syzbot

============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
kworker/u4:27/8326 is trying to acquire lock:
ffff88805cf818d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88805cf818d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
ffff88805cf818d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: sch_direct_xmit+0x15a/0x4a0 net/sched/sch_generic.c:343

but task is already holding lock:
ffff8880300924d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff8880300924d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
ffff8880300924d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: sch_direct_xmit+0x15a/0x4a0 net/sched/sch_generic.c:343

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&qdisc_xmit_lock_key#3);
  lock(&qdisc_xmit_lock_key#3);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

12 locks held by kworker/u4:27/8326:
 #0: ffff88802b81a938 ((wq_completion)bond1#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88802b81a938 ((wq_completion)bond1#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc900041efd00 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc900041efd00 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #2: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #2: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: bond_alb_monitor+0xf2/0x17f0 drivers/net/bonding/bond_alb.c:1547
 #3: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #3: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #3: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x245/0x35a0 net/core/dev.c:4350
 #4: ffff88801dfcd258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #4: ffff88801dfcd258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #4: ffff88801dfcd258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3843 [inline]
 #4: ffff88801dfcd258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x1106/0x35a0 net/core/dev.c:4391
 #5: ffff8880300924d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #5: ffff8880300924d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
 #5: ffff8880300924d8 (&qdisc_xmit_lock_key#3){+.-.}-{2:2}, at: sch_direct_xmit+0x15a/0x4a0 net/sched/sch_generic.c:343
 #6: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #6: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #6: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45c/0x11d0 net/ipv4/ip_output.c:228
 #7: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #7: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #7: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: arp_xmit+0x23/0x270 net/ipv4/arp.c:661
 #8: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #8: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #8: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x245/0x35a0 net/core/dev.c:4350
 #9: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #9: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #9: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: br_dev_xmit+0x186/0x17f0 net/bridge/br_device.c:50
 #10: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #10: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
 #10: ffffffff8cd2ff80 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x245/0x35a0 net/core/dev.c:4350
 #11: ffff88807a94e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #11: ffff88807a94e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #11: ffff88807a94e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3843 [inline]
 #11: ffff88807a94e258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x1106/0x35a0 net/core/dev.c:4391

stack backtrace:
CPU: 0 PID: 8326 Comm: kworker/u4:27 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: bond1 bond_alb_monitor
Call Trace:
 <TASK>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 check_deadlock kernel/locking/lockdep.c:3062 [inline]
 validate_chain kernel/locking/lockdep.c:3856 [inline]
 __lock_acquire+0x5d40/0x7c80 kernel/locking/lockdep.c:5137
 lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 __netif_tx_lock include/linux/netdevice.h:4406 [inline]
 sch_direct_xmit+0x15a/0x4a0 net/sched/sch_generic.c:343
 __dev_xmit_skb net/core/dev.c:3856 [inline]
 __dev_queue_xmit+0x173e/0x35a0 net/core/dev.c:4391
 dev_queue_xmit include/linux/netdevice.h:3113 [inline]
 br_dev_queue_push_xmit+0x6a6/0x850 net/bridge/br_forward.c:53
 NF_HOOK+0x340/0x3d0 include/linux/netfilter.h:304
 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66
 NF_HOOK+0x340/0x3d0 include/linux/netfilter.h:304
 __br_forward+0x41f/0x600 net/bridge/br_forward.c:115
 deliver_clone net/bridge/br_forward.c:131 [inline]
 maybe_deliver+0xb5/0x150 net/bridge/br_forward.c:191
 br_flood+0x31b/0x680 net/bridge/br_forward.c:237
 br_dev_xmit+0xa56/0x17f0 net/bridge/br_device.c:90
 __netdev_start_xmit include/linux/netdevice.h:4943 [inline]
 netdev_start_xmit include/linux/netdevice.h:4957 [inline]
 xmit_one net/core/dev.c:3619 [inline]
 dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3635
 __dev_queue_xmit+0x1a64/0x35a0 net/core/dev.c:4425
 NF_HOOK+0x307/0x390 include/linux/netfilter.h:-1
 arp_xmit+0x16c/0x270 net/ipv4/arp.c:663
 arp_solicit+0xbe5/0xe20 net/ipv4/arp.c:392
 neigh_probe net/core/neighbour.c:1080 [inline]
 __neigh_event_send+0xf0a/0x14c0 net/core/neighbour.c:1247
 neigh_event_send_probe include/net/neighbour.h:467 [inline]
 neigh_event_send include/net/neighbour.h:473 [inline]
 neigh_resolve_output+0x19b/0x730 net/core/neighbour.c:1552
 neigh_output include/net/neighbour.h:543 [inline]
 ip_finish_output2+0xd21/0x11d0 net/ipv4/ip_output.c:235
 iptunnel_xmit+0x53e/0x9c0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1c12/0x2360 net/ipv4/ip_tunnel.c:844
 erspan_xmit+0x9c0/0x1440 net/ipv4/ip_gre.c:729
 __netdev_start_xmit include/linux/netdevice.h:4943 [inline]
 netdev_start_xmit include/linux/netdevice.h:4957 [inline]
 xmit_one net/core/dev.c:3619 [inline]
 dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3635
 sch_direct_xmit+0x252/0x4a0 net/sched/sch_generic.c:345
 __dev_xmit_skb net/core/dev.c:3856 [inline]
 __dev_queue_xmit+0x173e/0x35a0 net/core/dev.c:4391
 dev_queue_xmit include/linux/netdevice.h:3113 [inline]
 alb_send_lp_vid+0x2e7/0x4c0 drivers/net/bonding/bond_alb.c:949
 alb_send_learning_packets+0x10e/0x2c0 drivers/net/bonding/bond_alb.c:1012
 bond_alb_monitor+0x3e5/0x17f0 drivers/net/bonding/bond_alb.c:1564
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>