======================================================
WARNING: possible circular locking dependency detected
6.14.0-rc7-syzkaller-gb5737d35364f #0 Not tainted
------------------------------------------------------
syz.2.333/8207 is trying to acquire lock:
ffff0000d2208768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: class_wiphy_constructor include/net/cfg80211.h:6061 [inline]
ffff0000d2208768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ieee80211_change_mac+0xd0/0xf74 net/mac80211/iface.c:307

but task is already holding lock:
ffff800092b6a490 (dev_addr_sem){++++}-{4:4}, at: dev_set_mac_address_user+0x34/0x68 net/core/dev.c:9533

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (dev_addr_sem){++++}-{4:4}:
       down_read+0x58/0x2fc kernel/locking/rwsem.c:1524
       address_show+0x2c/0x228 net/core/net-sysfs.c:184
       dev_attr_show+0x60/0xcc drivers/base/core.c:2424
       sysfs_kf_seq_show+0x2d0/0x43c fs/sysfs/file.c:59
       kernfs_seq_show+0x150/0x1fc fs/kernfs/file.c:205
       seq_read_iter+0x3e0/0xc44 fs/seq_file.c:230
       kernfs_fop_read_iter+0x144/0x5c8 fs/kernfs/file.c:279
       new_sync_read fs/read_write.c:484 [inline]
       vfs_read+0x698/0x974 fs/read_write.c:565
       ksys_read+0x15c/0x26c fs/read_write.c:708
       __do_sys_read fs/read_write.c:717 [inline]
       __se_sys_read fs/read_write.c:715 [inline]
       __arm64_sys_read+0x7c/0x90 fs/read_write.c:715
       __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
       invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
       el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
       do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
       el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
       el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
       el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

-> #1 (kn->active#12){++++}-{0:0}:
       kernfs_drain+0x29c/0x5d0 fs/kernfs/dir.c:500
       __kernfs_remove+0x3d4/0x7b0 fs/kernfs/dir.c:1487
       kernfs_remove_by_name_ns+0xe4/0x188 fs/kernfs/dir.c:1695
       kernfs_remove_by_name include/linux/kernfs.h:625 [inline]
       remove_files fs/sysfs/group.c:28 [inline]
       sysfs_remove_group+0xf8/0x29c fs/sysfs/group.c:322
       sysfs_remove_groups+0x5c/0xb4 fs/sysfs/group.c:346
       device_remove_groups drivers/base/core.c:2820 [inline]
       device_remove_attrs+0x1f8/0x250 drivers/base/core.c:2956
       device_del+0x478/0x828 drivers/base/core.c:3854
       netdev_unregister_kobject+0x150/0x208 net/core/net-sysfs.c:2142
       unregister_netdevice_many_notify+0x1630/0x1c7c net/core/dev.c:11923
       unregister_netdevice_many net/core/dev.c:11951 [inline]
       unregister_netdevice_queue+0x2d8/0x324 net/core/dev.c:11821
       unregister_netdevice include/linux/netdevice.h:3337 [inline]
       _cfg80211_unregister_wdev+0x15c/0x530 net/wireless/core.c:1255
       cfg80211_unregister_wdev+0x24/0x34 net/wireless/core.c:1311
       ieee80211_remove_interfaces+0x40c/0x5cc net/mac80211/iface.c:2306
       ieee80211_unregister_hw+0x60/0x29c net/mac80211/main.c:1681
       mac80211_hwsim_del_radio+0x220/0x3e4 drivers/net/wireless/virtual/mac80211_hwsim.c:5664
       remove_user_radios drivers/net/wireless/virtual/mac80211_hwsim.c:6464 [inline]
       mac80211_hwsim_netlink_notify+0x500/0x7c4 drivers/net/wireless/virtual/mac80211_hwsim.c:6478
       notifier_call_chain+0x1c4/0x550 kernel/notifier.c:85
       blocking_notifier_call_chain+0x70/0xa0 kernel/notifier.c:380
       netlink_release+0xf74/0x192c net/netlink/af_netlink.c:764
       __sock_release net/socket.c:647 [inline]
       sock_close+0xa4/0x1e8 net/socket.c:1398
       __fput+0x340/0x760 fs/file_table.c:464
       ____fput+0x20/0x30 fs/file_table.c:492
       task_work_run+0x230/0x2e0 kernel/task_work.c:227
       resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
       do_notify_resume+0x178/0x1f4 arch/arm64/kernel/entry-common.c:151
       exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
       exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
       el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:745
       el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
       el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

