INFO: task syz.0.2416:18599 blocked for more than 143 seconds.
      Tainted: G     U              syzkaller #0
      Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.2416      state:D stack:23016 pid:18599 tgid:18599 ppid:17636  task_flags:0x40064c flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1190/0x5de0 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0xe7/0x3a0 kernel/sched/core.c:7058
 schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:100 [inline]
 __wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
 rcu_barrier kernel/rcu/tree.c:3883 [inline]
 rcu_barrier+0x330/0x6e0 kernel/rcu/tree.c:3804
 netdev_wait_allrefs_any net/core/dev.c:11381 [inline]
 netdev_run_todo+0xeba/0x1320 net/core/dev.c:11494
 tun_detach drivers/net/tun.c:640 [inline]
 tun_chr_close+0xea/0x230 drivers/net/tun.c:3433
 __fput+0x402/0xb70 fs/file_table.c:468
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x86f/0x2bf0 kernel/exit.c:961
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:40 [inline]
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 irqentry_exit_to_user_mode+0x12a/0x270 kernel/entry/common.c:73
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f6f1d58ebf1
RSP: 002b:ffffffffffffffff EFLAGS: 00010217
RAX: 0000000000000000 RBX: 00007f6f1d7c5fa0 RCX: 00007f6f1d58ebe9
RDX: 0000200000000400 RSI: ffffffffffffffff RDI: 0000000100000001
RBP: 00007f6f1d611e19 R08: 8000000000000000 R09: 0000000000000000
R10: 0000200000000440 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6f1d7c6038 R14: 00007f6f1d7c5fa0 R15: 00007ffe047f1218
 </TASK>
INFO: task syz-executor:18601 blocked for more than 143 seconds.
      Tainted: G     U              syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:24232 pid:18601 tgid:18601 ppid:1      task_flags:0x480140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1190/0x5de0 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0xe7/0x3a0 kernel/sched/core.c:7058
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115
 __mutex_lock_common kernel/locking/mutex.c:676 [inline]
 __mutex_lock+0x81b/0x1060 kernel/locking/mutex.c:760
 rcu_barrier+0x48/0x6e0 kernel/rcu/tree.c:3815
 netdev_wait_allrefs_any net/core/dev.c:11381 [inline]
 netdev_run_todo+0xeba/0x1320 net/core/dev.c:11494
 nsim_destroy+0x212/0x800 drivers/net/netdevsim/netdev.c:1147
 __nsim_dev_port_del+0x189/0x240 drivers/net/netdevsim/dev.c:1473
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1485 [inline]
 nsim_dev_reload_destroy+0x10a/0x4d0 drivers/net/netdevsim/dev.c:1707
 nsim_drv_remove+0x52/0x1d0 drivers/net/netdevsim/dev.c:1722
 device_remove+0xc8/0x170 drivers/base/dd.c:569
 __device_release_driver drivers/base/dd.c:1274 [inline]
 device_release_driver_internal+0x44b/0x620 drivers/base/dd.c:1297
 bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
 device_del+0x396/0x9f0 drivers/base/core.c:3878
 device_unregister+0x1d/0xc0 drivers/base/core.c:3919
 nsim_bus_dev_del drivers/net/netdevsim/bus.c:483 [inline]
 del_device_store+0x355/0x4a0 drivers/net/netdevsim/bus.c:244
 bus_attr_store+0x71/0xb0 drivers/base/bus.c:172
 sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:145
 kernfs_fop_write_iter+0x354/0x510 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x7d0/0x11d0 fs/read_write.c:686
 ksys_write+0x12a/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6ad218d69f
RSP: 002b:00007ffd6c39a200 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f6ad218d69f
RDX: 0000000000000001 RSI: 00007ffd6c39a250 RDI: 0000000000000005
RBP: 00007f6ad22130c1 R08: 0000000000000000 R09: 00007ffd6c39a057
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
R13: 00007ffd6c39a250 R14: 00007f6ad2ef4620 R15: 0000000000000003
 </TASK>
INFO: task syz.2.2434:18701 blocked for more than 143 seconds.
