program: socket$inet_icmp_raw(0x2, 0x3, 0x1) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5) close(0x4) syz_open_procfs$namespace(0x0, &(0x7f0000000080)='ns/ipc\x00') unshare(0x6a040000) r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=@newlink={0x30, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x12}, [@IFLA_MTU={0x8, 0x4, 0x5dd}, @IFLA_GROUP={0x8}]}, 0x30}}, 0x0) [ 74.316117][ T4658] Bluetooth: hci0: command tx timeout [ 74.697170][ T10] e1000 0000:00:06.0 eth0: Reset adapter [ 74.706189][ T5313] [ 74.707295][ T5313] ====================================================== [ 74.710196][ T5313] WARNING: possible circular locking dependency detected [ 74.713125][ T5313] 6.15.0-rc7-syzkaller-00144-gb1427432d3b6 #0 Not tainted [ 74.716126][ T5313] ------------------------------------------------------ [ 74.719179][ T5313] syz.0.0/5313 is trying to acquire lock: [ 74.721575][ T5313] ffff888033f016f0 ((work_completion)(&adapter->reset_task)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 74.726317][ T5313] [ 74.726317][ T5313] but task is already holding lock: [ 74.729378][ T5313] ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 [ 74.733132][ T5313] [ 74.733132][ T5313] which lock already depends on the new lock. [ 74.733132][ T5313] [ 74.737538][ T5313] [ 74.737538][ T5313] the existing dependency chain (in reverse order) is: [ 74.741960][ T5313] [ 74.741960][ T5313] -> #1 (rtnl_mutex){+.+.}-{4:4}: [ 74.745673][ T5313] lock_acquire+0x120/0x360 [ 74.748301][ T5313] __mutex_lock+0x182/0xe80 [ 74.750886][ T5313] e1000_reset_task+0x56/0xc0 [ 74.753464][ T5313] process_scheduled_works+0xadb/0x17a0 [ 74.756484][ T5313] worker_thread+0x8a0/0xda0 [ 74.759034][ T5313] kthread+0x70e/0x8a0 [ 74.761441][ T5313] ret_from_fork+0x4b/0x80 [ 74.763590][ T5313] ret_from_fork_asm+0x1a/0x30 [ 74.765939][ T5313] [ 74.765939][ T5313] -> #0 ((work_completion)(&adapter->reset_task)){+.+.}-{0:0}: [ 74.769859][ T5313] validate_chain+0xb9b/0x2140 [ 74.771908][ T5313] __lock_acquire+0xaac/0xd20 [ 74.773988][ T5313] lock_acquire+0x120/0x360 [ 74.776048][ T5313] __flush_work+0x6b8/0xbc0 [ 74.778120][ T5313] __cancel_work_sync+0xbe/0x110 [ 74.780102][ T5313] e1000_down+0x402/0x6b0 [ 74.782110][ T5313] e1000_close+0x17b/0xa10 [ 74.784138][ T5313] __dev_close_many+0x361/0x6f0 [ 74.786463][ T5313] __dev_change_flags+0x2c7/0x6d0 [ 74.788815][ T5313] netif_change_flags+0x88/0x1a0 [ 74.790960][ T5313] do_setlink+0xcb9/0x40d0 [ 74.792912][ T5313] rtnl_newlink+0x149f/0x1c70 [ 74.795064][ T5313] rtnetlink_rcv_msg+0x7cc/0xb70 [ 74.797199][ T5313] netlink_rcv_skb+0x219/0x490 [ 74.799283][ T5313] netlink_unicast+0x75b/0x8d0 [ 74.801381][ T5313] netlink_sendmsg+0x805/0xb30 [ 74.803559][ T5313] __sock_sendmsg+0x21c/0x270 [ 74.805911][ T5313] ____sys_sendmsg+0x505/0x830 [ 74.808177][ T5313] ___sys_sendmsg+0x21f/0x2a0 [ 74.810465][ T5313] __x64_sys_sendmsg+0x19b/0x260 [ 74.812779][ T5313] do_syscall_64+0xf6/0x210 [ 74.814893][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.817592][ T5313] [ 74.817592][ T5313] other info that might help us debug this: [ 74.817592][ T5313] [ 74.821877][ T5313] Possible unsafe locking scenario: [ 74.821877][ T5313] [ 74.824929][ T5313] CPU0 CPU1 [ 74.827075][ T5313] ---- ---- [ 74.829329][ T5313] lock(rtnl_mutex); [ 74.831066][ T5313] lock((work_completion)(&adapter->reset_task)); [ 74.834788][ T5313] lock(rtnl_mutex); [ 