program:
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
ftruncate(r0, 0x9)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r1=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000280)={0x1, @null, @bpq0, 0x10001, 'syz0\x00', @default, 0xfffffdb8, 0x2, [@default, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast]})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x6, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @bcast, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]})
r3 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
r4 = syz_open_dev$vim2m(&(0x7f00000001c0), 0x3, 0x2)
ioctl$vim2m_VIDIOC_S_FMT(r4, 0xc0d05605, &(0x7f00000000c0)={0x2, @pix_mp={0x3, 0x3, 0x52424752, 0x9, 0x9, [{0x2, 0x3}, {0x7, 0x6}, {0x9d5, 0x80}, {0x8, 0xc3}, {0x8}, {0x0, 0x20003797}, {0x2, 0x5}, {0x0, 0xd97}], 0xff, 0x4, 0x4, 0x1, 0x2}})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f00000000c0)={0x0, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0xb9, 'syz1\x00', @bcast, 0xd, 0x0, [@null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}]})
ioctl$SIOCNRDECOBS(r0, 0x89e2)
ioctl$sock_ifreq(r3, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})

[   75.244825][ T4658] Bluetooth: hci0: command tx timeout
[   75.322137][ T5310] 
[   75.323172][ T5310] ======================================================
[   75.326128][ T5310] WARNING: possible circular locking dependency detected
[   75.329079][ T5310] 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 Not tainted
[   75.331928][ T5310] ------------------------------------------------------
[   75.334752][ T5310] syz.0.0/5310 is trying to acquire lock:
[   75.337218][ T5310] ffffffff8f44b578 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xa9/0x720
[   75.341173][ T5310] 
[   75.341173][ T5310] but task is already holding lock:
[   75.344552][ T5310] ffffffff8f44b518 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720
[   75.348577][ T5310] 
[   75.348577][ T5310] which lock already depends on the new lock.
[   75.348577][ T5310] 
[   75.353044][ T5310] 
[   75.353044][ T5310] the existing dependency chain (in reverse order) is:
[   75.356714][ T5310] 
[   75.356714][ T5310] -> #2 (nr_neigh_list_lock){+...}-{3:3}:
[   75.360191][ T5310]        lock_acquire+0x120/0x360
[   75.362296][ T5310]        _raw_spin_lock_bh+0x36/0x50
[   75.364530][ T5310]        nr_rt_ioctl+0x390/0xd50
[   75.366721][ T5310]        sock_do_ioctl+0xd9/0x300
[   75.368916][ T5310]        sock_ioctl+0x576/0x790
[   75.371041][ T5310]        __se_sys_ioctl+0xf9/0x170
[   75.373252][ T5310]        do_syscall_64+0xf6/0x210
[   75.375555][ T5310]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.378427][ T5310] 
[   75.378427][ T5310] -> #1 (&nr_node->node_lock){+...}-{3:3}:
[   75.381829][ T5310]        lock_acquire+0x120/0x360
[   75.384038][ T5310]        _raw_spin_lock_bh+0x36/0x50
[   75.386344][ T5310]        nr_rt_ioctl+0x193/0xd50
[   75.388525][ T5310]        sock_do_ioctl+0xd9/0x300
[   75.390684][ T5310]        sock_ioctl+0x576/0x790
[   75.392825][ T5310]        __se_sys_ioctl+0xf9/0x170
[   75.395097][ T5310]        do_syscall_64+0xf6/0x210
[   75.397321][ T5310]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.400150][ T5310] 
[   75.400150][ T5310] -> #0 (nr_node_list_lock){+...}-{3:3}:
[   75.403623][ T5310]        validate_chain+0xb9b/0x2140
[   75.405972][ T5310]        __lock_acquire+0xaac/0xd20
[   75.408326][ T5310]        lock_acquire+0x120/0x360
[   75.410587][ T5310]        _raw_spin_lock_bh+0x36/0x50
