# syzkaller reproducer for the lockdep report that follows it
# ("possible circular locking dependency detected" in the NET/ROM routing code).
# Ordering shown by the log:
#   - nr_del_node(), reached via nr_rt_ioctl(), takes &nr_node->node_lock and
#     then nr_neigh_list_lock (dependency chain entries #1 and #2);
#   - nr_rt_device_down(), reached via the netdev notifier chain, already holds
#     nr_neigh_list_lock (+0x28) when it takes nr_node_list_lock (+0xbe).
# Lockdep reports the inconsistent ordering itself; the deadlock does not have
# to occur for the warning to fire.
# For triage, the calls that map onto the traces are the NET/ROM
# SIOCADDRT/SIOCDELRT ioctls and the 0x8914 ioctl; the MPTCP and KVM calls do
# not appear in any stack in the report.
program:
# r0: NET/ROM socket (family 0x6, type 0x5), later used for the route-add ioctls.
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff})
# NOTE(review): r1 is never assigned in the visible text; presumably a result
# annotation on the socketpair output was lost in extraction. Confirm against
# the original reproducer.
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = socket$inet_mptcp(0x2, 0x1, 0x106)
# Null option value and zero length.
setsockopt$inet_int(r2, 0x0, 0x33, 0x0, 0x0)
# r3: Bluetooth SCO socket (family 0x1f); only used as a handle for the 0x8914 ioctl below.
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# fd argument is -1, so this call is not expected to reach a socket; it still
# names @bpq0 at 0x7f0000000000, the same address the next ioctl passes.
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
# Request 0x8914 matches RSI in the register dump of the warning task, whose
# stack runs dev_ioctl -> dev_change_flags -> nr_device_event -> nr_rt_device_down.
# No inline data is given; the buffer presumably still holds the @bpq0 name
# from the previous call (TODO confirm).
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
# Route add on r0, first field 0x0, device @bpq0, mnemonic 'syz1'.
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000180)={0x0, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bpq0, 0x4, 'syz1\x00', @null, 0xfffffffd, 0x5, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]})
# r4: second NET/ROM socket, used for the route delete.
r4 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
# Route add on r0, first field 0x1, same device and mnemonic.
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000100)={0x1, @null, @bpq0, 0xffffffff, 'syz1\x00', @null, 0xfff, 0x3, [@default, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
# Route delete with first field 0x1; presumably the path behind the
# nr_rt_ioctl -> nr_del_node frames in chain entries #1 and #2 (TODO confirm).
ioctl$sock_netrom_SIOCDELRT(r4, 0x890c, &(0x7f0000000680)={0x1, @null, @bpq0, 0x89, 'syz1\x00', @null, 0x2, 0x8, [@null, @default, @null, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @bcast, @bcast]})
# KVM setup: no KVM function appears in the lockdep stacks, so these calls
# look incidental to this report.
r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r6 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0)
r7 = ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0)
ioctl$KVM_X86_SETUP_MCE(r7, 0x4008ae9c, &(0x7f0000000200)={0x2, 0x0, 0x1})
ioctl$KVM_SET_MSRS(r7, 0xc008ae88, &(0x7f0000000000)={0x1, 0x0, [{0xbb5, 0x0, 0x100000003}]})
# Second pass: the same calls repeated with the (async) flag and without result
# assignments, so the r0-r7 references below still refer to the values above.
syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)) (async)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async)
socket$inet_mptcp(0x2, 0x1, 0x106) (async)
setsockopt$inet_int(r2, 0x0, 0x33, 0x0, 0x0) (async)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000)) (async)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000180)={0x0, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bpq0, 0x4, 'syz1\x00', @null, 0xfffffffd, 0x5, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]}) (async)
syz_init_net_socket$netrom(0x6, 0x5, 0x0) (async)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000100)={0x1, @null, @bpq0, 0xffffffff, 'syz1\x00', @null, 0xfff, 0x3, [@default, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]}) (async)
ioctl$sock_netrom_SIOCDELRT(r4, 0x890c, &(0x7f0000000680)={0x1, @null, @bpq0, 0x89, 'syz1\x00', @null, 0x2, 0x8, [@null, @default, @null, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @bcast, @bcast]}) (async)
openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) (async)
ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) (async)
ioctl$KVM_CREATE_VCPU(r6, 0xae41, 0x0) (async)
ioctl$KVM_X86_SETUP_MCE(r7, 0x4008ae9c, &(0x7f0000000200)={0x2, 0x0, 0x1}) (async)
ioctl$KVM_SET_MSRS(r7, 0xc008ae88, &(0x7f0000000000)={0x1, 0x0, [{0xbb5, 0x0, 0x100000003}]}) (async)
