------------[ cut here ]------------ WARNING: CPU: 1 PID: 4510 at kernel/softirq.c:376 __local_bh_enable_ip+0x28c/0x470 kernel/softirq.c:376 Modules linked in: CPU: 1 PID: 4510 Comm: syz.0.58 Not tainted 6.1.108-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __local_bh_enable_ip+0x28c/0x470 kernel/softirq.c:376 lr : local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33 sp : ffff800020d66d40 x29: ffff800020d66d50 x28: ffff0000ee898cf0 x27: ffff0000cfd43c00 x26: dfff800000000000 x25: ffff800015938240 x24: 0000000000000000 x23: 1fffe0001a332379 x22: dfff800000000000 x21: ffff800010566afc x20: 0000000000000200 x19: ffff0000d1991bc8 x18: ffff800020d665a0 x17: ffff800018aa4000 x16: ffff8000081c6f2c x15: ffff800008a92de4 x14: ffff8000104dd77c x13: ffff80001228a004 x12: 0000000000040000 x11: 00000000000365fa x10: ffff800021d0a000 x9 : 0000000000000000 x8 : 0000000100000201 x7 : ffff800008061c64 x6 : ffff800008061e74 x5 : ffff0000cde72fc8 x4 : ffff800020d66a40 x3 : ffff80000831e428 x2 : 0000000000000001 x1 : 0000000000000200 x0 : ffff800010566afc Call trace: __local_bh_enable_ip+0x28c/0x470 kernel/softirq.c:376 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33 rcu_read_unlock_bh include/linux/rcupdate.h:861 [inline] __dev_queue_xmit+0x1a68/0x38d8 net/core/dev.c:4320 dev_queue_xmit include/linux/netdevice.h:3021 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline] __netlink_deliver_tap+0x464/0x6e4 net/netlink/af_netlink.c:325 netlink_deliver_tap+0x1ac/0x1b0 net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1270 [inline] netlink_broadcast_deliver net/netlink/af_netlink.c:1403 [inline] do_one_broadcast net/netlink/af_netlink.c:1481 [inline] netlink_broadcast+0x9bc/0xff4 net/netlink/af_netlink.c:1521 nlmsg_multicast include/net/netlink.h:1071 [inline] genlmsg_multicast_netns+0xa8/0xf0 
include/net/genetlink.h:333 nl80211_frame_tx_status+0x7c8/0xe54 net/wireless/nl80211.c:18624 cfg80211_mgmt_tx_status_ext+0x38/0x4c net/wireless/nl80211.c:18651 ieee80211_report_ack_skb net/mac80211/status.c:680 [inline] ieee80211_report_used_skb+0x1258/0x17b4 net/mac80211/status.c:763 ieee80211_free_txskb+0x30/0x4c net/mac80211/status.c:1284 ieee80211_do_stop+0xe88/0x1994 net/mac80211/iface.c:667 ieee80211_runtime_change_iftype net/mac80211/iface.c:1926 [inline] ieee80211_if_change_type+0x478/0xcf4 net/mac80211/iface.c:1964 ieee80211_change_iface+0x6c/0x418 net/mac80211/cfg.c:217 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline] cfg80211_change_iface+0x844/0x11ac net/wireless/util.c:1159 cfg80211_wext_siwmode net/wireless/wext-compat.c:66 [inline] __cfg80211_wext_siwmode+0x184/0x240 net/wireless/wext-compat.c:1599 ioctl_standard_call+0xe8/0x264 net/wireless/wext-core.c:1026 wext_ioctl_dispatch+0x16c/0x3ec net/wireless/wext-core.c:997 wext_handle_ioctl+0x1f8/0x3f4 net/wireless/wext-core.c:1058 sock_ioctl+0x140/0x858 net/socket.c:1255 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 irq event stamp: 3175 hardirqs last enabled at (3173): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (3173): [] _raw_spin_unlock_irqrestore+0x48/0xac kernel/locking/spinlock.c:194 hardirqs last disabled at (3174): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (3174): 
[] _raw_spin_lock_irqsave+0xa4/0xb4 kernel/locking/spinlock.c:162 softirqs last enabled at (3122): [] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (3122): [] netif_addr_unlock_bh include/linux/netdevice.h:4467 [inline] softirqs last enabled at (3122): [] ieee80211_do_stop+0x504/0x1994 net/mac80211/iface.c:542 softirqs last disabled at (3175): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 ---[ end trace 0000000000000000 ]--- ======================================================== WARNING: possible irq lock inversion dependency detected 6.1.108-syzkaller #0 Tainted: G W -------------------------------------------------------- syz.0.58/4510 just changed the state of lock: ffff0000cdaf14f8 (&local->queue_stop_reason_lock){+.+.}-{2:2}, at: ieee80211_do_stop+0xcf0/0x1994 net/mac80211/iface.c:661 but this lock was taken by another, SOFTIRQ-safe lock in the past: (_xmit_ETHER#2){+.-.}-{2:2} and interrupts could create inverse lock ordering between them. 