      Tainted: G     U              syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.2434      state:D stack:27576 pid:18701 tgid:18690 ppid:18329  task_flags:0x400140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5357 [inline]
 __schedule+0x1190/0x5de0 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0xe7/0x3a0 kernel/sched/core.c:7058
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115
 __mutex_lock_common kernel/locking/mutex.c:676 [inline]
 __mutex_lock+0x81b/0x1060 kernel/locking/mutex.c:760
 rcu_barrier+0x48/0x6e0 kernel/rcu/tree.c:3815
 netdev_wait_allrefs_any net/core/dev.c:11381 [inline]
 netdev_run_todo+0xeba/0x1320 net/core/dev.c:11494
 ops_exit_rtnl_list net/core/net_namespace.c:188 [inline]
 ops_undo_list+0x901/0xab0 net/core/net_namespace.c:247
 setup_net+0x1f1/0x380 net/core/net_namespace.c:453
 copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:570
 create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218
 ksys_unshare+0x45b/0xa40 kernel/fork.c:3127
 __do_sys_unshare kernel/fork.c:3198 [inline]
 __se_sys_unshare kernel/fork.c:3196 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:3196
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3ec0f8ebe9
RSP: 002b:00007f3ec1d9b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007f3ec11c6360 RCX: 00007f3ec0f8ebe9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080
RBP: 00007f3ec1011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3ec11c63f8 R14: 00007f3ec11c6360 R15: 00007ffe0bb82458
 </TASK>

Showing all locks held in the system:
1 lock held by pool_workqueue_/3:
 #0: ffffffff8e5cc638 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x1a3/0x3c0 kernel/rcu/tree_exp.h:343
1 lock held by khungtaskd/31:
 #0: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8e5c10a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x36/0x1c0 kernel/locking/lockdep.c:6775
4 locks held by kworker/1:1/48:
 #0: ffff888031cef948 ((wq_completion)wg-kex-wg2#6){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90000b87d10 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff888030891308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598
 #3: ffff88805e8f3ea8 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632
4 locks held by kworker/0:2/119:
 #0: ffff88805c6d8948 ((wq_completion)wg-kex-wg0#12){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90002dc7d10 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff88807d879308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598
 #3: ffff88807be4b4c0 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632
3 locks held by kworker/R-ipv6_/3202:
 #0: ffff88814c32c148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc9000b687ca8 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #2: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x12/0x30 net/ipv6/addrconf.c:4734
1 lock held by klogd/5223:
2 locks held by syz-executor/5851:
 #0: ffff88807a22a808 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x11b/0x530 mm/mmap_lock.c:147
 #1: ffff88814d726520 (sb_pagefaults){.+.+}-{0:0}, at: do_page_mkwrite+0x174/0x380 mm/memory.c:3361
4 locks held by kworker/0:3/5905:
 #0: ffff888031cef948 ((wq_completion)wg-kex-wg2#6){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc900042afd10 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff888030891308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598
 #3: ffff88805e8f3ea8 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632
4 locks held by kworker/0:4/5919:
4 locks held by kworker/0:5/5926:
 #0: ffff88801b882148 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc9000447fd10 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0x83/0x1180 net/wireless/reg.c:2483
 #3: ffff88805ae18768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: class_wiphy_constructor include/net/cfg80211.h:6212 [inline]
 #3: ffff88805ae18768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: reg_leave_invalid_chans net/wireless/reg.c:2471 [inline]
 #3: ffff88805ae18768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: reg_check_chans_work+0x10d/0x1180 net/wireless/reg.c:2486
5 locks held by kworker/u11:0/6771:
 #0: ffff88805200a148 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90003547d10 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff888058968dc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x430 net/bluetooth/hci_sync.c:331
 #3: ffff8880589680b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5670
 #4: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2079 [inline]
 #4: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x14f/0x330 net/bluetooth/hci_conn.c:1313
2 locks held by kworker/u11:1/6775:
 #0: ffff888026ade948 ((wq_completion)nbd0-recv){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90003e7fd10 ((work_completion)(&args->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
3 locks held by kworker/u10:4/6808:
5 locks held by kworker/u11:3/7665:
 #0: ffff888079899948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90003487d10 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff88803538cdc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x430 net/bluetooth/hci_sync.c:331
 #3: ffff88803538c0b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5670
 #4: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2079 [inline]
 #4: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x14f/0x330 net/bluetooth/hci_conn.c:1313