# End of program; kernel console output follows.
[ 73.471012][ T4667] Bluetooth: hci0: command tx timeout [ 73.560048][ T5319] [ 73.561421][ T5319] ====================================================== [ 
73.564767][ T5319] WARNING: possible circular locking dependency detected [ 73.567867][ T5319] syzkaller #0 Not tainted [ 73.569866][ T5319] ------------------------------------------------------ [ 73.573007][ T5319] syz.0.0/5319 is trying to acquire lock: [ 73.575373][ T5319] ffffffff8fb2a8f8 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xbe/0x860 [ 73.579397][ T5319] [ 73.579397][ T5319] but task is already holding lock: [ 73.582583][ T5319] ffffffff8fb2a898 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x860 [ 73.586556][ T5319] [ 73.586556][ T5319] which lock already depends on the new lock. [ 73.586556][ T5319] [ 73.590953][ T5319] [ 73.590953][ T5319] the existing dependency chain (in reverse order) is: [ 73.594566][ T5319] [ 73.594566][ T5319] -> #2 (nr_neigh_list_lock){+...}-{3:3}: [ 73.598005][ T5319] _raw_spin_lock_bh+0x36/0x50 [ 73.600335][ T5319] nr_del_node+0x57d/0xbb0 [ 73.602467][ T5319] nr_rt_ioctl+0xb34/0xf90 [ 73.604660][ T5319] sock_do_ioctl+0x101/0x320 [ 73.607010][ T5319] sock_ioctl+0x5c6/0x7f0 [ 73.609547][ T5319] __se_sys_ioctl+0xfc/0x170 [ 73.612379][ T5319] do_syscall_64+0xe2/0xf80 [ 73.614706][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.617485][ T5319] [ 73.617485][ T5319] -> #1 (&nr_node->node_lock){+...}-{3:3}: [ 73.620872][ T5319] _raw_spin_lock_bh+0x36/0x50 [ 73.623291][ T5319] nr_del_node+0x2a9/0xbb0 [ 73.625567][ T5319] nr_rt_ioctl+0xb34/0xf90 [ 73.627789][ T5319] sock_do_ioctl+0x101/0x320 [ 73.629932][ T5319] sock_ioctl+0x5c6/0x7f0 [ 73.632126][ T5319] __se_sys_ioctl+0xfc/0x170 [ 73.634229][ T5319] do_syscall_64+0xe2/0xf80 [ 73.636492][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.639355][ T5319] [ 73.639355][ T5319] -> #0 (nr_node_list_lock){+...}-{3:3}: [ 73.642812][ T5319] __lock_acquire+0x15a5/0x2cf0 [ 73.644801][ T5319] lock_acquire+0x106/0x330 [ 73.646722][ T5319] _raw_spin_lock_bh+0x36/0x50 [ 73.649030][ T5319] nr_rt_device_down+0xbe/0x860 [ 73.651302][ T5319] 
nr_device_event+0x137/0x150 [ 73.653906][ T5319] notifier_call_chain+0x19d/0x3a0 [ 73.657047][ T5319] __dev_notify_flags+0x16d/0x310 [ 73.659600][ T5319] netif_change_flags+0xe8/0x1a0 [ 73.662157][ T5319] dev_change_flags+0x130/0x260 [ 73.664564][ T5319] dev_ioctl+0x7b4/0x1150 [ 73.666610][ T5319] sock_do_ioctl+0x23e/0x320 [ 73.668903][ T5319] sock_ioctl+0x5c6/0x7f0 [ 73.671086][ T5319] __se_sys_ioctl+0xfc/0x170 [ 73.673416][ T5319] do_syscall_64+0xe2/0xf80 [ 73.675679][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.678503][ T5319] [ 73.678503][ T5319] other info that might help us debug this: [ 73.678503][ T5319] [ 73.683075][ T5319] Chain exists of: [ 73.683075][ T5319] nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock [ 73.683075][ T5319] [ 73.689029][ T5319] Possible unsafe locking scenario: [ 73.689029][ T5319] [ 73.692325][ T5319] CPU0 CPU1 [ 73.694656][ T5319] ---- ---- [ 73.696889][ T5319] lock(nr_neigh_list_lock); [ 73.698844][ T5319] lock(&nr_node->node_lock); [ 73.702099][ T5319] lock(nr_neigh_list_lock); [ 73.705128][ T5319] lock(nr_node_list_lock); [ 73.707029][ T5319] [ 73.707029][ T5319] *** DEADLOCK *** [ 73.707029][ T5319] [ 73.710760][ T5319] 2 locks held by syz.0.0/5319: [ 73.713135][ T5319] #0: ffffffff8f9ae448 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7a4/0x1150 [ 73.717171][ T5319] #1: ffffffff8fb2a898 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x860 [ 73.721338][ T5319] [ 73.721338][ T5319] stack backtrace: [ 73.723859][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 73.723874][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 73.723881][ T5319] Call Trace: [ 73.723889][ T5319] [ 73.723920][ T5319] dump_stack_lvl+0xe8/0x150 [ 73.723974][ T5319] print_circular_bug+0x2e1/0x300 [ 73.723987][ T5319] check_noncircular+0x12e/0x150 [ 73.724000][ T5319] __lock_acquire+0x15a5/0x2cf0 [ 73.724019][ T5319] ? 
