program:
r0 = socket$pppoe(0x18, 0x1, 0x0)
connect$pppoe(r0, &(0x7f0000000000)={0x18, 0x0, {0xffff, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x34}, 'hsr0\x00'}}, 0x1e)
socket(0x2, 0x80805, 0x0) (async)
r1 = socket(0x2, 0x80805, 0x0)
getsockopt$bt_hci(r1, 0x84, 0x83, 0x0, &(0x7f0000001080)) (async)
getsockopt$bt_hci(r1, 0x84, 0x83, 0x0, &(0x7f0000001080))
sendmmsg(r0, &(0x7f0000001cc0), 0x400000000000026, 0x0) (async)
sendmmsg(r0, &(0x7f0000001cc0), 0x400000000000026, 0x0)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = socket(0x10, 0x3, 0x0)
r4 = socket(0x10, 0x803, 0x0)
r5 = socket(0x10, 0x803, 0x0)
syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), r5)
r6 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000140)={'batadv_slave_1\x00'})
getsockname$packet(r5, &(0x7f0000000080)={0x11, 0x0, <r7=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$nl_route_sched(r3, &(0x7f0000005840)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f0000001240)=@newqdisc={0x78, 0x24, 0x5820a61ca228651, 0xfffffffc, 0x0, {0x0, 0x0, 0x0, r7, {}, {0xffff, 0xffff}, {0xf}}, [@qdisc_kind_options=@q_sfq={{0x8}, {0x4c, 0x2, {{}, 0x0, 0xfffffffc, 0x0, 0x0, 0x0, 0x0, 0x4}}}]}, 0x78}}, 0x0)
sendmsg$nl_route_sched(r4, &(0x7f0000006040)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)=@newtfilter={0x24, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {0x5, 0xb}, {0x7, 0xb}}}, 0x24}}, 0x20000000)
r8 = getuid()
setsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f0000000040)={{{@in=@remote, @in=@private=0x7, 0x4e23, 0x9, 0x4e20, 0x0, 0x2, 0x20, 0x0, 0x0, r7, r8}, {0x80000001, 0x0, 0x9, 0x0, 0x9, 0x7f, 0x4, 0x2}, {0x6d69, 0x9, 0x5}, 0x824, 0x6e6bb3, 0x2, 0x1, 0x2}, {{@in=@local, 0x4d3, 0x6c}, 0x2, @in6=@private1, 0x3502, 0x4, 0x1, 0xc, 0x1ff, 0x0, 0x4}}, 0xe8) (async)
setsockopt$inet_IP_IPSEC_POLICY(r1, 0x0, 0x10, &(0x7f0000000040)={{{@in=@remote, @in=@private=0x7, 0x4e23, 0x9, 0x4e20, 0x0, 0x2, 0x20, 0x0, 0x0, r7, r8}, {0x80000001, 0x0, 0x9, 0x0, 0x9, 0x7f, 0x4, 0x2}, {0x6d69, 0x9, 0x5}, 0x824, 0x6e6bb3, 0x2, 0x1, 0x2}, {{@in=@local, 0x4d3, 0x6c}, 0x2, @in6=@private1, 0x3502, 0x4, 0x1, 0xc, 0x1ff, 0x0, 0x4}}, 0xe8)
socket$packet(0x11, 0x2, 0x300) (async)
r9 = socket$packet(0x11, 0x2, 0x300)
ioctl$sock_SIOCGIFINDEX(r9, 0x8933, &(0x7f0000000000)={'netdevsim0\x00', <r10=>0x0})
sendmsg$nl_route(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000980)=ANY=[@ANYBLOB="44000000100001001000"/20, @ANYRES32=r10, @ANYBLOB="00000000000000001c001a8018000a80140007000000000000000000000000000000000008000400e5000000"], 0x44}}, 0x0) (async)
sendmsg$nl_route(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000440)={&(0x7f0000000980)=ANY=[@ANYBLOB="44000000100001001000"/20, @ANYRES32=r10, @ANYBLOB="00000000000000001c001a8018000a80140007000000000000000000000000000000000008000400e5000000"], 0x44}}, 0x0)

[   68.144908][ T4670] Bluetooth: hci0: command tx timeout
[   68.170967][ T5323] hsr_slave_0: hsr_addr_subst_dest: Unknown node
[   68.173654][ T5323] hsr_slave_1: hsr_addr_subst_dest: Unknown node
[   68.209862][ T5324] hsr_slave_0: hsr_addr_subst_dest: Unknown node
[   68.212525][ T5324] hsr_slave_1: hsr_addr_subst_dest: Unknown node
[   68.221978][ T5323] hsr_slave_0: hsr_addr_subst_dest: Unknown node
[   68.224512][ T5323] hsr_slave_1: hsr_addr_subst_dest: Unknown node
[   68.232482][ T5324] hsr_slave_0: hsr_addr_subst_dest: Unknown node
[   68.235118][ T5324] hsr_slave_1: hsr_addr_subst_dest: Unknown node
[   68.239527][ T5323] hsr_slave_0: hsr_addr_subst_dest: Unknown node
[   68.241995][ T5323] hsr_slave_1: hsr_addr_subst_dest: Unknown node
[   68.322405][ T5324] 
[   68.323449][ T5324] =====================================
[   68.325718][ T5324] WARNING: bad unlock balance detected!
