input.c:438
      ip6_input_finish+0x164/0x294 net/ipv6/ip6_input.c:483
      NF_HOOK+0x2dc/0x36c include/linux/netfilter.h:302
      ip6_input+0x90/0xa8 net/ipv6/ip6_input.c:492
      dst_input include/net/dst.h:463 [inline]
      ip6_rcv_finish+0x1f4/0x220 net/ipv6/ip6_input.c:79
      NF_HOOK+0x2dc/0x36c include/linux/netfilter.h:302
      ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:310
      __netif_receive_skb_one_core net/core/dev.c:5619 [inline]
      __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:5733
      process_backlog+0x408/0x710 net/core/dev.c:6061
      __napi_poll+0xb4/0x3f0 net/core/dev.c:6628
      napi_poll net/core/dev.c:6695 [inline]
      net_rx_action+0x514/0xb18 net/core/dev.c:6809
      handle_softirqs+0x318/0xc60 kernel/softirq.c:596
      run_ksoftirqd+0x7c/0x2ac kernel/softirq.c:968
      smpboot_thread_fn+0x4b0/0x964 kernel/smpboot.c:164
      kthread+0x250/0x2d8 kernel/kthread.c:376
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
    INITIAL USE at:
      lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
      __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
      _raw_spin_lock_bh+0x54/0x6c kernel/locking/spinlock.c:178
      spin_lock_bh include/linux/spinlock.h:356 [inline]
      lock_sock_nested+0x88/0x130 net/core/sock.c:3499
      lock_sock include/net/sock.h:1805 [inline]
      tcp_sock_set_nodelay+0x34/0x10c net/ipv4/tcp.c:3420
      rds_tcp_listen_init+0x148/0x3b8 net/rds/tcp_listen.c:279
      rds_tcp_init_net+0x128/0x2e4 net/rds/tcp.c:573
      ops_init+0x2b0/0x53c net/core/net_namespace.c:138
      __register_pernet_operations net/core/net_namespace.c:1209 [inline]
      register_pernet_operations+0x24c/0x538 net/core/net_namespace.c:1282
      register_pernet_device+0x3c/0x9c net/core/net_namespace.c:1369
      rds_tcp_init+0x74/0xe0 net/rds/tcp.c:731
      do_one_initcall+0x278/0x9e0 init/main.c:1310
      do_initcall_level+0x154/0x214 init/main.c:1383
      do_initcalls+0x58/0xac init/main.c:1399
      do_basic_setup+0x8c/0xa0 init/main.c:1418
      kernel_init_freeable+0x35c/0x4f0 init/main.c:1638
      kernel_init+0x24/0x1d8 init/main.c:1526
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
  }
  ... key at: [] af_family_kern_slock_keys+0xa0/0x380
  ... acquired at:
   __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
   _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
   spin_lock include/linux/spinlock.h:351 [inline]
   ptr_ring_produce include/linux/ptr_ring.h:128 [inline]
   tun_net_xmit+0x9d0/0x1320 drivers/net/tun.c:1133
   __netdev_start_xmit include/linux/netdevice.h:4894 [inline]
   netdev_start_xmit include/linux/netdevice.h:4908 [inline]
   xmit_one net/core/dev.c:3695 [inline]
   dev_hard_start_xmit+0x234/0x8cc net/core/dev.c:3711
   sch_direct_xmit+0x210/0x474 net/sched/sch_generic.c:345
   __dev_xmit_skb net/core/dev.c:3932 [inline]
   __dev_queue_xmit+0x13bc/0x3118 net/core/dev.c:4337
   dev_queue_xmit include/linux/netdevice.h:3051 [inline]
   neigh_resolve_output+0x550/0x650 net/core/neighbour.c:1568
   neigh_output include/net/neighbour.h:545 [inline]
   ip6_finish_output2+0xd5c/0x1840 net/ipv6/ip6_output.c:138
   __ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
   ip6_finish_output+0x594/0x92c net/ipv6/ip6_output.c:216
   NF_HOOK_COND include/linux/netfilter.h:291 [inline]
   ip6_output+0x274/0x500 net/ipv6/ip6_output.c:237
   dst_output include/net/dst.h:453 [inline]
   NF_HOOK include/linux/netfilter.h:302 [inline]
   ndisc_send_skb+0xc30/0x164c net/ipv6/ndisc.c:513
   ndisc_send_ns net/ipv6/ndisc.c:671 [inline]
   ndisc_solicit+0x29c/0x52c net/ipv6/ndisc.c:763