3 locks held by kworker/u10:11/9370:
3 locks held by kworker/u10:15/9374:
3 locks held by kworker/u10:17/9376:
3 locks held by kworker/u10:23/9382:
3 locks held by kworker/u10:27/10347:
3 locks held by kworker/u10:28/10348:
3 locks held by kworker/u10:32/11354:
2 locks held by kworker/u11:4/12233:
 #0: ffff888026ae3148 ((wq_completion)nbd1-recv){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc9000497fd10 ((work_completion)(&args->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
3 locks held by kworker/0:0/14953:
6 locks held by kworker/u11:5/16215:
 #0: ffff88802957e148 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90017197d10 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff88807f27cdc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x430 net/bluetooth/hci_sync.c:331
 #3: ffff88807f27c0b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5670
 #4: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2079 [inline]
 #4: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x14f/0x330 net/bluetooth/hci_conn.c:1313
 #5: ffff8880584e9b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x80/0x730 net/bluetooth/l2cap_core.c:1762
3 locks held by kworker/1:2/17907:
 #0: ffff88801b880d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90017a07d10 (free_ipc_work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffffffff8e5cc638 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x1a3/0x3c0 kernel/rcu/tree_exp.h:343
1 lock held by syz.0.2416/18599:
 #0: ffffffff8e5cc500 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x48/0x6e0 kernel/rcu/tree.c:3815
7 locks held by syz-executor/18601:
 #0: ffff888035a8c428 (sb_writers#7){.+.+}-{0:0}, at: ksys_write+0x12a/0x250 fs/read_write.c:738
 #1: ffff88802a5a4088 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x28f/0x510 fs/kernfs/file.c:325
 #2: ffff888028b153c8 (kn->active#52){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x2b2/0x510 fs/kernfs/file.c:326
 #3: ffffffff8f8f6608 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xd1/0x4a0 drivers/net/netdevsim/bus.c:234
 #4: ffff88805ef530e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:911 [inline]
 #4: ffff88805ef530e8 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1096 [inline]
 #4: ffff88805ef530e8 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xa4/0x620 drivers/base/dd.c:1294
 #5: ffff88805ef54250 (&devlink->lock_key#3){+.+.}-{4:4}, at: nsim_drv_remove+0x4a/0x1d0 drivers/net/netdevsim/dev.c:1721
 #6: ffffffff8e5cc500 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x48/0x6e0 kernel/rcu/tree.c:3815
4 locks held by kworker/u10:0/18652:
2 locks held by kworker/u10:1/18653:
 #0: ffff88801b889148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90003f1fd10 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
6 locks held by kworker/u10:2/18654:
2 locks held by kworker/u10:3/18657:
 #0: ffff88801b889148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc9000b807d10 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
3 locks held by kworker/u10:5/18658:
4 locks held by kworker/u10:6/18659:
4 locks held by kworker/u10:7/18662:
4 locks held by kworker/u10:8/18670:
4 locks held by kworker/u10:9/18678:
1 lock held by syz-executor/18680:
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x600/0x2000 net/core/rtnetlink.c:4056
2 locks held by syz.2.2434/18701:
 #0: ffffffff90370b50 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x286/0x5f0 net/core/net_namespace.c:566
 #1: ffffffff8e5cc500 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x48/0x6e0 kernel/rcu/tree.c:3815
4 locks held by kworker/u10:10/18697:
4 locks held by kworker/u10:12/18698:
2 locks held by kworker/u10:13/18699:
 #0: ffff88801b889148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90003f0fd10 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
2 locks held by kworker/0:1/18700:
2 locks held by kworker/u10:14/18707:
 #0: ffff88801b889148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90004b77d10 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
2 locks held by kworker/0:6/18708:
4 locks held by kworker/u10:16/18712:
2 locks held by modprobe/18713:
2 locks held by modprobe/18714:
4 locks held by kworker/u10:18/18717:
6 locks held by kworker/u10:19/18720:
1 lock held by syz.1.2437/18723:
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:634 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x38/0x230 drivers/net/tun.c:3433
4 locks held by kworker/u10:20/18725:
2 locks held by modprobe/18734:
1 lock held by syz-executor/18737:
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x600/0x2000 net/core/rtnetlink.c:4056
3 locks held by kworker/u10:21/18744:
1 lock held by syz-executor/18745:
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x600/0x2000 net/core/rtnetlink.c:4056
3 locks held by kworker/u10:22/18748:
4 locks held by kworker/u10:24/18753:
3 locks held by modprobe/18757:
4 locks held by kworker/u10:25/18759:
1 lock held by dhcpcd/18763:
 #0: ffff88807ea54408 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
 #0: ffff88807ea54408 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: __sock_release+0x86/0x270 net/socket.c:648
3 locks held by kworker/0:7/18779:
 #0: ffff88801b880d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc90003957d10 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: 
ffffffff90386e48
 (
rtnl_mutex
){+.+.}-{4:4}
, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/u10:26/18780:
