program: r0 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000340)={'dummy0\x00', 0x0}) r2 = socket$packet(0x11, 0x2, 0x300) socket(0x10, 0x3, 0x1) openat$sysfs(0xffffffffffffff9c, 0x0, 0x202, 0x0) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000009c0)=ANY=[@ANYBLOB="0500000004000000ff0f000007"], 0x48) bpf$PROG_LOAD(0x5, &(0x7f0000000300)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000000000000b70400000000000085000000c300000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$MAP_UPDATE_ELEM_TAIL_CALL(0x2, &(0x7f0000000100)={{r3}, &(0x7f0000000000), &(0x7f00000000c0)}, 0x20) r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000740)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000200)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x1b, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000f40)={&(0x7f0000000f00)='kfree\x00', r4}, 0x10) bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000009c0)={0x1b, 0x0, 0x0, 0x40000, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) syz_emit_ethernet(0x16, &(0x7f0000000140)={@local, @link_local, @void, {@llc_tr={0x11, {@snap={0xaa, 0x1, "c2", "d5a2bb", 0x8808}}}}}, 0x0) setsockopt$packet_add_memb(r2, 0x107, 0x1, &(0x7f0000000000)={r1, 0x1, 0x6, @remote}, 0x10) r5 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r5, &(0x7f00000003c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000280)=@getchain={0x24, 0x11, 0x839, 0x70bd2d, 0x25dfdbff, {0x0, 0x0, 0x0, r1, {0xc}, {0xfff3, 0x8}}}, 0x24}}, 0x20040000) [ 74.806053][ T5301] Bluetooth: hci0: command tx timeout [ 74.908908][ T5317] dummy0: entered promiscuous mode [ 74.918682][ T5317] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'. [ 74.946719][ T5317] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 [ 74.954118][ T5317] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5317, name: syz.0.0 [ 74.957941][ T5317] preempt_count: 0, expected: 0 [ 74.960061][ T5317] RCU nest depth: 1, expected: 0 [ 74.962302][ T5317] 2 locks held by syz.0.0/5317: [ 74.964452][ T5317] #0: ffffffff8f503588 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_dellink+0x331/0x710 [ 74.969652][ T5317] #1: ffffffff8e13c9a0 (rcu_read_lock){....}-{1:3}, at: packet_notifier+0x78/0xa60 [ 74.973765][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-01972-g914873bc7df9 #0 PREEMPT(full) [ 74.973782][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.973790][ T5317] Call Trace: [ 74.973796][ T5317] [ 74.973803][ T5317] dump_stack_lvl+0x189/0x250 [ 74.973829][ T5317] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.973851][ T5317] ? print_lock_name+0xde/0x100 [ 74.973867][ T5317] __might_resched+0x495/0x610 [ 74.973888][ T5317] ? __pfx___might_resched+0x10/0x10 [ 74.973907][ T5317] ? call_rcu+0x6dd/0x990 [ 74.973923][ T5317] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.973943][ T5317] __mutex_lock+0x106/0xe80 [ 74.973962][ T5317] ? __pfx_call_rcu+0x10/0x10 [ 74.973980][ T5317] ? dev_set_promiscuity+0x10e/0x260 [ 74.973998][ T5317] ? __pfx___mutex_lock+0x10/0x10 [ 74.974022][ T5317] ? packet_notifier+0x78/0xa60 [ 74.974037][ T5317] ? __pfx_addrconf_ifdown+0x10/0x10 [ 74.974060][ T5317] dev_set_promiscuity+0x10e/0x260 [ 74.974081][ T5317] packet_notifier+0x292/0xa60 [ 74.974099][ T5317] ? packet_notifier+0x78/0xa60 [ 74.974113][ T5317] notifier_call_chain+0x1b3/0x3e0 [ 74.974137][ T5317] unregister_netdevice_many_notify+0x15d8/0x2330 [ 74.974168][ T5317] ? __pfx_unregister_netdevice_many_notify+0x10/0x10 [ 74.974184][ T5317] ? stack_depot_save_flags+0x429/0x900 [ 74.974239][ T5317] ? rtnl_dellink+0x331/0x710 [ 74.974258][ T5317] ? unregister_netdevice_queue+0x1b3/0x380 [ 74.974282][ T5317] ? __nla_parse+0x40/0x60 [ 74.974301][ T5317] ? __pfx_unregister_netdevice_queue+0x10/0x10 [ 74.974315][ T5317] rtnl_dellink+0x488/0x710 [ 74.974331][ T5317] ? __pfx_rtnl_dellink+0x10/0x10 [ 74.974408][ T5317] ? __pfx_rtnl_dellink+0x10/0x10 [ 74.974421][ T5317] rtnetlink_rcv_msg+0x7cf/0xb70 [ 74.974437][ T5317] ? rtnetlink_rcv_msg+0x1ab/0xb70 [ 74.974449][ T5317] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.974465][ T5317] ? ref_tracker_free+0x63a/0x7d0 [ 74.974477][ T5317] ? __copy_skb_header+0xa7/0x550 [ 74.974517][ T5317] netlink_rcv_skb+0x21c/0x490 [ 74.974535][ T5317] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.974549][ T5317] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.974576][ T5317] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.974596][ T5317] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.974615][ T5317] netlink_unicast+0x758/0x8d0 [ 74.974634][ T5317] netlink_sendmsg+0x805/0xb30 [ 74.974654][ T5317] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.974670][ T5317] ? aa_sock_msg_perm+0x94/0x160 [ 74.974687][ T5317] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.974699][ T5317] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.974711][ T5317] __sock_sendmsg+0x21c/0x270 [ 74.974732][ T5317] ____sys_sendmsg+0x505/0x830 [ 74.974752][ T5317] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.974774][ T5317] ? import_iovec+0x74/0xa0 [ 74.974790][ T5317] ___sys_sendmsg+0x21f/0x2a0 [ 74.974807][ T5317] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.974847][ T5317] ? __fget_files+0x2a/0x420 [ 74.974861][ T5317] ? __fget_files+0x3a0/0x420 [ 74.974883][ T5317] __x64_sys_sendmsg+0x19b/0x260 [ 74.974901][ T5317] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.974925][ T5317] ? do_syscall_64+0xba/0x220 [ 74.974940][ T5317] do_syscall_64+0xf6/0x220 [ 74.974953][ T5317] ? clear_bhb_loop+0x60/0xb0 [ 74.974970][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.974980][ T5317] RIP: 0033:0x7f3391f8e969 [ 74.974994][ T5317] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.975003][ T5317] RSP: 002b:00007f3392d35038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.975017][ T5317] RAX: ffffffffffffffda RBX: 00007f33921b6080 RCX: 00007f3391f8e969 [ 74.975024][ T5317] RDX: 0000000020040000 RSI: 00002000000003c0 RDI: 0000000000000009 [ 74.975032][ T5317] RBP: 00007f3392010ab1 R08: 0000000000000000 R09: 0000000000000000 [ 74.975040][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.975047][ T5317] R13: 0000000000000000 R14: 00007f33921b6080 R15: 00007fff4927f028 [ 74.975068][ T5317] [ 74.975186][ T5317] [ 75.149595][ T5317] ============================= [ 75.151792][ T5317] [ BUG: Invalid wait context ] [ 75.153977][ T5317] 6.15.0-syzkaller-01972-g914873bc7df9 #0 Tainted: G W [ 75.157607][ T5317] ----------------------------- [ 75.159745][ T5317] syz.0.0/5317 is trying to lock: [ 75.161949][ T5317] ffff88805222ed30 (&dev_instance_lock_key#3){+.+.}-{4:4}, at: dev_set_promiscuity+0x10e/0x260 [ 75.166467][ T5317] other info that might help us debug this: [ 75.169049][ T5317] context-{5:5} [ 75.170643][ T5317] 2 locks held by syz.0.0/5317: [ 75.172840][ T5317] #0: ffffffff8f503588 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_dellink+0x331/0x710 [ 75.176898][ T5317] #1: ffffffff8e13c9a0 (rcu_read_lock){....}-{1:3}, at: packet_notifier+0x78/0xa60 [ 75.181051][ T5317] stack backtrace: [ 75.182716][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Tainted: G W 6.15.0-syzkaller-01972-g914873bc7df9 #0 PREEMPT(full) [ 75.182736][ T5317] Tainted: [W]=WARN [ 75.182741][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.182749][ T5317] Call Trace: [ 75.182756][ T5317] [ 75.182809][ T5317] dump_stack_lvl+0x189/0x250 [ 75.182837][ T5317] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.182854][ T5317] ? __pfx__printk+0x10/0x10 [ 75.182865][ T5317] ? print_lock_name+0xde/0x100 [ 75.182877][ T5317] __lock_acquire+0xbcb/0xd20 [ 75.182892][ T5317] ? dev_set_promiscuity+0x10e/0x260 [ 75.182906][ T5317] lock_acquire+0x120/0x360 [ 75.182918][ T5317] ? dev_set_promiscuity+0x10e/0x260 [ 75.182931][ T5317] ? call_rcu+0x6dd/0x990 [ 75.182950][ T5317] __mutex_lock+0x182/0xe80 [ 75.182965][ T5317] ? dev_set_promiscuity+0x10e/0x260 [ 75.182978][ T5317] ? __pfx_call_rcu+0x10/0x10 [ 75.182994][ T5317] ? dev_set_promiscuity+0x10e/0x260 [ 75.183007][ T5317] ? __pfx___mutex_lock+0x10/0x10 [ 75.183024][ T5317] ? packet_notifier+0x78/0xa60 [ 75.183037][ T5317] ? __pfx_addrconf_ifdown+0x10/0x10 [ 75.183055][ T5317] dev_set_promiscuity+0x10e/0x260 [ 75.183070][ T5317] packet_notifier+0x292/0xa60 [ 75.183083][ T5317] ? packet_notifier+0x78/0xa60 [ 75.183102][ T5317] notifier_call_chain+0x1b3/0x3e0 [ 75.183123][ T5317] unregister_netdevice_many_notify+0x15d8/0x2330 [ 75.183150][ T5317] ? __pfx_unregister_netdevice_many_notify+0x10/0x10 [ 75.183170][ T5317] ? stack_depot_save_flags+0x429/0x900 [ 75.183186][ T5317] ? rtnl_dellink+0x331/0x710 [ 75.183199][ T5317] ? unregister_netdevice_queue+0x1b3/0x380 [ 75.183220][ T5317] ? __nla_parse+0x40/0x60 [ 75.183240][ T5317] ? __pfx_unregister_netdevice_queue+0x10/0x10 [ 75.183257][ T5317] rtnl_dellink+0x488/0x710 [ 75.183270][ T5317] ? __pfx_rtnl_dellink+0x10/0x10 [ 75.183305][ T5317] ? __pfx_rtnl_dellink+0x10/0x10 [ 75.183317][ T5317] rtnetlink_rcv_msg+0x7cf/0xb70 [ 75.183330][ T5317] ? rtnetlink_rcv_msg+0x1ab/0xb70 [ 75.183341][ T5317] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.183354][ T5317] ? ref_tracker_free+0x63a/0x7d0 [ 75.183369][ T5317] ? __copy_skb_header+0xa7/0x550 [ 75.183387][ T5317] netlink_rcv_skb+0x21c/0x490 [ 75.183401][ T5317] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 75.183413][ T5317] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 75.183428][ T5317] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.183441][ T5317] ? netlink_deliver_tap+0x2e/0x1b0 [ 75.183457][ T5317] netlink_unicast+0x758/0x8d0 [ 75.183470][ T5317] netlink_sendmsg+0x805/0xb30 [ 75.183487][ T5317] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.183501][ T5317] ? aa_sock_msg_perm+0x94/0x160 [ 75.183516][ T5317] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 75.183528][ T5317] ? __pfx_netlink_sendmsg+0x10/0x10 [ 75.183542][ T5317] __sock_sendmsg+0x21c/0x270 [ 75.183561][ T5317] ____sys_sendmsg+0x505/0x830 [ 75.183577][ T5317] ? __pfx_____sys_sendmsg+0x10/0x10 [ 75.183593][ T5317] ? import_iovec+0x74/0xa0 [ 75.183608][ T5317] ___sys_sendmsg+0x21f/0x2a0 [ 75.183622][ T5317] ? __pfx____sys_sendmsg+0x10/0x10 [ 75.183655][ T5317] ? __fget_files+0x2a/0x420 [ 75.183673][ T5317] ? __fget_files+0x3a0/0x420 [ 75.183688][ T5317] __x64_sys_sendmsg+0x19b/0x260 [ 75.183702][ T5317] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 75.183718][ T5317] ? do_syscall_64+0xba/0x220 [ 75.183733][ T5317] do_syscall_64+0xf6/0x220 [ 75.183748][ T5317] ? clear_bhb_loop+0x60/0xb0 [ 75.183761][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.183773][ T5317] RIP: 0033:0x7f3391f8e969 [ 75.183804][ T5317] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.183816][ T5317] RSP: 002b:00007f3392d35038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 75.183831][ T5317] RAX: ffffffffffffffda RBX: 00007f33921b6080 RCX: 00007f3391f8e969 [ 75.183843][ T5317] RDX: 0000000020040000 RSI: 00002000000003c0 RDI: 0000000000000009 [ 75.183852][ T5317] RBP: 00007f3392010ab1 R08: 0000000000000000 R09: 0000000000000000 [ 75.183861][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.183868][ T5317] R13: 0000000000000000 R14: 00007f33921b6080 R15: 00007fff4927f028 [ 75.183880][ T5317] [ 75.381159][ T5317] dummy0 (unregistering): left promiscuous mode [ 76.449027][ T1313] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.451738][ T1313] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.847486][ T5301] Bluetooth: hci0: command tx timeout