other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&local->queue_stop_reason_lock);
                               local_irq_disable();
                               lock(_xmit_ETHER#2);
                               lock(&local->queue_stop_reason_lock);
  <Interrupt>
    lock(_xmit_ETHER#2);

 *** DEADLOCK ***

5 locks held by syz.0.58/4510:
 #0: ffff800017ff1688 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x20/0x2c net/core/rtnetlink.c:74
 #1: ffff0000cdaf07c8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:5639 [inline]
 #1: ffff0000cdaf07c8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: cfg80211_wext_siwmode net/wireless/wext-compat.c:65 [inline]
 #1: ffff0000cdaf07c8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: __cfg80211_wext_siwmode+0x170/0x240 net/wireless/wext-compat.c:1599
 #2: ffff0000cdaf14f8 (&local->queue_stop_reason_lock){+.+.}-{2:2}, at: ieee80211_do_stop+0xcf0/0x1994 net/mac80211/iface.c:661
 #3: ffff800015ba4ee0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
 #4: ffff800015ba4ee0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
the shortest dependencies between 2nd lock and 1st lock: -> (_xmit_ETHER#2){+.-.}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __netif_tx_lock include/linux/netdevice.h:4304 [inline] netif_freeze_queues net/sched/sch_generic.c:459 [inline] netif_tx_lock+0x9c/0x1d8 net/sched/sch_generic.c:468 netif_tx_lock_bh include/linux/netdevice.h:4388 [inline] dev_watchdog_down net/sched/sch_generic.c:564 [inline] dev_deactivate_many+0x274/0xa8c net/sched/sch_generic.c:1353 dev_deactivate+0x13c/0x1fc net/sched/sch_generic.c:1387 linkwatch_do_dev+0x29c/0x3a4 net/core/link_watch.c:166 __linkwatch_run_queue+0x3a0/0x700 net/core/link_watch.c:221 linkwatch_event+0x58/0x68 net/core/link_watch.c:264 
process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439 kthread+0x250/0x2d8 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864 IN-SOFTIRQ-W at: lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __netif_tx_lock include/linux/netdevice.h:4304 [inline] sch_direct_xmit+0x164/0x548 net/sched/sch_generic.c:340 __dev_xmit_skb net/core/dev.c:3854 [inline] __dev_queue_xmit+0x1658/0x38d8 net/core/dev.c:4259 dev_queue_xmit include/linux/netdevice.h:3021 [inline] lapbeth_data_transmit+0x1e0/0x298 drivers/net/wan/lapbether.c:259 lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447 lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149 lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251 lapb_t1timer_expiry+0x4f4/0x8bc call_timer_fn+0x1c0/0xa1c kernel/time/timer.c:1504 expire_timers kernel/time/timer.c:1549 [inline] __run_timers+0x554/0x718 kernel/time/timer.c:1820 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1833 handle_softirqs+0x318/0xd58 kernel/softirq.c:571 __do_softirq+0x14/0x20 kernel/softirq.c:605 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:893 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85 invoke_softirq kernel/softirq.c:452 [inline] __irq_exit_rcu+0x264/0x4d4 kernel/softirq.c:654 irq_exit_rcu+0x14/0x84 kernel/softirq.c:666 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline] el1_interrupt+0x38/0x68 arch/arm64/kernel/entry-common.c:486 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581 arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35 default_idle_call+0x68/0xdc kernel/sched/idle.c:109 cpuidle_idle_call kernel/sched/idle.c:191 [inline] do_idle+0x1e0/0x514 
kernel/sched/idle.c:303 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:401 rest_init+0x2d8/0x2f0 init/main.c:733 start_kernel+0x0/0x608 init/main.c:893 start_kernel+0x448/0x608 init/main.c:1140 __primary_switched+0xb8/0xc0 arch/arm64/kernel/head.S:468 INITIAL USE at: lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x54/0x6c kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] __netif_tx_lock include/linux/netdevice.h:4304 [inline] netif_freeze_queues net/sched/sch_generic.c:459 [inline] netif_tx_lock+0x9c/0x1d8 net/sched/sch_generic.c:468 netif_tx_lock_bh include/linux/netdevice.h:4388 [inline] dev_watchdog_down net/sched/sch_generic.c:564 [inline] dev_deactivate_many+0x274/0xa8c net/sched/sch_generic.c:1353 dev_deactivate+0x13c/0x1fc net/sched/sch_generic.c:1387 linkwatch_do_dev+0x29c/0x3a4 net/core/link_watch.c:166 __linkwatch_run_queue+0x3a0/0x700 net/core/link_watch.c:221 linkwatch_event+0x58/0x68 net/core/link_watch.c:264 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439 kthread+0x250/0x2d8 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864 } ... key at: [] netdev_xmit_lock_key+0x10/0x480 ... 