4 locks held by kworker/1:4/18784:
 #0: 
ffff88805c6d8948 ((wq_completion)wg-kex-wg0#12){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc900001f7d10 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff88807d879308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598
 #3: ffff88807be4b4c0 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632
4 locks held by kworker/u11:7/18785:
 #0: ffff88807d811148 ((wq_completion)hci7#4){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc900034ffd10 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff88807d79c0b8 (&hdev->lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x94/0x970 net/bluetooth/hci_event.c:3684
 #3: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2079 [inline]
 #3: ffffffff905ef0a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_remote_features_evt+0x472/0x970 net/bluetooth/hci_event.c:3718
4 locks held by kworker/1:8/18790:
 #0: ffff888058b8b948 ((wq_completion)wg-kex-wg0#6){+.+.}-{0:0}, at: process_one_work+0x12a2/0x1b70 kernel/workqueue.c:3211
 #1: ffffc9000350fd10 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x929/0x1b70 kernel/workqueue.c:3212
 #2: ffff88807d949308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598
 #3: ffff88805e8f2ad8 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632
1 lock held by dhcpcd/18791:
 #0: ffff88807e1d4258 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]
 #0: ffff88807e1d4258 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x2c/0xf60 net/packet/af_packet.c:3251
1 lock held by dhcpcd/18792:
 #0: ffff8880256aa258 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline]
 #0: ffff8880256aa258 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x2c/0xf60 net/packet/af_packet.c:3251
1 lock held by kworker/0:8/18812:
1 lock held by syz-executor/18825:
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #0: ffffffff90386e48 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x30c/0x1540 net/ipv4/devinet.c:979
3 locks held by kworker/u10:29/18833:
1 lock held by kworker/u10:30/18835:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Tainted: G     U              syzkaller #0 PREEMPT(full) 
Tainted: [U]=USER
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:328 [inline]
 watchdog+0xf0e/0x1260 kernel/hung_task.c:491
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 18720 Comm: kworker/u10:19 Tainted: G     U              syzkaller #0 PREEMPT(full) 
Tainted: [U]=USER
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:26 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:109 [inline]
RIP: 0010:arch_local_irq_save arch/x86/include/asm/irqflags.h:127 [inline]
RIP: 0010:lock_acquire kernel/locking/lockdep.c:5864 [inline]
RIP: 0010:lock_acquire+0x130/0x350 kernel/locking/lockdep.c:5825
Code: b1 00 00 00 65 8b 05 47 e0 3e 12 85 c0 0f 85 a2 00 00 00 65 48 8b 05 87 9e 3e 12 8b 90 ec 0a 00 00 85 d2 0f 85 8c 00 00 00 9c <8f> 04 24 fa 48 c7 c7 4e 08 f4 8d e8 f0 82 f9 09 45 89 e0 89 e9 44
RSP: 0018:ffffc90000006c38 EFLAGS: 00000246
RAX: ffff88802bf19e00 RBX: ffffffff8e5c10a0 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff816ab581 RDI: fffffbfff1cb8214
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 000000000008635c R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881246c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0816fd7000 CR3: 0000000026304000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 unwind_next_frame+0xd1/0x20a0 arch/x86/kernel/unwind_orc.c:479
 arch_stack_walk+0x94/0x100 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kmem_cache_free+0x2d1/0x4d0 mm/slub.c:4782
 kfree_skbmem+0x1a4/0x1f0 net/core/skbuff.c:1109
 __kfree_skb net/core/skbuff.c:1166 [inline]
 consume_skb net/core/skbuff.c:1397 [inline]
 consume_skb+0xcc/0x100 net/core/skbuff.c:1391
 netlink_broadcast_filtered+0x3ee/0xf90 net/netlink/af_netlink.c:1537
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0x9e/0x220 net/netlink/af_netlink.c:2595
 fdb_notify+0xfd/0x1a0 net/bridge/br_fdb.c:199
 br_fdb_update+0x323/0x7c0 net/bridge/br_fdb.c:934
 br_handle_frame_finish+0xdc0/0x1ca0 net/bridge/br_input.c:144
 br_nf_hook_thresh+0x307/0x410 net/bridge/br_netfilter_hooks.c:1170
 br_nf_pre_routing_finish_ipv6+0x76a/0xfb0 net/bridge/br_netfilter_ipv6.c:154
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_pre_routing_ipv6+0x3cd/0x8c0 net/bridge/br_netfilter_ipv6.c:184
 br_nf_pre_routing+0x860/0x15b0 net/bridge/br_netfilter_hooks.c:508
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:283 [inline]
 br_handle_frame+0xad8/0x14b0 net/bridge/br_input.c:434
 __netif_receive_skb_core.constprop.0+0xa25/0x48c0 net/core/dev.c:5878
 __netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:5989
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6104
 process_backlog+0x442/0x15e0 net/core/dev.c:6456
 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7506
 napi_poll net/core/dev.c:7569 [inline]
 net_rx_action+0xa9f/0xfe0 net/core/dev.c:7696
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 do_softirq kernel/softirq.c:480 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:467
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:407
 wg_socket_send_skb_to_peer+0x145/0x210 drivers/net/wireguard/socket.c:184
 wg_socket_send_buffer_to_peer+0x148/0x1a0 drivers/net/wireguard/socket.c:200
 wg_packet_send_handshake_initiation+0x225/0x360 drivers/net/wireguard/send.c:40
 wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>