program:
r0 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7400}, 0x0)
r1 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r1, &(0x7f0000000600)={0x0, 0x0, &(0x7f00000005c0)=[{&(0x7f0000000380)="2e00000010008188e6b62aa73772cc9f1ba1f848110000005e140602000000000e000a001000000002900000121f", 0x2e}], 0x1}, 0x0)
r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000640)=ANY=[@ANYBLOB="170000000000000004000000ff"], 0x48)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r2, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000005900000095"], 0x0}, 0x90)
r3 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000001b40)='sched_switch\x00', r3}, 0x10)
sendmsg$kcm(r0, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000040)="2e00000010008188040f80ec59acbc0413a1f848110000005e140602000000000e000a000f00000002800000121f", 0x2e}], 0x1}, 0x0)

[ 85.690265][ T5310] Bluetooth: hci0: command tx timeout
[ 85.757346][ T5334] netlink: 'syz.0.0': attribute type 10 has an invalid length.
[ 85.825380][ T5334] team0: Port device dummy0 added
[ 85.851409][ T5334] netlink: 'syz.0.0': attribute type 10 has an invalid length.
[ 85.863859][ T5334]
[ 85.865019][ T5334] ======================================================
[ 85.868242][ T5334] WARNING: possible circular locking dependency detected
[ 85.871367][ T5334] 6.16.0-syzkaller-04405-g4b290aae788e #0 Not tainted
[ 85.874351][ T5334] ------------------------------------------------------
[ 85.877438][ T5334] syz.0.0/5334 is trying to acquire lock:
[ 85.879908][ T5334] ffff888043f5ce00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event+0x182/0xa20
[ 85.884357][ T5334]
[ 85.884357][ T5334] but task is already holding lock:
[ 85.887737][ T5334] ffff888011d3cd38 (&dev_instance_lock_key#3){+.+.}-{4:4}, at: do_setlink+0x388/0x41c0
[ 85.891970][ T5334]
[ 85.891970][ T5334] which lock already depends on the new lock.
[ 85.891970][ T5334]
[ 85.896510][ T5334]
[ 85.896510][ T5334] the existing dependency chain (in reverse order) is:
[ 85.900545][ T5334]
[ 85.900545][ T5334] -> #1 (&dev_instance_lock_key#3){+.+.}-{4:4}:
[ 85.904256][ T5334]        lock_acquire+0x120/0x360
[ 85.906503][ T5334]        __mutex_lock+0x187/0x1340
[ 85.908941][ T5334]        dev_set_mtu+0x10e/0x260
[ 85.911010][ T5334]        team_add_slave+0x8b8/0x2840
[ 85.913325][ T5334]        do_set_master+0x530/0x6d0
[ 85.915606][ T5334]        do_setlink+0xcf0/0x41c0
[ 85.917732][ T5334]        rtnl_newlink+0x160b/0x1c70
[ 85.920123][ T5334]        rtnetlink_rcv_msg+0x7cc/0xb70
[ 85.922842][ T5334]        netlink_rcv_skb+0x205/0x470
[ 85.925092][ T5334]        netlink_unicast+0x75c/0x8e0
[ 85.927200][ T5334]        netlink_sendmsg+0x805/0xb30
[ 85.929444][ T5334]        __sock_sendmsg+0x21c/0x270
[ 85.931694][ T5334]        ____sys_sendmsg+0x505/0x830
[ 85.933895][ T5334]        ___sys_sendmsg+0x21f/0x2a0
[ 85.936229][ T5334]        __x64_sys_sendmsg+0x19b/0x260
[ 85.938581][ T5334]        do_syscall_64+0xfa/0x3b0
[ 85.940758][ T5334]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.943467][ T5334]
[ 85.943467][ T5334] -> #0 (team->team_lock_key){+.+.}-{4:4}:
[ 85.946881][ T5334]        validate_chain+0xb9b/0x2140
[ 85.949082][ T5334]        __lock_acquire+0xab9/0xd20
[ 85.951387][ T5334]        lock_acquire+0x120/0x360
[ 85.953509][ T5334]        __mutex_lock+0x187/0x1340
[ 85.955593][ T5334]        team_device_event+0x182/0xa20
[ 85.957852][ T5334]        notifier_call_chain+0x1b6/0x3e0
[ 85.960196][ T5334]        __dev_notify_flags+0x18d/0x2e0
[ 85.962568][ T5334]        netif_change_flags+0xe8/0x1a0
[ 85.964862][ T5334]        do_setlink+0xc55/0x41c0
[ 85.966945][ T5334]        rtnl_newlink+0x160b/0x1c70
[ 85.969094][ T5334]        rtnetlink_rcv_msg+0x7cc/0xb70
