program:
r0 = socket(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff})
bpf$PROG_LOAD(0x5, &(0x7f00000054c0)={0x3, 0x16, &(0x7f0000000b00)=ANY=[], &(0x7f0000000380)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls=0x18, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0})
sendmsg$nl_route_sched(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000140)=@newqdisc={0xffffffffffffffce, 0x24, 0xf0b, 0x0, 0x0, {0x60, 0x0, 0x0, r2, {0x0, 0x10}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_cake={{0x9}, {0x4}}]}, 0x34}}, 0x0)
bpf$BPF_PROG_QUERY(0x10, 0x0, 0xfffffffffffffc3a)
r3 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000340)='/proc/sys/net/ipv4/tcp_mtu_probing\x00', 0x1, 0x0)
getsockname$packet(0xffffffffffffffff, 0x0, 0x0)
ioctl$DRM_IOCTL_PRIME_HANDLE_TO_FD(0xffffffffffffffff, 0xc00c642d, &(0x7f0000000180)={0x0, 0x80000, 0xffffffffffffffff})
ioctl$DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD_FD(r4, 0xc01064c1, &(0x7f0000000300))
sendmsg$nl_route_sched(0xffffffffffffffff, 0x0, 0x0)
pwritev2(r3, &(0x7f00000001c0)=[{&(0x7f0000000040)='4', 0x1}], 0x1, 0x0, 0x2, 0x4)
r5 = socket$inet_mptcp(0x2, 0x1, 0x106)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x0, 0x5d032, 0xffffffffffffffff, 0x0)
r6 = syz_open_dev$sndpcmp(&(0x7f0000000000), 0x0, 0x0)
r7 = socket$inet_udplite(0x2, 0x2, 0x88)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000340)={'veth0_vlan\x00', 0x0})
r9 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_inet_SIOCSIFDSTADDR(r9, 0x8918, 0x0)
r10 = socket$inet6(0xa, 0x80002, 0x0)
r11 = io_uring_setup(0x79a5, &(0x7f0000000240)={0x0, 0xa1a6, 0x8, 0x0, 0x7a2})
io_uring_register$IORING_UNREGISTER_PERSONALITY(r11, 0x19, 0x20000028, 0x0)
setsockopt$inet6_mreq(r10, 0x29, 0x1b, &(0x7f0000000100)={@remote, r8}, 0x14)
r12 = socket$inet6(0xa, 0x1,
0x100)
bind$inet6(r12, &(0x7f00000000c0)={0xa, 0x4e21, 0xb, @empty}, 0x1c)
connect$inet6(r12, &(0x7f0000000000)={0xa, 0x4e21, 0x0, @ipv4={'\x00', '\xff\xff', @dev={0xac, 0x14, 0x14, 0x39}}}, 0x1c)
setsockopt$inet6_mreq(r10, 0x29, 0x1c, &(0x7f0000000200)={@private2, r8}, 0x14)
ioctl$SNDRV_PCM_IOCTL_CHANNEL_INFO(r6, 0x80184132, 0x0)
bind$inet(r5, &(0x7f0000000040)={0x2, 0x4e21, @empty}, 0x10)
connect$inet(r5, &(0x7f0000000140)={0x2, 0x4e21, @empty}, 0x10)
[ 68.551018][ T4671] Bluetooth: hci0: command tx timeout
[ 68.611800][ T5326] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 68.654489][ T5326]
[ 68.655540][ T5326] ======================================================
[ 68.658318][ T5326] WARNING: possible circular locking dependency detected
[ 68.661181][ T5326] 6.15.0-rc2-syzkaller-00042-g1a1d569a75f3 #0 Not tainted
[ 68.663784][ T5326] ------------------------------------------------------
[ 68.666273][ T5326] syz.0.0/5326 is trying to acquire lock:
[ 68.668259][ T5326] ffffffff900fd588 (rtnl_mutex){+.+.}-{4:4}, at: smc_vlan_by_tcpsk+0x39b/0x4f0
[ 68.672053][ T5326]
[ 68.672053][ T5326] but task is already holding lock:
[ 68.674905][ T5326] ffff888053528258 (sk_lock-AF_INET6){+.+.}-{0:0}, at: smc_connect+0xb7/0xde0
[ 68.678277][ T5326]
[ 68.678277][ T5326] which lock already depends on the new lock.