nr_rt_device_down+0xbe/0x860 [ 73.724055][ T5319] lock_acquire+0x106/0x330 [ 73.724069][ T5319] ? nr_rt_device_down+0xbe/0x860 [ 73.724083][ T5319] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 73.724096][ T5319] ? nr_rt_device_down+0xbe/0x860 [ 73.724108][ T5319] _raw_spin_lock_bh+0x36/0x50 [ 73.724124][ T5319] ? nr_rt_device_down+0xbe/0x860 [ 73.724137][ T5319] nr_rt_device_down+0xbe/0x860 [ 73.724159][ T5319] nr_device_event+0x137/0x150 [ 73.724172][ T5319] notifier_call_chain+0x19d/0x3a0 [ 73.724185][ T5319] __dev_notify_flags+0x16d/0x310 [ 73.724198][ T5319] ? __pfx___dev_notify_flags+0x10/0x10 [ 73.724209][ T5319] ? __dev_change_flags+0x4c6/0x690 [ 73.724221][ T5319] ? __pfx___dev_change_flags+0x10/0x10 [ 73.724233][ T5319] ? full_name_hash+0x92/0xe0 [ 73.724251][ T5319] netif_change_flags+0xe8/0x1a0 [ 73.724264][ T5319] dev_change_flags+0x130/0x260 [ 73.724276][ T5319] dev_ioctl+0x7b4/0x1150 [ 73.724287][ T5319] sock_do_ioctl+0x23e/0x320 [ 73.724302][ T5319] ? __pfx_sock_do_ioctl+0x10/0x10 [ 73.724316][ T5319] ? do_futex+0x333/0x420 [ 73.724351][ T5319] sock_ioctl+0x5c6/0x7f0 [ 73.724365][ T5319] ? __pfx_sock_ioctl+0x10/0x10 [ 73.724378][ T5319] ? __fget_files+0x2a/0x420 [ 73.724405][ T5319] ? __fget_files+0x3a0/0x420 [ 73.724415][ T5319] ? __fget_files+0x2a/0x420 [ 73.724426][ T5319] ? bpf_lsm_file_ioctl+0x9/0x20 [ 73.724460][ T5319] ? __pfx_sock_ioctl+0x10/0x10 [ 73.724474][ T5319] __se_sys_ioctl+0xfc/0x170 [ 73.724488][ T5319] do_syscall_64+0xe2/0xf80 [ 73.724499][ T5319] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.724509][ T5319] ? trace_irq_disable+0x37/0x100 [ 73.724540][ T5319] ? 
clear_bhb_loop+0x60/0xb0 [ 73.724550][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.724561][ T5319] RIP: 0033:0x7f79caf9aeb9 [ 73.724573][ T5319] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 73.724583][ T5319] RSP: 002b:00007f79cbe88028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 73.724595][ T5319] RAX: ffffffffffffffda RBX: 00007f79cb216090 RCX: 00007f79caf9aeb9 [ 73.724603][ T5319] RDX: 0000200000000000 RSI: 0000000000008914 RDI: 0000000000000008 [ 73.724610][ T5319] RBP: 00007f79cb008c1f R08: 0000000000000000 R09: 0000000000000000 [ 73.724617][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 73.724623][ T5319] R13: 00007f79cb216128 R14: 00007f79cb216090 R15: 00007ffdb82a2278 [ 73.724635][ T5319]