acquired at: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x6c/0xb4 kernel/locking/spinlock.c:162 ieee80211_tx_frags+0x138/0x700 net/mac80211/tx.c:1721 __ieee80211_tx+0x1b0/0x40c net/mac80211/tx.c:1820 ieee80211_tx+0x2c4/0x400 net/mac80211/tx.c:2000 ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2092 __ieee80211_subif_start_xmit+0xc88/0x2af8 net/mac80211/tx.c:4265 ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4457 __netdev_start_xmit include/linux/netdevice.h:4853 [inline] netdev_start_xmit include/linux/netdevice.h:4867 [inline] xmit_one net/core/dev.c:3627 [inline] dev_hard_start_xmit+0x25c/0x9a4 net/core/dev.c:3643 sch_direct_xmit+0x234/0x548 net/sched/sch_generic.c:342 __dev_xmit_skb net/core/dev.c:3854 [inline] __dev_queue_xmit+0x1658/0x38d8 net/core/dev.c:4259 dev_queue_xmit include/linux/netdevice.h:3021 [inline] neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563 neigh_output include/net/neighbour.h:544 [inline] ip6_finish_output2+0xdb8/0x1b54 net/ipv6/ip6_output.c:138 __ip6_finish_output net/ipv6/ip6_output.c:205 [inline] ip6_finish_output+0x5a4/0x940 net/ipv6/ip6_output.c:216 NF_HOOK_COND include/linux/netfilter.h:291 [inline] ip6_output+0x274/0x594 net/ipv6/ip6_output.c:237 dst_output include/net/dst.h:444 [inline] NF_HOOK+0x160/0x4f0 include/linux/netfilter.h:302 mld_sendpack+0x90c/0x1364 net/ipv6/mcast.c:1820 mld_send_cr net/ipv6/mcast.c:2121 [inline] mld_ifc_work+0x848/0xc20 net/ipv6/mcast.c:2653 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439 kthread+0x250/0x2d8 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864 -> (&local->queue_stop_reason_lock){+.+.}-{2:2} { HARDIRQ-ON-W at: trace_hardirqs_on+0x184/0x2d4 kernel/trace/trace_preemptirq.c:49 __local_bh_enable_ip+0x230/0x470 kernel/softirq.c:401 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33 rcu_read_unlock_bh include/linux/rcupdate.h:861 [inline] 
__dev_queue_xmit+0x1a68/0x38d8 net/core/dev.c:4320 dev_queue_xmit include/linux/netdevice.h:3021 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline] __netlink_deliver_tap+0x464/0x6e4 net/netlink/af_netlink.c:325 netlink_deliver_tap+0x1ac/0x1b0 net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1270 [inline] netlink_broadcast_deliver net/netlink/af_netlink.c:1403 [inline] do_one_broadcast net/netlink/af_netlink.c:1481 [inline] netlink_broadcast+0x9bc/0xff4 net/netlink/af_netlink.c:1521 nlmsg_multicast include/net/netlink.h:1071 [inline] genlmsg_multicast_netns+0xa8/0xf0 include/net/genetlink.h:333 nl80211_frame_tx_status+0x7c8/0xe54 net/wireless/nl80211.c:18624 cfg80211_mgmt_tx_status_ext+0x38/0x4c net/wireless/nl80211.c:18651 ieee80211_report_ack_skb net/mac80211/status.c:680 [inline] ieee80211_report_used_skb+0x1258/0x17b4 net/mac80211/status.c:763 ieee80211_free_txskb+0x30/0x4c net/mac80211/status.c:1284 ieee80211_do_stop+0xe88/0x1994 net/mac80211/iface.c:667 ieee80211_runtime_change_iftype net/mac80211/iface.c:1926 [inline] ieee80211_if_change_type+0x478/0xcf4 net/mac80211/iface.c:1964 ieee80211_change_iface+0x6c/0x418 net/mac80211/cfg.c:217 