[   75.413044][ T5310]        nr_rt_device_down+0xa9/0x720
[   75.415341][ T5310]        nr_device_event+0x137/0x150
[   75.417687][ T5310]        notifier_call_chain+0x1b3/0x3e0
[   75.420205][ T5310]        dev_close_many+0x29c/0x410
[   75.422444][ T5310]        netif_close+0x158/0x210
[   75.424933][ T5310]        dev_close+0x10a/0x220
[   75.426982][ T5310]        bpq_device_event+0x2f4/0x600
[   75.429342][ T5310]        notifier_call_chain+0x1b3/0x3e0
[   75.431785][ T5310]        dev_close_many+0x29c/0x410
[   75.434027][ T5310]        netif_close+0x158/0x210
[   75.436147][ T5310]        dev_close+0x10a/0x220
[   75.438254][ T5310]        bond_setup_by_slave+0x5f/0x3f0
[   75.440731][ T5310]        bond_enslave+0x7b4/0x3a40
[   75.443008][ T5310]        bond_do_ioctl+0x635/0x9b0
[   75.445206][ T5310]        dev_ifsioc+0x908/0xf00
[   75.447438][ T5310]        dev_ioctl+0x7b4/0x1150
[   75.449530][ T5310]        sock_do_ioctl+0x22c/0x300
[   75.451687][ T5310]        sock_ioctl+0x576/0x790
[   75.453822][ T5310]        __se_sys_ioctl+0xf9/0x170
[   75.456098][ T5310]        do_syscall_64+0xf6/0x210
[   75.458310][ T5310]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.460887][ T5310] 
[   75.460887][ T5310] other info that might help us debug this:
[   75.460887][ T5310] 
[   75.465591][ T5310] Chain exists of:
[   75.465591][ T5310]   nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock
[   75.465591][ T5310] 
[   75.471304][ T5310]  Possible unsafe locking scenario:
[   75.471304][ T5310] 
[   75.474577][ T5310]        CPU0                    CPU1
[   75.476735][ T5310]        ----                    ----
[   75.479063][ T5310]   lock(nr_neigh_list_lock);
[   75.481215][ T5310]                                lock(&nr_node->node_lock);
[   75.484407][ T5310]                                lock(nr_neigh_list_lock);
[   75.487599][ T5310]   lock(nr_node_list_lock);
[   75.490026][ T5310] 
[   75.490026][ T5310]  *** DEADLOCK ***
[   75.490026][ T5310] 
[   75.493833][ T5310] 2 locks held by syz.0.0/5310:
[   75.495923][ T5310]  #0: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7a4/0x1150
[   75.500125][ T5310]  #1: ffffffff8f44b518 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720
[   75.505288][ T5310] 
[   75.505288][ T5310] stack backtrace:
[   75.508034][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: syz.0.0 Not tainted 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 PREEMPT(full) 
[   75.508051][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.508059][ T5310] Call Trace:
[   75.508066][ T5310]  <TASK>
[   75.508074][ T5310]  dump_stack_lvl+0x189/0x250
[   75.508096][ T5310]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.508112][ T5310]  ? __pfx__printk+0x10/0x10
[   75.508124][ T5310]  ? print_lock_name+0xde/0x100
[   75.508142][ T5310]  print_circular_bug+0x2ee/0x310
[   75.508154][ T5310]  check_noncircular+0x134/0x160
[   75.508166][ T5310]  validate_chain+0xb9b/0x2140
[   75.508175][ T5310]  ? neigh_ifdown+0x1f/0x30
[   75.508190][ T5310]  ? rt6_disable_ip+0x6b3/0x720
[   75.508202][ T5310]  ? rcu_is_watching+0x15/0xb0
[   75.508217][ T5310]  __lock_acquire+0xaac/0xd20
[   75.508231][ T5310]  ? nr_rt_device_down+0xa9/0x720
[   75.508244][ T5310]  lock_acquire+0x120/0x360
[   75.508256][ T5310]  ? nr_rt_device_down+0xa9/0x720
[   75.508269][ T5310]  ? nr_rt_device_down+0xa9/0x720
[   75.508282][ T5310]  _raw_spin_lock_bh+0x36/0x50
[   75.508293][ T5310]  ? nr_rt_device_down+0xa9/0x720
[   75.508305][ T5310]  nr_rt_device_down+0xa9/0x720