   neigh_probe+0xc4/0x124 net/core/neighbour.c:1080
   __neigh_event_send+0xd00/0x1490 net/core/neighbour.c:1247
   neigh_event_send_probe include/net/neighbour.h:469 [inline]
   neigh_event_send include/net/neighbour.h:475 [inline]
   neigh_resolve_output+0x180/0x650 net/core/neighbour.c:1552
   neigh_output include/net/neighbour.h:545 [inline]
   ip6_finish_output2+0xd5c/0x1840 net/ipv6/ip6_output.c:138
   __ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
   ip6_finish_output+0x594/0x92c net/ipv6/ip6_output.c:216
   NF_HOOK_COND include/linux/netfilter.h:291 [inline]
   ip6_output+0x274/0x500 net/ipv6/ip6_output.c:237
   dst_output include/net/dst.h:453 [inline]
   ip6_local_out+0x120/0x15c net/ipv6/output_core.c:161
   ip6_send_skb+0x1a0/0x4e4 net/ipv6/ip6_output.c:2016
   ip6_push_pending_frames+0xd0/0x118 net/ipv6/ip6_output.c:2037
   icmpv6_push_pending_frames+0x278/0x3fc net/ipv6/icmp.c:311
   icmp6_send+0xf34/0x1474 net/ipv6/icmp.c:632
   __icmpv6_send include/linux/icmpv6.h:28 [inline]
   icmpv6_send include/linux/icmpv6.h:49 [inline]
   ip6_pkt_drop+0x524/0x844 net/ipv6/route.c:4564
   ip6_pkt_discard+0x28/0x3c net/ipv6/route.c:4571
   dst_input include/net/dst.h:463 [inline]
   ip6_rcv_finish+0x1f4/0x220 net/ipv6/ip6_input.c:79
   NF_HOOK+0x2dc/0x36c include/linux/netfilter.h:302
   ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:310
   __netif_receive_skb_one_core net/core/dev.c:5619 [inline]
   __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:5733
   netif_receive_skb_internal net/core/dev.c:5819 [inline]
   netif_receive_skb+0x1e8/0x924 net/core/dev.c:5878
   tun_rx_batched+0x48c/0x5dc drivers/net/tun.c:-1
   tun_get_user+0x1fe8/0x3298 drivers/net/tun.c:1998
   tun_chr_write_iter+0xfc/0x200 drivers/net/tun.c:2044
   call_write_iter include/linux/fs.h:2265 [inline]
   new_sync_write fs/read_write.c:491 [inline]
   vfs_write+0x3ec/0x7f0 fs/read_write.c:584
   ksys_write+0x12c/0x224 fs/read_write.c:637
   __do_sys_write fs/read_write.c:649 [inline]
   __se_sys_write fs/read_write.c:646 [inline]
   __arm64_sys_write+0x7c/0x90 fs/read_write.c:646
   __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
   invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
   el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
   do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
   el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
   el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
   el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

 -> (&r->producer_lock#2){+.+.}-{2:2} {
    HARDIRQ-ON-W at:
      lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
      __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
      _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
      spin_lock include/linux/spinlock.h:351 [inline]
      ptr_ring_produce include/linux/ptr_ring.h:128 [inline]
      tun_net_xmit+0x9d0/0x1320 drivers/net/tun.c:1133
      __netdev_start_xmit include/linux/netdevice.h:4894 [inline]
      netdev_start_xmit include/linux/netdevice.h:4908 [inline]
      xmit_one net/core/dev.c:3695 [inline]
      dev_hard_start_xmit+0x234/0x8cc net/core/dev.c:3711
      sch_direct_xmit+0x210/0x474 net/sched/sch_generic.c:345
      __dev_xmit_skb net/core/dev.c:3932 [inline]
      __dev_queue_xmit+0x13bc/0x3118 net/core/dev.c:4337
      dev_queue_xmit include/linux/netdevice.h:3051 [inline]
      neigh_resolve_output+0x550/0x650 net/core/neighbour.c:1568
      neigh_output include/net/neighbour.h:545 [inline]
      ip6_finish_output2+0xd5c/0x1840 net/ipv6/ip6_output.c:138
      __ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