-> #0 (&rdev->wiphy.mtx){+.+.}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3163 [inline]
       check_prevs_add kernel/locking/lockdep.c:3282 [inline]
       validate_chain kernel/locking/lockdep.c:3906 [inline]
       __lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5228
       lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5851
       __mutex_lock_common+0x1f0/0x24b8 kernel/locking/mutex.c:585
       __mutex_lock kernel/locking/mutex.c:730 [inline]
       mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:782
       class_wiphy_constructor include/net/cfg80211.h:6061 [inline]
       ieee80211_change_mac+0xd0/0xf74 net/mac80211/iface.c:307
       dev_set_mac_address+0x1f4/0x430 net/core/dev.c:9515
       dev_set_mac_address_user+0x44/0x68 net/core/dev.c:9534
       do_setlink+0x6c8/0x36c0 net/core/rtnetlink.c:3073
       rtnl_setlink+0x784/0xa58 net/core/rtnetlink.c:3430
       rtnetlink_rcv_msg+0x670/0xa9c net/core/rtnetlink.c:6912
       netlink_rcv_skb+0x234/0x408 net/netlink/af_netlink.c:2533
       rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6939
       netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
       netlink_unicast+0x668/0x8a4 net/netlink/af_netlink.c:1338
       netlink_sendmsg+0x7b4/0xa9c net/netlink/af_netlink.c:1882
       sock_sendmsg_nosec net/socket.c:718 [inline]
       __sock_sendmsg net/socket.c:733 [inline]
       ____sys_sendmsg+0x570/0x87c net/socket.c:2573
       ___sys_sendmsg net/socket.c:2627 [inline]
       __sys_sendmsg+0x238/0x304 net/socket.c:2659
       __do_sys_sendmsg net/socket.c:2664 [inline]
       __se_sys_sendmsg net/socket.c:2662 [inline]
       __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2662
       __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
       invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
       el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
       do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
       el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
       el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
       el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

other info that might help us debug this:

Chain exists of:
  &rdev->wiphy.mtx --> kn->active#12 --> dev_addr_sem

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(dev_addr_sem);
                               lock(kn->active#12);
                               lock(dev_addr_sem);
  lock(&rdev->wiphy.mtx);

 *** DEADLOCK ***

2 locks held by syz.2.333/8207:
 #0: ffff800092b72ce8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
 #0: ffff800092b72ce8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:335 [inline]
 #0: ffff800092b72ce8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_setlink+0x63c/0xa58 net/core/rtnetlink.c:3420
 #1: ffff800092b6a490 (dev_addr_sem){++++}-{4:4}, at: dev_set_mac_address_user+0x34/0x68 net/core/dev.c:9533

stack backtrace:
CPU: 0 UID: 0 PID: 8207 Comm: syz.2.333 Not tainted 6.14.0-rc7-syzkaller-gb5737d35364f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 print_circular_bug+0x154/0x1c0 kernel/locking/lockdep.c:2076
 check_noncircular+0x310/0x404 kernel/locking/lockdep.c:2208
 check_prev_add kernel/locking/lockdep.c:3163 [inline]
 check_prevs_add kernel/locking/lockdep.c:3282 [inline]
 validate_chain kernel/locking/lockdep.c:3906 [inline]
 __lock_acquire+0x34f0/0x7904 kernel/locking/lockdep.c:5228
 lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5851
 __mutex_lock_common+0x1f0/0x24b8 kernel/locking/mutex.c:585
 __mutex_lock kernel/locking/mutex.c:730 [inline]
 mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:782
 class_wiphy_constructor include/net/cfg80211.h:6061 [inline]
 ieee80211_change_mac+0xd0/0xf74 net/mac80211/iface.c:307
 dev_set_mac_address+0x1f4/0x430 net/core/dev.c:9515
 dev_set_mac_address_user+0x44/0x68 net/core/dev.c:9534
 do_setlink+0x6c8/0x36c0 net/core/rtnetlink.c:3073
 rtnl_setlink+0x784/0xa58 net/core/rtnetlink.c:3430
 rtnetlink_rcv_msg+0x670/0xa9c net/core/rtnetlink.c:6912
 netlink_rcv_skb+0x234/0x408 net/netlink/af_netlink.c:2533
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6939
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x668/0x8a4 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x7b4/0xa9c net/netlink/af_netlink.c:1882
 sock_sendmsg_nosec net/socket.c:718 [inline]
 __sock_sendmsg net/socket.c:733 [inline]
 ____sys_sendmsg+0x570/0x87c net/socket.c:2573
 ___sys_sendmsg net/socket.c:2627 [inline]
 __sys_sendmsg+0x238/0x304 net/socket.c:2659
 __do_sys_sendmsg net/socket.c:2664 [inline]
 __se_sys_sendmsg net/socket.c:2662 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2662
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600