[   68.327966][ T5324] 6.15.0-rc1-syzkaller-00060-ga24588245776 #0 Not tainted
[   68.331227][ T5324] -------------------------------------
[   68.333441][ T5324] syz.0.0/5324 is trying to release lock (&dev_instance_lock_key) at:
[   68.336522][ T5324] [<ffffffff89f4a276>] do_setlink+0xc26/0x43a0
[   68.338958][ T5324] but there are no more locks to release!
[   68.341642][ T5324] 
[   68.341642][ T5324] other info that might help us debug this:
[   68.344713][ T5324] 1 lock held by syz.0.0/5324:
[   68.346541][ T5324]  #0: ffffffff900fd3c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0xd68/0x1fe0
[   68.349904][ T5324] 
[   68.349904][ T5324] stack backtrace:
[   68.352186][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc1-syzkaller-00060-ga24588245776 #0 PREEMPT(full) 
[   68.352200][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   68.352216][ T5324] Call Trace:
[   68.352223][ T5324]  <TASK>
[   68.352229][ T5324]  dump_stack_lvl+0x241/0x360
[   68.352248][ T5324]  ? __pfx_dump_stack_lvl+0x10/0x10
[   68.352262][ T5324]  ? __pfx__printk+0x10/0x10
[   68.352275][ T5324]  ? print_lock+0x171/0x1a0
[   68.352288][ T5324]  ? do_setlink+0xc26/0x43a0
[   68.352302][ T5324]  print_unlock_imbalance_bug+0x185/0x1a0
[   68.352326][ T5324]  lock_release+0x1ed/0x3e0
[   68.352337][ T5324]  ? do_setlink+0xc26/0x43a0
[   68.352350][ T5324]  ? do_setlink+0xc26/0x43a0
[   68.352364][ T5324]  __mutex_unlock_slowpath+0xee/0x800
[   68.352377][ T5324]  ? validate_linkmsg+0x70e/0xa40
[   68.352389][ T5324]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   68.352401][ T5324]  ? __pfx_validate_linkmsg+0x10/0x10
[   68.352412][ T5324]  ? rcu_is_watching+0x15/0xb0
[   68.352426][ T5324]  do_setlink+0xc26/0x43a0
[   68.352442][ T5324]  ? stack_trace_save+0x11a/0x1d0
[   68.352456][ T5324]  ? __lock_acquire+0xad5/0xd80
[   68.352466][ T5324]  ? do_raw_spin_lock+0x151/0x370
[   68.352479][ T5324]  ? __pfx_do_setlink+0x10/0x10
[   68.352496][ T5324]  ? _raw_spin_unlock_irqrestore+0x90/0x140
[   68.352506][ T5324]  ? lockdep_hardirqs_on+0x9d/0x150
[   68.352517][ T5324]  ? _raw_spin_unlock_irqrestore+0xde/0x140
[   68.352527][ T5324]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   68.352539][ T5324]  ? rcu_is_watching+0x15/0xb0
[   68.352551][ T5324]  ? __mutex_lock+0xbe3/0x10c0
[   68.352564][ T5324]  ? __mutex_lock+0x5f3/0x10c0
[   68.352576][ T5324]  ? rtnl_newlink+0xd68/0x1fe0
[   68.352589][ T5324]  ? __pfx___mutex_lock+0x10/0x10
[   68.352602][ T5324]  ? ns_capable+0x8a/0xf0
[   68.352611][ T5324]  ? rtnl_link_get_net_capable+0x168/0x340
[   68.352626][ T5324]  rtnl_newlink+0x17e2/0x1fe0
[   68.352664][ T5324]  ? stack_depot_save_flags+0x44/0x940
[   68.352717][ T5324]  ? __pfx_rtnl_newlink+0x10/0x10
[   68.352730][ T5324]  ? __netlink_deliver_tap+0x561/0x7f0
[   68.352743][ T5324]  ? netlink_deliver_tap+0x19d/0x1b0
[   68.352754][ T5324]  ? netlink_unicast+0x7c6/0x9a0
[   68.352765][ T5324]  ? netlink_sendmsg+0x8c3/0xcd0