      ip6_finish_output+0x594/0x92c net/ipv6/ip6_output.c:216
      NF_HOOK_COND include/linux/netfilter.h:291 [inline]
      ip6_output+0x274/0x500 net/ipv6/ip6_output.c:237
      dst_output include/net/dst.h:453 [inline]
      NF_HOOK+0x15c/0x444 include/linux/netfilter.h:302
      mld_sendpack+0x88c/0x10ec net/ipv6/mcast.c:1825
      mld_send_initial_cr+0x1dc/0x26c net/ipv6/mcast.c:2244
      ipv6_mc_dad_complete+0x74/0x214 net/ipv6/mcast.c:2252
      addrconf_dad_completed+0x600/0xb28 net/ipv6/addrconf.c:4276
      addrconf_dad_work+0x93c/0x10d4 net/ipv6/addrconf.c:-1
      process_one_work+0x7f8/0x13a4 kernel/workqueue.c:2292
      worker_thread+0x8c4/0xfec kernel/workqueue.c:2439
      kthread+0x250/0x2d8 kernel/kthread.c:376
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850
    SOFTIRQ-ON-W at:
      trace_hardirqs_on+0x164/0x23c kernel/trace/trace_preemptirq.c:49
      __local_bh_enable_ip+0x1f8/0x37c kernel/softirq.c:426
      __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
      _raw_spin_unlock_bh+0x48/0x58 kernel/locking/spinlock.c:210
      spin_unlock_bh include/linux/spinlock.h:396 [inline]
      page_pool_producer_unlock net/core/page_pool.c:156 [inline]
      page_pool_recycle_in_ring net/core/page_pool.c:549 [inline]
      page_pool_put_defragged_page+0x5d4/0x9f8 net/core/page_pool.c:631
      page_pool_put_page include/net/page_pool.h:326 [inline]
      page_pool_put_full_page include/net/page_pool.h:334 [inline]
      __xdp_return+0x3ac/0x518 net/core/xdp.c:384
      xdp_return_frame+0x90/0x264 net/core/xdp.c:419
      tun_ptr_free drivers/net/tun.c:617 [inline]
      __ptr_ring_swap_queue include/linux/ptr_ring.h:570 [inline]
      ptr_ring_resize_multiple include/linux/ptr_ring.h:641 [inline]
      tun_queue_resize drivers/net/tun.c:3666 [inline]
      tun_device_event+0x8e4/0xe80 drivers/net/tun.c:3686
      notifier_call_chain kernel/notifier.c:87 [inline]
      raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:455
      call_netdevice_notifiers_info net/core/dev.c:2014 [inline]
      call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
      call_netdevice_notifiers net/core/dev.c:2066 [inline]
      dev_change_tx_queue_len+0x174/0x2d4 net/core/dev.c:8862
      do_setlink+0xd18/0x3434 net/core/rtnetlink.c:2859
      rtnl_group_changelink net/core/rtnetlink.c:3366 [inline]
      __rtnl_newlink net/core/rtnetlink.c:3623 [inline]
      rtnl_newlink+0xd04/0x1a54 net/core/rtnetlink.c:3660
      rtnetlink_rcv_msg+0x698/0xcdc net/core/rtnetlink.c:6157
      netlink_rcv_skb+0x218/0x3e8 net/netlink/af_netlink.c:2511
      rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6175
      netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
      netlink_unicast+0x60c/0x814 net/netlink/af_netlink.c:1344
      netlink_sendmsg+0x6f4/0x9c0 net/netlink/af_netlink.c:1872
      sock_sendmsg_nosec net/socket.c:718 [inline]
      __sock_sendmsg net/socket.c:730 [inline]
      ____sys_sendmsg+0x5c8/0x938 net/socket.c:2518
      ___sys_sendmsg net/socket.c:2572 [inline]
      __sys_sendmsg+0x288/0x374 net/socket.c:2601
      __do_sys_sendmsg net/socket.c:2610 [inline]
      __se_sys_sendmsg net/socket.c:2608 [inline]
      __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2608
      __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
      invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
      el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
      do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
      el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
      el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