[   75.508319][ T5310]  ? do_raw_spin_unlock+0x4d/0x240
[   75.508331][ T5310]  nr_device_event+0x137/0x150
[   75.508343][ T5310]  notifier_call_chain+0x1b3/0x3e0
[   75.508353][ T5310]  dev_close_many+0x29c/0x410
[   75.508364][ T5310]  ? __pfx_dev_close_many+0x10/0x10
[   75.508374][ T5310]  ? __try_to_del_timer_sync+0x34a/0x3a0
[   75.508386][ T5310]  ? bond_netdev_event+0x227/0xe80
[   75.508397][ T5310]  netif_close+0x158/0x210
[   75.508406][ T5310]  ? __pfx_netif_close+0x10/0x10
[   75.508415][ T5310]  ? tun_device_event+0x77/0x1020
[   75.508431][ T5310]  dev_close+0x10a/0x220
[   75.508445][ T5310]  bpq_device_event+0x2f4/0x600
[   75.508457][ T5310]  notifier_call_chain+0x1b3/0x3e0
[   75.508468][ T5310]  dev_close_many+0x29c/0x410
[   75.508478][ T5310]  ? __pfx_dev_close_many+0x10/0x10
[   75.508488][ T5310]  ? __lock_acquire+0xaac/0xd20
[   75.508504][ T5310]  netif_close+0x158/0x210
[   75.508520][ T5310]  ? __pfx_netif_close+0x10/0x10
[   75.508530][ T5310]  ? do_raw_spin_lock+0x121/0x290
[   75.508542][ T5310]  ? __local_bh_enable_ip+0x12d/0x1c0
[   75.508559][ T5310]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.508570][ T5310]  dev_close+0x10a/0x220
[   75.508581][ T5310]  bond_setup_by_slave+0x5f/0x3f0
[   75.508593][ T5310]  bond_enslave+0x7b4/0x3a40
[   75.508610][ T5310]  ? finish_task_switch+0x266/0x950
[   75.508626][ T5310]  ? __schedule+0x1700/0x4cd0
[   75.508637][ T5310]  ? __pfx_bond_enslave+0x10/0x10
[   75.508646][ T5310]  ? __lock_acquire+0xaac/0xd20
[   75.508664][ T5310]  ? apparmor_capable+0x137/0x1b0
[   75.508679][ T5310]  ? full_name_hash+0x92/0xe0
[   75.508697][ T5310]  ? netdev_name_node_lookup+0xdf/0x120
[   75.508715][ T5310]  bond_do_ioctl+0x635/0x9b0
[   75.508733][ T5310]  ? __pfx_bond_do_ioctl+0x10/0x10
[   75.508751][ T5310]  ? __mutex_lock+0xa6d/0xe80
[   75.508764][ T5310]  ? full_name_hash+0x92/0xe0
[   75.508778][ T5310]  ? netdev_name_node_lookup+0xdf/0x120
[   75.508792][ T5310]  dev_ifsioc+0x908/0xf00
[   75.508803][ T5310]  ? dev_load+0x21/0x1f0
[   75.508811][ T5310]  dev_ioctl+0x7b4/0x1150
[   75.508822][ T5310]  sock_do_ioctl+0x22c/0x300
[   75.508837][ T5310]  ? __pfx_sock_do_ioctl+0x10/0x10
[   75.508853][ T5310]  sock_ioctl+0x576/0x790
[   75.508866][ T5310]  ? __pfx_sock_ioctl+0x10/0x10
[   75.508880][ T5310]  ? __fget_files+0x3a0/0x420
[   75.508893][ T5310]  ? __fget_files+0x2a/0x420
[   75.508904][ T5310]  ? bpf_lsm_file_ioctl+0x9/0x20
[   75.508917][ T5310]  ? __pfx_sock_ioctl+0x10/0x10
[   75.508929][ T5310]  __se_sys_ioctl+0xf9/0x170
[   75.508940][ T5310]  do_syscall_64+0xf6/0x210
[   75.508952][ T5310]  ? clear_bhb_loop+0x45/0xa0
[   75.508963][ T5310]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.508973][ T5310] RIP: 0033:0x7f035838e969
[   75.508984][ T5310] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   75.508995][ T5310] RSP: 002b:00007f03591ff038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   75.509007][ T5310] RAX: ffffffffffffffda RBX: 00007f03585b5fa0 RCX: 00007f035838e969
[   75.509015][ T5310] RDX: 0000200000000180 RSI: 0000000000008990 RDI: 0000000000000008
[   75.509024][ T5310] RBP: 00007f0358410ab1 R08: 0000000000000000 R09: 0000000000000000
[   75.509032][ T5310] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   75.509040][ T5310] R13: 0000000000000000 R14: 00007f03585b5fa0 R15: 00007ffc31b13dc8
[   75.509052][ T5310]  </TASK>
[   75.801231][ T5310] 8021q: adding VLAN 0 to HW filter on device bond0
[   75.806412][ T5310] bond0: (slave rose0): Enslaving as an active interface with an up link