[ 85.971489][ T5334]        netlink_rcv_skb+0x205/0x470
[ 85.973754][ T5334]        netlink_unicast+0x75c/0x8e0
[ 85.976083][ T5334]        netlink_sendmsg+0x805/0xb30
[ 85.978314][ T5334]        __sock_sendmsg+0x21c/0x270
[ 85.980456][ T5334]        ____sys_sendmsg+0x505/0x830
[ 85.982722][ T5334]        ___sys_sendmsg+0x21f/0x2a0
[ 85.984895][ T5334]        __x64_sys_sendmsg+0x19b/0x260
[ 85.987236][ T5334]        do_syscall_64+0xfa/0x3b0
[ 85.989465][ T5334]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.992482][ T5334]
[ 85.992482][ T5334] other info that might help us debug this:
[ 85.992482][ T5334]
[ 85.997837][ T5334]  Possible unsafe locking scenario:
[ 85.997837][ T5334]
[ 86.000987][ T5334]        CPU0                    CPU1
[ 86.003378][ T5334]        ----                    ----
[ 86.005609][ T5334]   lock(&dev_instance_lock_key#3);
[ 86.007861][ T5334]                                lock(team->team_lock_key);
[ 86.010830][ T5334]                                lock(&dev_instance_lock_key#3);
[ 86.013967][ T5334]   lock(team->team_lock_key);
[ 86.016125][ T5334]
[ 86.016125][ T5334]  *** DEADLOCK ***
[ 86.016125][ T5334]
[ 86.019532][ T5334] 2 locks held by syz.0.0/5334:
[ 86.021639][ T5334]  #0: ffffffff8f506548 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70
[ 86.025869][ T5334]  #1: ffff888011d3cd38 (&dev_instance_lock_key#3){+.+.}-{4:4}, at: do_setlink+0x388/0x41c0
[ 86.030214][ T5334]
[ 86.030214][ T5334] stack backtrace:
[ 86.032883][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted 6.16.0-syzkaller-04405-g4b290aae788e #0 PREEMPT(full)
[ 86.032908][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.032920][ T5334] Call Trace:
[ 86.032928][ T5334]
[ 86.032936][ T5334]  dump_stack_lvl+0x189/0x250
[ 86.032955][ T5334]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.032966][ T5334]  ? __pfx__printk+0x10/0x10
[ 86.032981][ T5334]  ? print_lock_name+0xde/0x100
[ 86.033002][ T5334]  print_circular_bug+0x2ee/0x310
[ 86.033038][ T5334]  check_noncircular+0x134/0x160
[ 86.033062][ T5334]  validate_chain+0xb9b/0x2140
[ 86.033077][ T5334]  ? __lock_acquire+0xab9/0xd20
[ 86.033094][ T5334]  __lock_acquire+0xab9/0xd20
[ 86.033111][ T5334]  ? team_device_event+0x182/0xa20
[ 86.033126][ T5334]  lock_acquire+0x120/0x360
[ 86.033151][ T5334]  ? team_device_event+0x182/0xa20
[ 86.033169][ T5334]  __mutex_lock+0x187/0x1340
[ 86.033186][ T5334]  ? team_device_event+0x182/0xa20
[ 86.033196][ T5334]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.033210][ T5334]  ? team_device_event+0x182/0xa20
[ 86.033221][ T5334]  ? __pfx___mutex_lock+0x10/0x10
[ 86.033233][ T5334]  ? __timer_delete_sync+0x218/0x2d0
[ 86.033260][ T5334]  team_device_event+0x182/0xa20
[ 86.033278][ T5334]  notifier_call_chain+0x1b6/0x3e0
[ 86.033295][ T5334]  __dev_notify_flags+0x18d/0x2e0
[ 86.033312][ T5334]  ? __pfx___dev_notify_flags+0x10/0x10
[ 86.033329][ T5334]  ? __dev_change_flags+0x4cc/0x6d0
[ 86.033347][ T5334]  ? __pfx___dev_change_flags+0x10/0x10
[ 86.033358][ T5334]  ? finish_task_switch+0x266/0x950
[ 86.033373][ T5334]  netif_change_flags+0xe8/0x1a0
[ 86.033385][ T5334]  do_setlink+0xc55/0x41c0
[ 86.033404][ T5334]  ? __lock_acquire+0xab9/0xd20
[ 86.033421][ T5334]  ? __pfx_do_setlink+0x10/0x10
[ 86.033435][ T5334]  ? __lock_acquire+0xab9/0xd20
[ 86.033453][ T5334]  ? _raw_spin_unlock_irqrestore+0x85/0x110
[ 86.033462][ T5334]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.033472][ T5334]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 86.033481][ T5334]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.033491][ T5334]  ? rcu_is_watching+0x15/0xb0
[ 86.033502][ T5334]  ? __mutex_lock+0xd0d/0x1340
[ 86.033517][ T5334]  ? __mutex_lock+0x5b6/0x1340