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline] cfg80211_change_iface+0x844/0x11ac net/wireless/util.c:1159 cfg80211_wext_siwmode net/wireless/wext-compat.c:66 [inline] __cfg80211_wext_siwmode+0x184/0x240 net/wireless/wext-compat.c:1599 ioctl_standard_call+0xe8/0x264 net/wireless/wext-core.c:1026 wext_ioctl_dispatch+0x16c/0x3ec net/wireless/wext-core.c:997 wext_handle_ioctl+0x1f8/0x3f4 net/wireless/wext-core.c:1058 sock_ioctl+0x140/0x858 net/socket.c:1255 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 
arch/arm64/kernel/syscall.c:140 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 SOFTIRQ-ON-W at: trace_hardirqs_on+0x184/0x2d4 kernel/trace/trace_preemptirq.c:49 __local_bh_enable_ip+0x230/0x470 kernel/softirq.c:401 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33 rcu_read_unlock_bh include/linux/rcupdate.h:861 [inline] __dev_queue_xmit+0x1a68/0x38d8 net/core/dev.c:4320 dev_queue_xmit include/linux/netdevice.h:3021 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline] __netlink_deliver_tap+0x464/0x6e4 net/netlink/af_netlink.c:325 netlink_deliver_tap+0x1ac/0x1b0 net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1270 [inline] netlink_broadcast_deliver net/netlink/af_netlink.c:1403 [inline] do_one_broadcast net/netlink/af_netlink.c:1481 [inline] netlink_broadcast+0x9bc/0xff4 net/netlink/af_netlink.c:1521 nlmsg_multicast include/net/netlink.h:1071 [inline] genlmsg_multicast_netns+0xa8/0xf0 include/net/genetlink.h:333 nl80211_frame_tx_status+0x7c8/0xe54 net/wireless/nl80211.c:18624 cfg80211_mgmt_tx_status_ext+0x38/0x4c net/wireless/nl80211.c:18651 ieee80211_report_ack_skb net/mac80211/status.c:680 [inline] ieee80211_report_used_skb+0x1258/0x17b4 net/mac80211/status.c:763 ieee80211_free_txskb+0x30/0x4c net/mac80211/status.c:1284 ieee80211_do_stop+0xe88/0x1994 net/mac80211/iface.c:667 ieee80211_runtime_change_iftype net/mac80211/iface.c:1926 [inline] ieee80211_if_change_type+0x478/0xcf4 net/mac80211/iface.c:1964 ieee80211_change_iface+0x6c/0x418 net/mac80211/cfg.c:217 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline] cfg80211_change_iface+0x844/0x11ac net/wireless/util.c:1159 cfg80211_wext_siwmode net/wireless/wext-compat.c:66 [inline] __cfg80211_wext_siwmode+0x184/0x240 net/wireless/wext-compat.c:1599 
ioctl_standard_call+0xe8/0x264 net/wireless/wext-core.c:1026 wext_ioctl_dispatch+0x16c/0x3ec net/wireless/wext-core.c:997 wext_handle_ioctl+0x1f8/0x3f4 net/wireless/wext-core.c:1058 sock_ioctl+0x140/0x858 net/socket.c:1255 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 INITIAL USE at: lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x6c/0xb4 kernel/locking/spinlock.c:162 ieee80211_do_open+0x1948/0x280c net/mac80211/iface.c:1481 ieee80211_open+0x148/0x1e0 net/mac80211/iface.c:459 __dev_open+0x328/0x4fc net/core/dev.c:1457 __dev_change_flags+0x1a8/0x5a0 net/core/dev.c:8585 dev_change_flags+0x80/0x154 net/core/dev.c:8656 devinet_ioctl+0x858/0x17e4 net/ipv4/devinet.c:1146 inet_ioctl+0x2ac/0x4d8 net/ipv4/af_inet.c:1010 sock_do_ioctl+0x134/0x2dc net/socket.c:1204 sock_ioctl+0x4ec/0x858 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 } ... 
