program: r0 = socket$pppoe(0x18, 0x1, 0x0) connect$pppoe(r0, &(0x7f0000000000)={0x18, 0x0, {0xffff, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x34}, 'hsr0\x00'}}, 0x1e) sendmmsg(r0, &(0x7f0000001cc0), 0x400000000000026, 0x0) r1 = socket$nl_route(0x10, 0x3, 0x0) r2 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'netdevsim0\x00', 0x0}) sendmsg$nl_route(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000980)=@newlink={0x30, 0x10, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, r3}, [@IFLA_AF_SPEC={0x8, 0x1a, 0x0, 0x1, [@AF_INET6={0x4}]}, @IFLA_MTU={0x8, 0x4, 0xe5}]}, 0x30}}, 0x0) [ 141.310697][ T5325] Bluetooth: hci0: command tx timeout [ 141.336261][ T5341] hsr_slave_0: hsr_addr_subst_dest: Unknown node [ 141.339012][ T5341] hsr_slave_1: hsr_addr_subst_dest: Unknown node [ 141.343069][ T5341] hsr_slave_0: hsr_addr_subst_dest: Unknown node [ 141.345878][ T5341] hsr_slave_1: hsr_addr_subst_dest: Unknown node [ 141.348596][ T5341] hsr_slave_0: hsr_addr_subst_dest: Unknown node [ 141.351945][ T5341] hsr_slave_1: hsr_addr_subst_dest: Unknown node [ 141.356528][ T5341] hsr_slave_0: hsr_addr_subst_dest: Unknown node [ 141.358839][ T5341] hsr_slave_1: hsr_addr_subst_dest: Unknown node [ 141.367016][ T5341] hsr_slave_0: hsr_addr_subst_dest: Unknown node [ 141.372254][ T5341] hsr_slave_1: hsr_addr_subst_dest: Unknown node [ 141.384754][ T5341] [ 141.385747][ T5341] ===================================== [ 141.387866][ T5341] WARNING: bad unlock balance detected! [ 141.389917][ T5341] 6.15.0-rc1-syzkaller #0 Not tainted [ 141.392211][ T5341] ------------------------------------- [ 141.394475][ T5341] syz.0.0/5341 is trying to release lock (&dev_instance_lock_key) at: [ 141.397639][ T5341] [] do_setlink+0xc26/0x43a0 [ 141.400264][ T5341] but there are no more locks to release! [ 141.402412][ T5341] [ 141.402412][ T5341] other info that might help us debug this: [ 141.405282][ T5341] 1 lock held by syz.0.0/5341: [ 141.407045][ T5341] #0: ffffffff900fd388 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0xd68/0x1fe0 [ 141.410263][ T5341] [ 141.410263][ T5341] stack backtrace: [ 141.412652][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(full) [ 141.412664][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 141.412671][ T5341] Call Trace: [ 141.412680][ T5341] [ 141.412687][ T5341] dump_stack_lvl+0x241/0x360 [ 141.412711][ T5341] ? __pfx_dump_stack_lvl+0x10/0x10 [ 141.412726][ T5341] ? __pfx__printk+0x10/0x10 [ 141.412740][ T5341] ? print_lock+0x171/0x1a0 [ 141.412754][ T5341] ? do_setlink+0xc26/0x43a0 [ 141.412769][ T5341] print_unlock_imbalance_bug+0x185/0x1a0 [ 141.412795][ T5341] lock_release+0x1ed/0x3e0 [ 141.412809][ T5341] ? do_setlink+0xc26/0x43a0 [ 141.412825][ T5341] ? do_setlink+0xc26/0x43a0 [ 141.412842][ T5341] __mutex_unlock_slowpath+0xee/0x800 [ 141.412857][ T5341] ? validate_linkmsg+0x70e/0xa40 [ 141.412877][ T5341] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 141.412889][ T5341] ? __pfx_validate_linkmsg+0x10/0x10 [ 141.412901][ T5341] ? __kernel_text_address+0xd/0x40 [ 141.412913][ T5341] ? unwind_get_return_address+0x4d/0x90 [ 141.412930][ T5341] do_setlink+0xc26/0x43a0 [ 141.412948][ T5341] ? stack_trace_save+0x11a/0x1d0 [ 141.412964][ T5341] ? __pfx_do_setlink+0x10/0x10 [ 141.412982][ T5341] ? __lock_acquire+0xad5/0xd80 [ 141.412996][ T5341] ? __pfx___mutex_trylock_common+0x10/0x10 [ 141.413014][ T5341] ? rcu_is_watching+0x15/0xb0 [ 141.413027][ T5341] ? trace_contention_end+0x3c/0x120 [ 141.413039][ T5341] ? __mutex_lock+0x380/0x10c0 [ 141.413051][ T5341] ? __pfx_aa_get_newest_label+0x10/0x10 [ 141.413120][ T5341] ? rcu_is_watching+0x15/0xb0 [ 141.413132][ T5341] ? rtnl_newlink+0xd68/0x1fe0 [ 141.413146][ T5341] ? __pfx___mutex_lock+0x10/0x10 [ 141.413161][ T5341] ? ns_capable+0x8a/0xf0 [ 141.413172][ T5341] ? rtnl_link_get_net_capable+0x168/0x340 [ 141.413187][ T5341] rtnl_newlink+0x17e2/0x1fe0 [ 141.413200][ T5341] ? stack_depot_save_flags+0x43f/0x940 [ 141.413214][ T5341] ? __pfx_rtnl_newlink+0x10/0x10 [ 141.413227][ T5341] ? __netlink_deliver_tap+0x561/0x7f0 [ 141.413242][ T5341] ? netlink_deliver_tap+0x19d/0x1b0 [ 141.413254][ T5341] ? netlink_unicast+0x7c6/0x9a0 [ 141.413265][ T5341] ? netlink_sendmsg+0x8c3/0xcd0 [ 141.413277][ T5341] ? __sock_sendmsg+0x221/0x270 [ 141.413290][ T5341] ? ____sys_sendmsg+0x523/0x860 [ 141.413299][ T5341] ? __sys_sendmsg+0x271/0x360 [ 141.413308][ T5341] ? do_syscall_64+0xf3/0x230 [ 141.413320][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 141.413338][ T5341] ? kasan_quarantine_put+0xdc/0x230 [ 141.413350][ T5341] ? lockdep_hardirqs_on+0x9d/0x150 [ 141.413362][ T5341] ? nlmon_xmit+0xaf/0x100 [ 141.413379][ T5341] ? __local_bh_enable_ip+0x168/0x200 [ 141.413389][ T5341] ? lockdep_hardirqs_on+0x9d/0x150 [ 141.413403][ T5341] ? aa_get_newest_label+0x101/0x6f0 [ 141.413419][ T5341] ? __lock_acquire+0xad5/0xd80 [ 141.413434][ T5341] ? __pfx_rtnl_newlink+0x10/0x10 [ 141.413448][ T5341] rtnetlink_rcv_msg+0x80f/0xd70 [ 141.413461][ T5341] ? rtnetlink_rcv_msg+0x1ba/0xd70 [ 141.413476][ T5341] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 141.413490][ T5341] ? ref_tracker_free+0x63e/0x7e0 [ 141.413502][ T5341] netlink_rcv_skb+0x208/0x480 [ 141.413516][ T5341] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 141.413529][ T5341] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 141.413546][ T5341] ? netlink_deliver_tap+0x2e/0x1b0 [ 141.413560][ T5341] ? netlink_deliver_tap+0x2e/0x1b0 [ 141.413573][ T5341] netlink_unicast+0x7f8/0x9a0 [ 141.413587][ T5341] ? __pfx_netlink_unicast+0x10/0x10 [ 141.413599][ T5341] ? skb_put+0x114/0x1f0 [ 141.413609][ T5341] netlink_sendmsg+0x8c3/0xcd0 [ 141.413625][ T5341] ? __pfx_netlink_sendmsg+0x10/0x10 [ 141.413639][ T5341] ? aa_sock_msg_perm+0x91/0x160 [ 141.413654][ T5341] ? __pfx_netlink_sendmsg+0x10/0x10 [ 141.413667][ T5341] __sock_sendmsg+0x221/0x270 [ 141.413681][ T5341] ____sys_sendmsg+0x523/0x860 [ 141.413693][ T5341] ? __pfx_____sys_sendmsg+0x10/0x10 [ 141.413702][ T5341] ? __fget_files+0x2a/0x420 [ 141.413712][ T5341] ? __fget_files+0x2a/0x420 [ 141.413722][ T5341] __sys_sendmsg+0x271/0x360 [ 141.413731][ T5341] ? __lock_acquire+0xad5/0xd80 [ 141.413742][ T5341] ? __pfx___sys_sendmsg+0x10/0x10 [ 141.413763][ T5341] ? do_syscall_64+0xb6/0x230 [ 141.413775][ T5341] do_syscall_64+0xf3/0x230 [ 141.413785][ T5341] ? clear_bhb_loop+0x45/0xa0 [ 141.413796][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 141.413807][ T5341] RIP: 0033:0x7f1c1858d169 [ 141.413820][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 141.413829][ T5341] RSP: 002b:00007f1c1930c038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 141.413843][ T5341] RAX: ffffffffffffffda RBX: 00007f1c187a5fa0 RCX: 00007f1c1858d169 [ 141.413851][ T5341] RDX: 0000000000000000 RSI: 00002000000001c0 RDI: 0000000000000004 [ 141.413858][ T5341] RBP: 00007f1c1860e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 141.413865][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 141.413879][ T5341] R13: 0000000000000000 R14: 00007f1c187a5fa0 R15: 00007fff4e485208 [ 141.413891][ T5341]