      el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
    INITIAL USE at:
      lock_acquire+0x20c/0x63c kernel/locking/lockdep.c:5662
      __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
      _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154
      spin_lock include/linux/spinlock.h:351 [inline]
      ptr_ring_resize include/linux/ptr_ring.h:601 [inline]
      tun_attach+0x710/0x11fc drivers/net/tun.c:791
      tun_net_init+0x394/0x494 drivers/net/tun.c:1007
      register_netdevice+0x4a0/0x1614 net/core/dev.c:10169
      tun_set_iff+0x62c/0xb80 drivers/net/tun.c:2851
      __tun_chr_ioctl+0x768/0x1de0 drivers/net/tun.c:3114
      tun_chr_ioctl+0x38/0x4c drivers/net/tun.c:3401
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:870 [inline]
      __se_sys_ioctl fs/ioctl.c:856 [inline]
      __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856
      __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
      invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
      el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
      do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
      el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
      el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
      el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
  }
  ... key at: [] ptr_ring_init.__key+0x0/0x20
  ... acquired at:
   mark_lock+0x224/0x320 kernel/locking/lockdep.c:4628
   mark_held_locks kernel/locking/lockdep.c:4230 [inline]
   __trace_hardirqs_on_caller kernel/locking/lockdep.c:4256 [inline]
   lockdep_hardirqs_on_prepare+0x38c/0x7a8 kernel/locking/lockdep.c:4315
   trace_hardirqs_on+0x164/0x23c kernel/trace/trace_preemptirq.c:49
   __local_bh_enable_ip+0x1f8/0x37c kernel/softirq.c:426
   __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
   _raw_spin_unlock_bh+0x48/0x58 kernel/locking/spinlock.c:210
   spin_unlock_bh include/linux/spinlock.h:396 [inline]
   page_pool_producer_unlock net/core/page_pool.c:156 [inline]
   page_pool_recycle_in_ring net/core/page_pool.c:549 [inline]
   page_pool_put_defragged_page+0x5d4/0x9f8 net/core/page_pool.c:631
   page_pool_put_page include/net/page_pool.h:326 [inline]
   page_pool_put_full_page include/net/page_pool.h:334 [inline]
   __xdp_return+0x3ac/0x518 net/core/xdp.c:384
   xdp_return_frame+0x90/0x264 net/core/xdp.c:419
   tun_ptr_free drivers/net/tun.c:617 [inline]
   __ptr_ring_swap_queue include/linux/ptr_ring.h:570 [inline]
   ptr_ring_resize_multiple include/linux/ptr_ring.h:641 [inline]
   tun_queue_resize drivers/net/tun.c:3666 [inline]
   tun_device_event+0x8e4/0xe80 drivers/net/tun.c:3686
   notifier_call_chain kernel/notifier.c:87 [inline]
   raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:455
   call_netdevice_notifiers_info net/core/dev.c:2014 [inline]
   call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
   call_netdevice_notifiers net/core/dev.c:2066 [inline]
   dev_change_tx_queue_len+0x174/0x2d4 net/core/dev.c:8862
   do_setlink+0xd18/0x3434 net/core/rtnetlink.c:2859
   rtnl_group_changelink net/core/rtnetlink.c:3366 [inline]
   __rtnl_newlink net/core/rtnetlink.c:3623 [inline]
   rtnl_newlink+0xd04/0x1a54 net/core/rtnetlink.c:3660
   rtnetlink_rcv_msg+0x698/0xcdc net/core/rtnetlink.c:6157
   netlink_rcv_skb+0x218/0x3e8 net/netlink/af_netlink.c:2511
   rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6175
   netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
   netlink_unicast+0x60c/0x814 net/netlink/af_netlink.c:1344
   netlink_sendmsg+0x6f4/0x9c0 net/netlink/af_netlink.c:1872
   sock_sendmsg_nosec net/socket.c:718 [inline]