74.837511][ T5313] lock((work_completion)(&adapter->reset_task)); [ 74.840316][ T5313] [ 74.840316][ T5313] *** DEADLOCK *** [ 74.840316][ T5313] [ 74.843714][ T5313] 2 locks held by syz.0.0/5313: [ 74.846262][ T5313] #0: ffffffff8f2fab48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 [ 74.850678][ T5313] #1: ffffffff8df3dee0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 74.854527][ T5313] [ 74.854527][ T5313] stack backtrace: [ 74.857035][ T5313] CPU: 0 UID: 0 PID: 5313 Comm: syz.0.0 Not tainted 6.15.0-rc7-syzkaller-00144-gb1427432d3b6 #0 PREEMPT(full) [ 74.857053][ T5313] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.857061][ T5313] Call Trace: [ 74.857068][ T5313] [ 74.857074][ T5313] dump_stack_lvl+0x189/0x250 [ 74.857096][ T5313] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.857110][ T5313] ? __pfx__printk+0x10/0x10 [ 74.857121][ T5313] ? print_lock_name+0xde/0x100 [ 74.857137][ T5313] print_circular_bug+0x2ee/0x310 [ 74.857149][ T5313] check_noncircular+0x134/0x160 [ 74.857162][ T5313] validate_chain+0xb9b/0x2140 [ 74.857171][ T5313] ? do_raw_spin_lock+0x121/0x290 [ 74.857185][ T5313] ? look_up_lock_class+0x74/0x170 [ 74.857198][ T5313] ? register_lock_class+0x51/0x320 [ 74.857214][ T5313] __lock_acquire+0xaac/0xd20 [ 74.857230][ T5313] ? __flush_work+0xd2/0xbc0 [ 74.857240][ T5313] lock_acquire+0x120/0x360 [ 74.857255][ T5313] ? __flush_work+0xd2/0xbc0 [ 74.857267][ T5313] ? _raw_spin_unlock_irq+0x23/0x50 [ 74.857280][ T5313] ? __flush_work+0xd2/0xbc0 [ 74.857292][ T5313] __flush_work+0x6b8/0xbc0 [ 74.857303][ T5313] ? __flush_work+0xd2/0xbc0 [ 74.857315][ T5313] ? __flush_work+0xd2/0xbc0 [ 74.857326][ T5313] ? __pfx___flush_work+0x10/0x10 [ 74.857338][ T5313] ? __pfx_wq_barrier_func+0x10/0x10 [ 74.857351][ T5313] ? __pfx___cancel_work+0x10/0x10 [ 74.857362][ T5313] ? __local_bh_enable_ip+0x12d/0x1c0 [ 74.857373][ T5313] __cancel_work_sync+0xbe/0x110 [ 74.857385][ T5313] e1000_down+0x402/0x6b0 [ 74.857400][ T5313] ? e1000_down+0xb2/0x6b0 [ 74.857414][ T5313] ? e1000_free_all_tx_resources+0x1b0/0x280 [ 74.857429][ T5313] e1000_close+0x17b/0xa10 [ 74.857443][ T5313] ? do_raw_spin_unlock+0x4d/0x240 [ 74.857455][ T5313] ? dev_deactivate_many+0xb82/0xd40 [ 74.857468][ T5313] ? __pfx_e1000_close+0x10/0x10 [ 74.857482][ T5313] ? dev_deactivate_many+0x258/0xd40 [ 74.857495][ T5313] ? __pfx_e1000_close+0x10/0x10 [ 74.857509][ T5313] __dev_close_many+0x361/0x6f0 [ 74.857524][ T5313] ? __pfx___dev_close_many+0x10/0x10 [ 74.857537][ T5313] __dev_change_flags+0x2c7/0x6d0 [ 74.857550][ T5313] ? __pfx_netif_set_mtu_ext+0x10/0x10 [ 74.857563][ T5313] ? __pfx___dev_change_flags+0x10/0x10 [ 74.857576][ T5313] ? netif_state_change+0x256/0x3a0 [ 74.857586][ T5313] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 74.857631][ T5313] netif_change_flags+0x88/0x1a0 [ 74.857647][ T5313] do_setlink+0xcb9/0x40d0 [ 74.857664][ T5313] ? __pfx_do_setlink+0x10/0x10 [ 74.857676][ T5313] ? do_raw_spin_lock+0x121/0x290 [ 74.857689][ T5313] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.857702][ T5313] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 74.857713][ T5313] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 74.857725][ T5313] ? rcu_is_watching+0x15/0xb0 [ 74.857736][ T5313] ? __mutex_lock+0xa6d/0xe80 [ 74.857748][ T5313] ? __mutex_lock+0x51b/0xe80 [ 74.857761][ T5313] ? rtnl_newlink+0x8db/0x1c70 [ 74.857773][ T5313] ? __pfx___mutex_lock+0x10/0x10 [ 74.857787][ T5313] ? ns_capable+0x8a/0xf0 [ 74.857796][ T5313] ? rtnl_link_get_net_capable+0x16a/0x350 [ 74.857807][ T5313] rtnl_newlink+0x149f/0x1c70 [ 74.857821][ T5313] ? __pfx_rtnl_newlink+0x10/0x10 [ 74.857832][ T5313] ? is_bpf_text_address+0x26/0x2b0 [ 74.857847][ T5313] ? is_bpf_text_address+0x292/0x2b0 [ 74.857861][ T5313] ? __lock_acquire+0xaac/0xd20 [ 74.857877][ T5313] ? __lock_acquire+0xaac/0xd20 [ 74.857894][ T5313] ? is_bpf_text_address+0x26/0x2b0 [ 74.857909][ T5313] ? is_bpf_text_address+0x292/0x2b0 [ 74.857923][ T5313] ? is_bpf_text_address+0x26/0x2b0 [ 74.857937][ T5313] ? aa_get_newest_label+0xf7/0x5d0 [ 74.857957][ T5313] ? __lock_acquire+0xaac/0xd20 [ 74.857977][ T5313] ? __pfx_rtnl_newlink+0x10/0x10 [ 74.857989][ T5313] rtnetlink_rcv_msg+0x7cc/0xb70 [ 74.858001][ T5313] ? kasan_save_track+0x4f/0x80 [ 74.858013][ T5313] ? rtnetlink_rcv_msg+0x1ab/0xb70 [ 74.858024][ T5313] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.858036][ T5313] ? __lock_acquire+0xaac/0xd20 [ 74.858052][ T5313] netlink_rcv_skb+0x219/0x490 [ 74.858066][ T5313] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 74.858078][ T5313] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 74.858094][ T5313] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.858105][ T5313] ? netlink_deliver_tap+0x2e/0x1b0 [ 74.858120][ T5313] netlink_unicast+0x75b/0x8d0 [ 74.858133][ T5313] netlink_sendmsg+0x805/0xb30 [ 74.858148][ T5313] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.858160][ T5313] ? aa_sock_msg_perm+0x94/0x160 [ 74.858172][ T5313] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 74.858183][ T5313] ? __pfx_netlink_sendmsg+0x10/0x10 [ 74.858195][ T5313] __sock_sendmsg+0x21c/0x270 [ 74.858206][ T5313] ____sys_sendmsg+0x505/0x830 [ 74.858221][ T5313] ? __pfx_____sys_sendmsg+0x10/0x10 [ 74.858236][ T5313] ? import_iovec+0x74/0xa0 [ 74.858251][ T5313] ___sys_sendmsg+0x21f/0x2a0 [ 74.858265][ T5313] ? __pfx____sys_sendmsg+0x10/0x10 [ 74.858286][ T5313] ? __fget_files+0x2a/0x420 [ 74.858299][ T5313] ? __fget_files+0x3a0/0x420 [ 74.858313][ T5313] __x64_sys_sendmsg+0x19b/0x260 [ 74.858328][ T5313] ? __pfx___x64_sys_sendmsg+0x10/0x10 [ 74.858345][ T5313] ? do_syscall_64+0xba/0x210 [ 74.858359][ T5313] do_syscall_64+0xf6/0x210 [ 74.858372][ T5313] ? clear_bhb_loop+0x60/0xb0 [ 74.858384][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.858394][ T5313] RIP: 0033:0x7f3840d8e969 [ 74.858406][ T5313] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.858414][ T5313] RSP: 002b:00007f383d1f5038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 74.858426][ T5313] RAX: ffffffffffffffda RBX: 00007f3840fb5fa0 RCX: 00007f3840d8e969 [ 74.858435][ T5313] RDX: 0000000000000000 RSI: 0000200000000140 RDI: 0000000000000004 [ 74.858442][ T5313] RBP: 00007f3840e10ab1 R08: 0000000000000000 R09: 0000000000000000 [ 74.858448][ T5313] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.858454][ T5313] R13: 0000000000000000 R14: 00007f3840fb5fa0 R15: 00007ffeeb207b68 [ 74.858464][ T5313] [ 76.376772][ T4658] Bluetooth: hci0: command tx timeout [ 76.379595][ T1312] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.382353][ T1312] ieee802154 phy1 wpan1: encryption failed: -22 [ 78.456224][ T4658] Bluetooth: hci0: command tx timeout [ 80.536062][ T4658] Bluetooth: hci0: command tx timeout