key at: [] ieee80211_alloc_hw_nm.__key.12+0x0/0x20 ... acquired at: mark_lock+0x258/0x360 kernel/locking/lockdep.c:4628 mark_held_locks kernel/locking/lockdep.c:4230 [inline] __trace_hardirqs_on_caller kernel/locking/lockdep.c:4256 [inline] lockdep_hardirqs_on_prepare+0x3e8/0x874 kernel/locking/lockdep.c:4315 trace_hardirqs_on+0x184/0x2d4 kernel/trace/trace_preemptirq.c:49 __local_bh_enable_ip+0x230/0x470 kernel/softirq.c:401 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33 rcu_read_unlock_bh include/linux/rcupdate.h:861 [inline] __dev_queue_xmit+0x1a68/0x38d8 net/core/dev.c:4320 dev_queue_xmit include/linux/netdevice.h:3021 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline] __netlink_deliver_tap+0x464/0x6e4 net/netlink/af_netlink.c:325 netlink_deliver_tap+0x1ac/0x1b0 net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1270 [inline] netlink_broadcast_deliver net/netlink/af_netlink.c:1403 [inline] do_one_broadcast net/netlink/af_netlink.c:1481 [inline] netlink_broadcast+0x9bc/0xff4 net/netlink/af_netlink.c:1521 nlmsg_multicast include/net/netlink.h:1071 [inline] genlmsg_multicast_netns+0xa8/0xf0 include/net/genetlink.h:333 nl80211_frame_tx_status+0x7c8/0xe54 net/wireless/nl80211.c:18624 cfg80211_mgmt_tx_status_ext+0x38/0x4c net/wireless/nl80211.c:18651 ieee80211_report_ack_skb net/mac80211/status.c:680 [inline] ieee80211_report_used_skb+0x1258/0x17b4 net/mac80211/status.c:763 ieee80211_free_txskb+0x30/0x4c net/mac80211/status.c:1284 ieee80211_do_stop+0xe88/0x1994 net/mac80211/iface.c:667 ieee80211_runtime_change_iftype net/mac80211/iface.c:1926 [inline] ieee80211_if_change_type+0x478/0xcf4 net/mac80211/iface.c:1964 ieee80211_change_iface+0x6c/0x418 net/mac80211/cfg.c:217 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline] cfg80211_change_iface+0x844/0x11ac net/wireless/util.c:1159 cfg80211_wext_siwmode net/wireless/wext-compat.c:66 [inline] __cfg80211_wext_siwmode+0x184/0x240 net/wireless/wext-compat.c:1599 
ioctl_standard_call+0xe8/0x264 net/wireless/wext-core.c:1026 wext_ioctl_dispatch+0x16c/0x3ec net/wireless/wext-core.c:997 wext_handle_ioctl+0x1f8/0x3f4 net/wireless/wext-core.c:1058 sock_ioctl+0x140/0x858 net/socket.c:1255 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 stack backtrace: CPU: 1 PID: 4510 Comm: syz.0.58 Tainted: G W 6.1.108-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call trace: dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106 dump_stack+0x1c/0x58 lib/dump_stack.c:113 print_irq_inversion_bug+0x330/0x388 kernel/locking/lockdep.c:4036 mark_lock_irq+0x8b0/0xd2c mark_lock+0x258/0x360 kernel/locking/lockdep.c:4628 mark_held_locks kernel/locking/lockdep.c:4230 [inline] __trace_hardirqs_on_caller kernel/locking/lockdep.c:4256 [inline] lockdep_hardirqs_on_prepare+0x3e8/0x874 kernel/locking/lockdep.c:4315 trace_hardirqs_on+0x184/0x2d4 kernel/trace/trace_preemptirq.c:49 __local_bh_enable_ip+0x230/0x470 kernel/softirq.c:401 local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33 rcu_read_unlock_bh include/linux/rcupdate.h:861 [inline] __dev_queue_xmit+0x1a68/0x38d8 net/core/dev.c:4320 dev_queue_xmit include/linux/netdevice.h:3021 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline] __netlink_deliver_tap+0x464/0x6e4 