[   68.352777][ T5324]  ? __sock_sendmsg+0x221/0x270
[   68.352789][ T5324]  ? ____sys_sendmsg+0x523/0x860
[   68.352799][ T5324]  ? __sys_sendmsg+0x271/0x360
[   68.352808][ T5324]  ? do_syscall_64+0xf3/0x230
[   68.352819][ T5324]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.352836][ T5324]  ? kasan_quarantine_put+0xdc/0x230
[   68.352847][ T5324]  ? lockdep_hardirqs_on+0x9d/0x150
[   68.352858][ T5324]  ? nlmon_xmit+0xaf/0x100
[   68.352874][ T5324]  ? __local_bh_enable_ip+0x168/0x200
[   68.352884][ T5324]  ? lockdep_hardirqs_on+0x9d/0x150
[   68.352895][ T5324]  ? aa_get_newest_label+0x101/0x6f0
[   68.352911][ T5324]  ? __lock_acquire+0xad5/0xd80
[   68.352924][ T5324]  ? __pfx_rtnl_newlink+0x10/0x10
[   68.352937][ T5324]  rtnetlink_rcv_msg+0x80f/0xd70
[   68.352950][ T5324]  ? rtnetlink_rcv_msg+0x1ba/0xd70
[   68.352964][ T5324]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   68.352978][ T5324]  ? ref_tracker_free+0x63e/0x7e0
[   68.352991][ T5324]  netlink_rcv_skb+0x208/0x480
[   68.353005][ T5324]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
[   68.353018][ T5324]  ? __pfx_netlink_rcv_skb+0x10/0x10
[   68.353034][ T5324]  ? netlink_deliver_tap+0x2e/0x1b0
[   68.353047][ T5324]  ? netlink_deliver_tap+0x2e/0x1b0
[   68.353061][ T5324]  netlink_unicast+0x7f8/0x9a0
[   68.353074][ T5324]  ? __pfx_netlink_unicast+0x10/0x10
[   68.353087][ T5324]  ? skb_put+0x114/0x1f0
[   68.353097][ T5324]  netlink_sendmsg+0x8c3/0xcd0
[   68.353112][ T5324]  ? __pfx_netlink_sendmsg+0x10/0x10
[   68.353126][ T5324]  ? aa_sock_msg_perm+0x91/0x160
[   68.353140][ T5324]  ? __pfx_netlink_sendmsg+0x10/0x10
[   68.353153][ T5324]  __sock_sendmsg+0x221/0x270
[   68.353166][ T5324]  ____sys_sendmsg+0x523/0x860
[   68.353178][ T5324]  ? __pfx_____sys_sendmsg+0x10/0x10
[   68.353187][ T5324]  ? __fget_files+0x2a/0x420
[   68.353197][ T5324]  ? __fget_files+0x2a/0x420
[   68.353214][ T5324]  __sys_sendmsg+0x271/0x360
[   68.353223][ T5324]  ? __lock_acquire+0xad5/0xd80
[   68.353234][ T5324]  ? __pfx___sys_sendmsg+0x10/0x10
[   68.353255][ T5324]  ? do_syscall_64+0xb6/0x230
[   68.353268][ T5324]  do_syscall_64+0xf3/0x230
[   68.353279][ T5324]  ? clear_bhb_loop+0x45/0xa0
[   68.353287][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.353297][ T5324] RIP: 0033:0x7f735958d169
[   68.353308][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   68.353316][ T5324] RSP: 002b:00007f735a47e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   68.353328][ T5324] RAX: ffffffffffffffda RBX: 00007f73597a6080 RCX: 00007f735958d169
[   68.353335][ T5324] RDX: 0000000000000000 RSI: 00002000000001c0 RDI: 0000000000000006
[   68.353341][ T5324] RBP: 00007f735960e2a0 R08: 0000000000000000 R09: 0000000000000000
[   68.353348][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   68.353354][ T5324] R13: 0000000000000000 R14: 00007f73597a6080 R15: 00007ffca518b398
[   68.353365][ T5324]  </TASK>