   __sock_sendmsg net/socket.c:730 [inline]
   ____sys_sendmsg+0x5c8/0x938 net/socket.c:2518
   ___sys_sendmsg net/socket.c:2572 [inline]
   __sys_sendmsg+0x288/0x374 net/socket.c:2601
   __do_sys_sendmsg net/socket.c:2610 [inline]
   __se_sys_sendmsg net/socket.c:2608 [inline]
   __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2608
   __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
   invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
   el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
   do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
   el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
   el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
   el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

stack backtrace:
CPU: 0 PID: 9740 Comm: syz.5.1430 Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
 dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 print_irq_inversion_bug+0x2e4/0x328 kernel/locking/lockdep.c:4036
 check_usage_backwards kernel/locking/lockdep.c:-1 [inline]
 mark_lock_irq+0x770/0xab0 kernel/locking/lockdep.c:4192
 mark_lock+0x224/0x320 kernel/locking/lockdep.c:4628
 mark_held_locks kernel/locking/lockdep.c:4230 [inline]
 __trace_hardirqs_on_caller kernel/locking/lockdep.c:4256 [inline]
 lockdep_hardirqs_on_prepare+0x38c/0x7a8 kernel/locking/lockdep.c:4315
 trace_hardirqs_on+0x164/0x23c kernel/trace/trace_preemptirq.c:49
 __local_bh_enable_ip+0x1f8/0x37c kernel/softirq.c:426
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x48/0x58 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 page_pool_producer_unlock net/core/page_pool.c:156 [inline]
 page_pool_recycle_in_ring net/core/page_pool.c:549 [inline]
 page_pool_put_defragged_page+0x5d4/0x9f8 net/core/page_pool.c:631
 page_pool_put_page include/net/page_pool.h:326 [inline]
 page_pool_put_full_page include/net/page_pool.h:334 [inline]
 __xdp_return+0x3ac/0x518 net/core/xdp.c:384
 xdp_return_frame+0x90/0x264 net/core/xdp.c:419
 tun_ptr_free drivers/net/tun.c:617 [inline]
 __ptr_ring_swap_queue include/linux/ptr_ring.h:570 [inline]
 ptr_ring_resize_multiple include/linux/ptr_ring.h:641 [inline]
 tun_queue_resize drivers/net/tun.c:3666 [inline]
 tun_device_event+0x8e4/0xe80 drivers/net/tun.c:3686
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:2014 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 dev_change_tx_queue_len+0x174/0x2d4 net/core/dev.c:8862
 do_setlink+0xd18/0x3434 net/core/rtnetlink.c:2859
 rtnl_group_changelink net/core/rtnetlink.c:3366 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3623 [inline]
 rtnl_newlink+0xd04/0x1a54 net/core/rtnetlink.c:3660
 rtnetlink_rcv_msg+0x698/0xcdc net/core/rtnetlink.c:6157
 netlink_rcv_skb+0x218/0x3e8 net/netlink/af_netlink.c:2511
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6175
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x60c/0x814 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x6f4/0x9c0 net/netlink/af_netlink.c:1872
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 ____sys_sendmsg+0x5c8/0x938 net/socket.c:2518
 ___sys_sendmsg net/socket.c:2572 [inline]
 __sys_sendmsg+0x288/0x374 net/socket.c:2601
 __do_sys_sendmsg net/socket.c:2610 [inline]
 __se_sys_sendmsg net/socket.c:2608 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2608
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
------------[ cut here ]------------
raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 0 PID: 9740 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x44 kernel/locking/irqflag-debug.c:10
Modules linked in:
CPU: 0 PID: 9740 Comm: syz.5.1430 Tainted: G W syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : warn_bogus_irq_restore+0x34/0x44 kernel/locking/irqflag-debug.c:10