net/netlink/af_netlink.c:325 netlink_deliver_tap+0x1ac/0x1b0 net/netlink/af_netlink.c:338 __netlink_sendskb net/netlink/af_netlink.c:1270 [inline] netlink_broadcast_deliver net/netlink/af_netlink.c:1403 [inline] do_one_broadcast net/netlink/af_netlink.c:1481 [inline] netlink_broadcast+0x9bc/0xff4 net/netlink/af_netlink.c:1521 nlmsg_multicast include/net/netlink.h:1071 [inline] genlmsg_multicast_netns+0xa8/0xf0 include/net/genetlink.h:333 nl80211_frame_tx_status+0x7c8/0xe54 net/wireless/nl80211.c:18624 cfg80211_mgmt_tx_status_ext+0x38/0x4c net/wireless/nl80211.c:18651 ieee80211_report_ack_skb net/mac80211/status.c:680 [inline] ieee80211_report_used_skb+0x1258/0x17b4 net/mac80211/status.c:763 ieee80211_free_txskb+0x30/0x4c net/mac80211/status.c:1284 ieee80211_do_stop+0xe88/0x1994 net/mac80211/iface.c:667 ieee80211_runtime_change_iftype net/mac80211/iface.c:1926 [inline] ieee80211_if_change_type+0x478/0xcf4 net/mac80211/iface.c:1964 ieee80211_change_iface+0x6c/0x418 net/mac80211/cfg.c:217 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline] cfg80211_change_iface+0x844/0x11ac net/wireless/util.c:1159 cfg80211_wext_siwmode net/wireless/wext-compat.c:66 [inline] __cfg80211_wext_siwmode+0x184/0x240 net/wireless/wext-compat.c:1599 ioctl_standard_call+0xe8/0x264 net/wireless/wext-core.c:1026 wext_ioctl_dispatch+0x16c/0x3ec net/wireless/wext-core.c:997 wext_handle_ioctl+0x1f8/0x3f4 net/wireless/wext-core.c:1058 sock_ioctl+0x140/0x858 net/socket.c:1255 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 ------------[ cut here ]------------ raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 1 PID: 4510 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x38/0x40 kernel/locking/irqflag-debug.c:10 Modules linked in: CPU: 1 PID: 4510 Comm: syz.0.58 Tainted: G W 6.1.108-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : warn_bogus_irq_restore+0x38/0x40 kernel/locking/irqflag-debug.c:10 lr : warn_bogus_irq_restore+0x38/0x40 kernel/locking/irqflag-debug.c:10 sp : ffff800020d67590 x29: ffff800020d67590 x28: ffff0000cdaf2060 x27: dfff800000000000 x26: 0000000000000058 x25: 000000000000000f x24: 0000000000000010 x23: ffff0000f0c46790 x22: 000000000000000f x21: 000000000000000f x20: ffff0000cdaf14e0 x19: 0000000000000000 x18: ffff800020d665a0 x17: 0000000000000000 x16: ffff8000121dbf80 x15: 0000000000000002 x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000040000 x11: 000000000003ffff x10: ffff800021d0a000 x9 : 8bc434c6f0095400 x8 : 8bc434c6f0095400 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff800020d66e78 x4 : ffff800015ab2d40 x3 : ffff80000834e1d8 x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000 Call trace: warn_bogus_irq_restore+0x38/0x40 kernel/locking/irqflag-debug.c:10 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] _raw_spin_unlock_irqrestore+0xa0/0xac kernel/locking/spinlock.c:194 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline] ieee80211_do_stop+0xfac/0x1994 net/mac80211/iface.c:671 ieee80211_runtime_change_iftype net/mac80211/iface.c:1926 [inline] ieee80211_if_change_type+0x478/0xcf4 net/mac80211/iface.c:1964 ieee80211_change_iface+0x6c/0x418 net/mac80211/cfg.c:217 rdev_change_virtual_intf net/wireless/rdev-ops.h:74 [inline] cfg80211_change_iface+0x844/0x11ac net/wireless/util.c:1159 
cfg80211_wext_siwmode net/wireless/wext-compat.c:66 [inline] __cfg80211_wext_siwmode+0x184/0x240 net/wireless/wext-compat.c:1599 ioctl_standard_call+0xe8/0x264 net/wireless/wext-core.c:1026 wext_ioctl_dispatch+0x16c/0x3ec net/wireless/wext-core.c:997 wext_handle_ioctl+0x1f8/0x3f4 net/wireless/wext-core.c:1058 sock_ioctl+0x140/0x858 net/socket.c:1255 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:856 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x64/0x218 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 irq event stamp: 3176 hardirqs last enabled at (3173): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (3173): [] _raw_spin_unlock_irqrestore+0x48/0xac kernel/locking/spinlock.c:194 hardirqs last disabled at (3174): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (3174): [] _raw_spin_lock_irqsave+0xa4/0xb4 kernel/locking/spinlock.c:162 softirqs last enabled at (3176): [] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32 softirqs last disabled at (3175): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19 ---[ end trace 0000000000000000 ]---