[ 86.033531][ T5334]  ? rtnl_newlink+0x8db/0x1c70
[ 86.033545][ T5334]  ? __pfx___mutex_lock+0x10/0x10
[ 86.033560][ T5334]  ? ns_capable+0x8a/0xf0
[ 86.033570][ T5334]  ? rtnl_link_get_net_capable+0x16a/0x350
[ 86.033588][ T5334]  rtnl_newlink+0x160b/0x1c70
[ 86.033604][ T5334]  ? netlink_sendmsg+0x805/0xb30
[ 86.033616][ T5334]  ? __pfx_rtnl_newlink+0x10/0x10
[ 86.033633][ T5334]  ? kasan_quarantine_put+0xdd/0x220
[ 86.033703][ T5334]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.033719][ T5334]  ? nlmon_xmit+0xb0/0x100
[ 86.033732][ T5334]  ? kmem_cache_free+0x18f/0x400
[ 86.033747][ T5334]  ? __local_bh_enable_ip+0x12d/0x1c0
[ 86.033759][ T5334]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.033772][ T5334]  ? __local_bh_enable_ip+0x12d/0x1c0
[ 86.033781][ T5334]  ? __pfx___local_bh_enable_ip+0x10/0x10
[ 86.033791][ T5334]  ? __dev_queue_xmit+0x27e/0x3a70
[ 86.033806][ T5334]  ? __lock_acquire+0xab9/0xd20
[ 86.033826][ T5334]  ? __pfx_rtnl_newlink+0x10/0x10
[ 86.033840][ T5334]  rtnetlink_rcv_msg+0x7cc/0xb70
[ 86.033854][ T5334]  ? rtnetlink_rcv_msg+0x1ab/0xb70
[ 86.033867][ T5334]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 86.033880][ T5334]  ? ref_tracker_free+0x63a/0x7d0
[ 86.033893][ T5334]  ? __copy_skb_header+0xa7/0x550
[ 86.033903][ T5334]  ? __pfx_ref_tracker_free+0x10/0x10
[ 86.033917][ T5334]  ? __skb_clone+0x63/0x7a0
[ 86.033930][ T5334]  netlink_rcv_skb+0x205/0x470
[ 86.033948][ T5334]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[ 86.033962][ T5334]  ? __pfx_netlink_rcv_skb+0x10/0x10
[ 86.033980][ T5334]  ? netlink_deliver_tap+0x2e/0x1b0
[ 86.033994][ T5334]  ? netlink_deliver_tap+0x2e/0x1b0
[ 86.034016][ T5334]  netlink_unicast+0x75c/0x8e0
[ 86.034034][ T5334]  netlink_sendmsg+0x805/0xb30
[ 86.034047][ T5334]  ? __pfx_netlink_sendmsg+0x10/0x10
[ 86.034058][ T5334]  ? aa_sock_msg_perm+0x94/0x160
[ 86.034068][ T5334]  ? bpf_lsm_socket_sendmsg+0x9/0x20
[ 86.034082][ T5334]  ? __pfx_netlink_sendmsg+0x10/0x10
[ 86.034090][ T5334]  __sock_sendmsg+0x21c/0x270
[ 86.034102][ T5334]  ____sys_sendmsg+0x505/0x830
[ 86.034113][ T5334]  ? __pfx_____sys_sendmsg+0x10/0x10
[ 86.034125][ T5334]  ? import_iovec+0x74/0xa0
[ 86.034137][ T5334]  ___sys_sendmsg+0x21f/0x2a0
[ 86.034147][ T5334]  ? __pfx____sys_sendmsg+0x10/0x10
[ 86.034163][ T5334]  ? __fget_files+0x2a/0x420
[ 86.034172][ T5334]  ? __fget_files+0x3a0/0x420
[ 86.034181][ T5334]  __x64_sys_sendmsg+0x19b/0x260
[ 86.034188][ T5334]  ? __pfx___x64_sys_sendmsg+0x10/0x10
[ 86.034195][ T5334]  ? rcu_is_watching+0x15/0xb0
[ 86.034202][ T5334]  ? do_syscall_64+0xbe/0x3b0
[ 86.034211][ T5334]  do_syscall_64+0xfa/0x3b0
[ 86.034219][ T5334]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.034228][ T5334]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.034238][ T5334]  ? clear_bhb_loop+0x60/0xb0
[ 86.034248][ T5334]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.034259][ T5334] RIP: 0033:0x7f69dcf8e9a9
[ 86.034269][ T5334] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 86.034277][ T5334] RSP: 002b:00007f69dddba038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 86.034290][ T5334] RAX: ffffffffffffffda RBX: 00007f69dd1b5fa0 RCX: 00007f69dcf8e9a9
[ 86.034297][ T5334] RDX: 0000000000000000 RSI: 0000200000000600 RDI: 0000000000000003
[ 86.034303][ T5334] RBP: 00007f69dd010d69 R08: 0000000000000000 R09: 0000000000000000
[ 86.034310][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.034317][ T5334] R13: 0000000000000000 R14: 00007f69dd1b5fa0 R15: 00007ffd1ce90dd8
[ 86.034329][ T5334]
[ 86.298033][ T5334] team0: Port device dummy0 removed
[ 86.303679][ T5334] bond0: (slave dummy0): Enslaving as an active interface with an up link
[ 86.316054][ T5334] syz.0.0 (5334) used greatest stack depth: 19704 bytes left