bond0: Enslaving bond3 as an active interface with an up link
audit: type=1800 audit(1639416176.133:5): pid=10146 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14002 res=0
============================================
WARNING: possible recursive locking detected
4.14.257-syzkaller #0 Not tainted
--------------------------------------------
syz-executor.0/10124 is trying to acquire lock:
 (&(&bond->stats_lock)->rlock#3/3){+.+.}, at: [<ffffffff83cacc07>] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457

but task is already holding lock:
 (&(&bond->stats_lock)->rlock#3/3){+.+.}, at: [<ffffffff83cacc07>] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&bond->stats_lock)->rlock#3/3);
  lock(&(&bond->stats_lock)->rlock#3/3);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by syz-executor.0/10124:
 #0:  (rtnl_mutex){+.+.}, at: [<ffffffff85c8442d>] rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0:  (rtnl_mutex){+.+.}, at: [<ffffffff85c8442d>] rtnetlink_rcv_msg+0x31d/0xb10 net/core/rtnetlink.c:4315
 #1:  (&(&bond->stats_lock)->rlock#3/3){+.+.}, at: [<ffffffff83cacc07>] bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457
 #2:  (rcu_read_lock){....}, at: [<ffffffff83cacbeb>] bond_get_nest_level drivers/net/bonding/bond_main.c:3446 [inline]
 #2:  (rcu_read_lock){....}, at: [<ffffffff83cacbeb>] bond_get_stats+0x9b/0x440 drivers/net/bonding/bond_main.c:3457

stack backtrace:
CPU: 0 PID: 10124 Comm: syz-executor.0 Not tainted 4.14.257-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_deadlock_bug kernel/locking/lockdep.c:1800 [inline]
 check_deadlock kernel/locking/lockdep.c:1847 [inline]
 validate_chain kernel/locking/lockdep.c:2448 [inline]
 __lock_acquire.cold+0x180/0x97c kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 _raw_spin_lock_nested+0x30/0x40 kernel/locking/spinlock.c:362
 bond_get_stats+0xb7/0x440 drivers/net/bonding/bond_main.c:3457
 dev_get_stats+0xa5/0x280 net/core/dev.c:8019
 bond_get_stats+0x1da/0x440 drivers/net/bonding/bond_main.c:3463
 dev_get_stats+0xa5/0x280 net/core/dev.c:8019
 rtnl_fill_stats+0x48/0xa90 net/core/rtnetlink.c:1079
 rtnl_fill_ifinfo+0xe16/0x3050 net/core/rtnetlink.c:1385
 rtmsg_ifinfo_build_skb+0x8e/0x130 net/core/rtnetlink.c:2913
 rtmsg_ifinfo_event net/core/rtnetlink.c:2943 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:2934 [inline]
 rtnetlink_event+0xee/0x1a0 net/core/rtnetlink.c:4364
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_features_change net/core/dev.c:1296 [inline]
 netdev_change_features+0x7e/0xa0 net/core/dev.c:7457
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
 bond_compute_features+0x444/0x860 drivers/net/bonding/bond_main.c:1122
 bond_slave_netdev_event drivers/net/bonding/bond_main.c:3191 [inline]
 bond_netdev_event+0x664/0xbd0 drivers/net/bonding/bond_main.c:3232
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 call_netdevice_notifiers net/core/dev.c:1683 [inline]
 netdev_features_change net/core/dev.c:1296 [inline]
 netdev_change_features+0x7e/0xa0 net/core/dev.c:7457
 bond_compute_features+0x444/0x860 drivers/net/bonding/bond_main.c:1122
 bond_enslave+0x37fb/0x4cf0 drivers/net/bonding/bond_main.c:1757
 do_set_master+0x19e/0x200 net/core/rtnetlink.c:1961
 rtnl_newlink+0x136f/0x1860 net/core/rtnetlink.c:2757
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4320
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2441
 netlink_unicast_kernel net/netlink/af_netlink.c:1294 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1320
 netlink_sendmsg+0x638/0xb90 net/netlink/af_netlink.c:1886
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f431ef67e99
RSP: 002b:00007f431d8bc168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f431f07b030 RCX: 00007f431ef67e99
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007f431efc2031 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcf4f4b15f R14: 00007f431d8bc300 R15: 0000000000022000
audit: type=1800 audit(1639416176.973:6): pid=10187 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13994 res=0
bond3: making interface vlan4 the new active one
bond3: Enslaving vlan4 as an active interface with an up link
syz-executor.0 (10124) used greatest stack depth: 23792 bytes left
audit: type=1800 audit(1639416177.153:7): pid=10212 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=14007 res=0
raw_sendmsg: syz-executor.4 forgot to set AF_INET. Fix it!
audit: type=1800 audit(1639416177.363:8): pid=10241 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13890 res=0
audit: type=1800 audit(1639416177.583:9): pid=10265 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.3" name="bus" dev="sda1" ino=13989 res=0
ubi0: attaching mtd0
ubi0: scanning is finished
ubi0: empty MTD device detected
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 1089210369
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'.
ubi0: background thread "ubi_bgt0d" started, PID 10431
ubi0: detaching mtd0
ubi0: mtd0 is detached
netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'.
ubi0: attaching mtd0
ubi0: scanning is finished
netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'.
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1089210369
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: detaching mtd0
ubi0: background thread "ubi_bgt0d" started, PID 10505
ubi0: mtd0 is detached
netlink: 3 bytes leftover after parsing attributes in process `syz-executor.5'.
ubi0: attaching mtd0
ubi0: scanning is finished
hfsplus: unable to find HFS+ superblock
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
======================================================
WARNING: the mand mount option is being deprecated and
         will be removed in v5.15!
======================================================
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1089210369
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: detaching mtd0
ubi0: background thread "ubi_bgt0d" started, PID 10567
ubi0: mtd0 is detached
ubi0: attaching mtd0
hfsplus: unable to find HFS+ superblock
ubi0: scanning is finished
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
hfsplus: unable to find HFS+ superblock
ubi0: attached mtd0 (name "mtdram test device", size 0 MiB)
ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes
ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1
ubi0: VID header offset: 64 (aligned 64), data offset: 128
ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23
ubi0: max/mean erase counter: 1/1, WL threshold: 4096, image sequence number: 1089210369
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0
ubi0: background thread "ubi_bgt0d" started, PID 10628
ubi0: detaching mtd0
ubi0: mtd0 is detached
netem: change failed
hfsplus: unable to find HFS+ superblock
EXT4-fs (loop4): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue
input: syz1 as /devices/virtual/input/input5
input: syz1 as /devices/virtual/input/input6
input: syz1 as /devices/virtual/input/input7
input: syz1 as /devices/virtual/input/input8
audit: type=1800 audit(1639416184.574:10): pid=10807 uid=0 auid=4294967295 ses=4294967295 op="collect_data" cause="failed(directio)" comm="syz-executor.5" name="bus" dev="sda1" ino=13935 res=0