[ 68.678277][ T5326]
[ 68.682522][ T5326]
[ 68.682522][ T5326] the existing dependency chain (in reverse order) is:
[ 68.686158][ T5326]
[ 68.686158][ T5326] -> #1 (sk_lock-AF_INET6){+.+.}-{0:0}:
[ 68.689909][ T5326]        lock_acquire+0x116/0x2f0
[ 68.692360][ T5326]        lock_sock_nested+0x48/0x100
[ 68.694995][ T5326]        do_ipv6_setsockopt+0xccd/0x3680
[ 68.697862][ T5326]        ipv6_setsockopt+0x5d/0x170
[ 68.700213][ T5326]        do_sock_setsockopt+0x3b1/0x710
[ 68.703047][ T5326]        __x64_sys_setsockopt+0x1ee/0x280
[ 68.705272][ T5326]        do_syscall_64+0xf3/0x230
[ 68.707188][ T5326]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.709584][ T5326]
[ 68.709584][ T5326] -> #0 (rtnl_mutex){+.+.}-{4:4}:
[ 68.712116][ T5326]        validate_chain+0xa69/0x24e0
[ 68.713927][ T5326]        __lock_acquire+0xad5/0xd80
[ 68.715733][ T5326]        lock_acquire+0x116/0x2f0
[ 68.717517][ T5326]        __mutex_lock+0x1a5/0x10c0
[ 68.719353][ T5326]        smc_vlan_by_tcpsk+0x39b/0x4f0
[ 68.721438][ T5326]        __smc_connect+0x296/0x1920
[ 68.723285][ T5326]        smc_connect+0x868/0xde0
[ 68.725202][ T5326]        __sys_connect+0x28c/0x2d0
[ 68.727056][ T5326]        __x64_sys_connect+0x7a/0x90
[ 68.729021][ T5326]        do_syscall_64+0xf3/0x230
[ 68.731104][ T5326]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.733811][ T5326]
[ 68.733811][ T5326] other info that might help us debug this:
[ 68.733811][ T5326]
[ 68.737361][ T5326]  Possible unsafe locking scenario:
[ 68.737361][ T5326]
[ 68.740129][ T5326]        CPU0                    CPU1
[ 68.742058][ T5326]        ----                    ----
[ 68.744136][ T5326]   lock(sk_lock-AF_INET6);
[ 68.746080][ T5326]                                lock(rtnl_mutex);
[ 68.748472][ T5326]                                lock(sk_lock-AF_INET6);
[ 68.751009][ T5326]   lock(rtnl_mutex);
[ 68.752519][ T5326]
[ 68.752519][ T5326]  *** DEADLOCK ***
[ 68.752519][ T5326]
[ 68.755592][ T5326] 1 lock held by syz.0.0/5326:
[ 68.757459][ T5326]  #0: ffff888053528258 (sk_lock-AF_INET6){+.+.}-{0:0}, at: smc_connect+0xb7/0xde0
[ 68.761086][ T5326]
[ 68.761086][ T5326] stack backtrace:
[ 68.763464][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted
6.15.0-rc2-syzkaller-00042-g1a1d569a75f3 #0 PREEMPT(full)
[ 68.763479][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.763487][ T5326] Call Trace:
[ 68.763493][ T5326]
[ 68.763499][ T5326]  dump_stack_lvl+0x241/0x360
[ 68.763520][ T5326]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.763537][ T5326]  ? __pfx__printk+0x10/0x10
[ 68.763553][ T5326]  ? print_lock+0x171/0x1a0
[ 68.763568][ T5326]  print_circular_bug+0x2e1/0x300
[ 68.763583][ T5326]  check_noncircular+0x142/0x160
[ 68.763598][ T5326]  validate_chain+0xa69/0x24e0
[ 68.763616][ T5326]  __lock_acquire+0xad5/0xd80
[ 68.763629][ T5326]  lock_acquire+0x116/0x2f0
[ 68.763638][ T5326]  ? smc_vlan_by_tcpsk+0x39b/0x4f0
[ 68.763654][ T5326]  ? kasan_save_track+0x51/0x80
[ 68.763708][ T5326]  __mutex_lock+0x1a5/0x10c0
[ 68.763723][ T5326]  ? smc_vlan_by_tcpsk+0x39b/0x4f0
[ 68.763740][ T5326]  ? smc_vlan_by_tcpsk+0x39b/0x4f0
[ 68.763753][ T5326]  ? __pfx___mutex_lock+0x10/0x10
[ 68.763769][ T5326]  smc_vlan_by_tcpsk+0x39b/0x4f0
[ 68.763782][ T5326]  ? __pfx_smc_vlan_by_tcpsk+0x10/0x10
[ 68.763796][ T5326]  ? __kmalloc_cache_noprof+0x236/0x370
[ 68.763810][ T5326]  ? __smc_connect+0x1c7/0x1920
[ 68.763821][ T5326]  __smc_connect+0x296/0x1920
[ 68.763834][ T5326]  ? do_raw_spin_unlock+0x58/0x8b0
[ 68.763850][ T5326]  smc_connect+0x868/0xde0
[ 68.763862][ T5326]  __sys_connect+0x28c/0x2d0
[ 68.763879][ T5326]  ? __pfx___sys_connect+0x10/0x10
[ 68.763899][ T5326]  __x64_sys_connect+0x7a/0x90
[ 68.763915][ T5326]  do_syscall_64+0xf3/0x230
[ 68.763928][ T5326]  ?
clear_bhb_loop+0x45/0xa0
[ 68.763940][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.763951][ T5326] RIP: 0033:0x7fdecb78e169
[ 68.763963][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.763972][ T5326] RSP: 002b:00007fdecc5ef038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 68.763984][ T5326] RAX: ffffffffffffffda RBX: 00007fdecb9b5fa0 RCX: 00007fdecb78e169
[ 68.763992][ T5326] RDX: 000000000000001c RSI: 0000200000000000 RDI: 000000000000000d
[ 68.764000][ T5326] RBP: 00007fdecb810a68 R08: 0000000000000000 R09: 0000000000000000
[ 68.764006][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 68.764013][ T5326] R13: 0000000000000000 R14: 00007fdecb9b5fa0 R15: 00007ffe352a1aa8
[ 68.764023][ T5326]