lr : warn_bogus_irq_restore+0x34/0x44 kernel/locking/irqflag-debug.c:10
sp : ffff800020f56980
x29: ffff800020f56980 x28: 0000000000000000 x27: 1fffe0001a028d30
x26: 0000000000000002 x25: dfff800000000000 x24: 1fffe0001a028d31
x23: 0000000000000000 x22: ffff0000d0b3e100 x21: ffff0000d0146988
x20: ffff0000d0146908 x19: 0000000000000000 x18: ffff800011b9bf60
x17: 0000000000000000 x16: ffff80000804309c x15: 0000000000000002
x14: 0000000000000001 x13: 1ffff000041eac80 x12: 0000000000080000
x11: 000000000007ffff x10: ffff800023f69000 x9 : 720b8c740b99e000
x8 : 720b8c740b99e000 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800020f56418 x4 : ffff800015304cc0 x3 : ffff800008319678
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
 warn_bogus_irq_restore+0x34/0x44 kernel/locking/irqflag-debug.c:10
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
 _raw_spin_unlock_irqrestore+0xa0/0xac kernel/locking/spinlock.c:194
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 ptr_ring_resize_multiple include/linux/ptr_ring.h:644 [inline]
 tun_queue_resize drivers/net/tun.c:3666 [inline]
 tun_device_event+0xbf8/0xe80 drivers/net/tun.c:3686
 notifier_call_chain kernel/notifier.c:87 [inline]
 raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:455
 call_netdevice_notifiers_info net/core/dev.c:2014 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
 call_netdevice_notifiers net/core/dev.c:2066 [inline]
 dev_change_tx_queue_len+0x174/0x2d4 net/core/dev.c:8862
 do_setlink+0xd18/0x3434 net/core/rtnetlink.c:2859
 rtnl_group_changelink net/core/rtnetlink.c:3366 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3623 [inline]
 rtnl_newlink+0xd04/0x1a54 net/core/rtnetlink.c:3660
 rtnetlink_rcv_msg+0x698/0xcdc net/core/rtnetlink.c:6157
 netlink_rcv_skb+0x218/0x3e8 net/netlink/af_netlink.c:2511
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6175
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x60c/0x814 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x6f4/0x9c0 net/netlink/af_netlink.c:1872
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:730 [inline]
 ____sys_sendmsg+0x5c8/0x938 net/socket.c:2518
 ___sys_sendmsg net/socket.c:2572 [inline]
 __sys_sendmsg+0x288/0x374 net/socket.c:2601
 __do_sys_sendmsg net/socket.c:2610 [inline]
 __se_sys_sendmsg net/socket.c:2608 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2608
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3144
hardirqs last enabled at (3141): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (3141): [] _raw_spin_unlock_irqrestore+0x48/0xac kernel/locking/spinlock.c:194
hardirqs last disabled at (3142): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (3142): [] _raw_spin_lock_irqsave+0xa4/0xb0 kernel/locking/spinlock.c:162
softirqs last enabled at (3144): [] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (3144): [] page_pool_producer_unlock net/core/page_pool.c:156 [inline]
softirqs last enabled at (3144): [] page_pool_recycle_in_ring net/core/page_pool.c:549 [inline]
softirqs last enabled at (3144): [] page_pool_put_defragged_page+0x5d4/0x9f8 net/core/page_pool.c:631
softirqs last disabled at (3143): [] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (3143): [] page_pool_producer_lock net/core/page_pool.c:144 [inline]
softirqs last disabled at (3143): [] page_pool_recycle_in_ring net/core/page_pool.c:545 [inline]
softirqs last disabled at (3143): [] page_pool_put_defragged_page+0x2dc/0x9f8 net/core/page_pool.c:631
---[ end trace 0000000000000000 ]---
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready