netlink: 32 bytes leftover after parsing attributes in process `syz.2.3349'. vlan2: left promiscuous mode ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 6.15.0-rc4-syzkaller-00213-g3c44b2d615e6 #0 Not tainted ----------------------------------------------------- syz.2.3349/14843 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire: ffff888063544e18 (&bond->stats_lock/1){+.+.}-{3:3}, at: bond_get_stats+0x3c1/0x6c0 drivers/net/bonding/bond_main.c:4573 and this task is already holding: ffff8880330c4d98 (&br->lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] ffff8880330c4d98 (&br->lock){+.-.}-{3:3}, at: br_port_slave_changelink+0x3d/0x150 net/bridge/br_netlink.c:1212 which would create a new lock dependency: (&br->lock){+.-.}-{3:3} -> (&bond->stats_lock/1){+.+.}-{3:3} but this new dependency connects a SOFTIRQ-irq-safe lock: (&br->lock){+.-.}-{3:3} ... which became SOFTIRQ-irq-safe at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] br_forward_delay_timer_expired+0x4f/0x430 net/bridge/br_stp_timer.c:86 call_timer_fn+0x17b/0x5f0 kernel/time/timer.c:1789 expire_timers kernel/time/timer.c:1840 [inline] __run_timers kernel/time/timer.c:2414 [inline] __run_timer_base+0x61a/0x860 kernel/time/timer.c:2426 run_timer_base kernel/time/timer.c:2435 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2445 handle_softirqs+0x283/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __sanitizer_cov_trace_const_cmp4+0x0/0x90 kernel/kcov.c:309 __page_table_check_ptes_set+0x15c/0x2f0 mm/page_table_check.c:206 page_table_check_ptes_set include/linux/page_table_check.h:74 [inline] set_ptes include/linux/pgtable.h:292 [inline] __copy_present_ptes mm/memory.c:961 [inline] copy_present_ptes mm/memory.c:1044 [inline] copy_pte_range mm/memory.c:1167 [inline] copy_pmd_range+0x427d/0x7000 mm/memory.c:1255 copy_pud_range mm/memory.c:1292 [inline] copy_p4d_range mm/memory.c:1316 [inline] copy_page_range+0x95c/0xd40 mm/memory.c:1410 dup_mmap kernel/fork.c:726 [inline] dup_mm kernel/fork.c:1734 [inline] copy_mm+0x121c/0x2100 kernel/fork.c:1786 copy_process+0x16d3/0x3b80 kernel/fork.c:2429 kernel_clone+0x21e/0x870 kernel/fork.c:2844 __do_sys_clone kernel/fork.c:2987 [inline] __se_sys_clone kernel/fork.c:2971 [inline] __x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2971 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f to a SOFTIRQ-irq-unsafe lock: (&bond->stats_lock/1){+.+.}-{3:3} ... which became SOFTIRQ-irq-unsafe at: ... lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 _raw_spin_lock_nested+0x32/0x50 kernel/locking/spinlock.c:378 bond_get_stats+0x3c1/0x6c0 drivers/net/bonding/bond_main.c:4573 dev_get_stats+0xb1/0xa50 net/core/dev.c:11444 rtnl_fill_stats+0x47/0x8c0 net/core/rtnetlink.c:1474 rtnl_fill_ifinfo+0x1606/0x1e70 net/core/rtnetlink.c:2118 rtmsg_ifinfo_build_skb+0x17d/0x260 net/core/rtnetlink.c:4409 rtmsg_ifinfo_event net/core/rtnetlink.c:4442 [inline] rtnetlink_event+0x1b7/0x270 net/core/rtnetlink.c:7015 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline] call_netdevice_notifiers net/core/dev.c:2228 [inline] netdev_features_change net/core/dev.c:1517 [inline] netdev_change_features+0x8d/0xd0 net/core/dev.c:10685 bond_compute_features+0x615/0x680 drivers/net/bonding/bond_main.c:1619 bond_enslave+0x21e5/0x3a40 drivers/net/bonding/bond_main.c:2350 do_set_master+0x530/0x6d0 net/core/rtnetlink.c:2946 do_setlink+0xd47/0x40d0 net/core/rtnetlink.c:3159 rtnl_changelink net/core/rtnetlink.c:3769 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&bond->stats_lock/1); local_irq_disable(); lock(&br->lock); lock(&bond->stats_lock/1); lock(&br->lock); *** DEADLOCK *** 3 locks held by syz.2.3349/14843: #0: ffffffff8f2f4248 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline] #0: ffffffff8f2f4248 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline] #0: ffffffff8f2f4248 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064 #1: ffff8880330c4d98 (&br->lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #1: ffff8880330c4d98 (&br->lock){+.-.}-{3:3}, at: br_port_slave_changelink+0x3d/0x150 net/bridge/br_netlink.c:1212 #2: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #2: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #2: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: bond_get_stats+0xc5/0x6c0 drivers/net/bonding/bond_main.c:4568 the dependencies between SOFTIRQ-irq-safe lock and the holding lock: -> (&br->lock){+.-.}-{3:3} { HARDIRQ-ON-W at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] br_add_if+0xabe/0xec0 net/bridge/br_if.c:682 do_set_master+0x530/0x6d0 net/core/rtnetlink.c:2946 do_setlink+0xd47/0x40d0 net/core/rtnetlink.c:3159 rtnl_changelink net/core/rtnetlink.c:3769 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f IN-SOFTIRQ-W at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] br_forward_delay_timer_expired+0x4f/0x430 net/bridge/br_stp_timer.c:86 call_timer_fn+0x17b/0x5f0 kernel/time/timer.c:1789 expire_timers kernel/time/timer.c:1840 [inline] __run_timers kernel/time/timer.c:2414 [inline] __run_timer_base+0x61a/0x860 kernel/time/timer.c:2426 run_timer_base kernel/time/timer.c:2435 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2445 handle_softirqs+0x283/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 __sanitizer_cov_trace_const_cmp4+0x0/0x90 kernel/kcov.c:309 __page_table_check_ptes_set+0x15c/0x2f0 mm/page_table_check.c:206 page_table_check_ptes_set include/linux/page_table_check.h:74 [inline] set_ptes include/linux/pgtable.h:292 [inline] __copy_present_ptes mm/memory.c:961 [inline] copy_present_ptes mm/memory.c:1044 [inline] copy_pte_range mm/memory.c:1167 [inline] copy_pmd_range+0x427d/0x7000 mm/memory.c:1255 copy_pud_range mm/memory.c:1292 [inline] copy_p4d_range mm/memory.c:1316 [inline] copy_page_range+0x95c/0xd40 mm/memory.c:1410 dup_mmap kernel/fork.c:726 [inline] dup_mm kernel/fork.c:1734 [inline] copy_mm+0x121c/0x2100 kernel/fork.c:1786 copy_process+0x16d3/0x3b80 kernel/fork.c:2429 kernel_clone+0x21e/0x870 kernel/fork.c:2844 __do_sys_clone kernel/fork.c:2987 [inline] __se_sys_clone kernel/fork.c:2971 [inline] __x64_sys_clone+0x18b/0x1e0 kernel/fork.c:2971 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL USE at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] br_add_if+0xabe/0xec0 net/bridge/br_if.c:682 do_set_master+0x530/0x6d0 net/core/rtnetlink.c:2946 do_setlink+0xd47/0x40d0 net/core/rtnetlink.c:3159 rtnl_changelink net/core/rtnetlink.c:3769 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] br_dev_setup.__key+0x0/0x20 the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock: -> (&bond->stats_lock/1){+.+.}-{3:3} { HARDIRQ-ON-W at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 _raw_spin_lock_nested+0x32/0x50 kernel/locking/spinlock.c:378 bond_get_stats+0x3c1/0x6c0 drivers/net/bonding/bond_main.c:4573 dev_get_stats+0xb1/0xa50 net/core/dev.c:11444 rtnl_fill_stats+0x47/0x8c0 net/core/rtnetlink.c:1474 rtnl_fill_ifinfo+0x1606/0x1e70 net/core/rtnetlink.c:2118 rtmsg_ifinfo_build_skb+0x17d/0x260 net/core/rtnetlink.c:4409 rtmsg_ifinfo_event net/core/rtnetlink.c:4442 [inline] rtnetlink_event+0x1b7/0x270 net/core/rtnetlink.c:7015 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline] call_netdevice_notifiers net/core/dev.c:2228 [inline] netdev_features_change net/core/dev.c:1517 [inline] netdev_change_features+0x8d/0xd0 net/core/dev.c:10685 bond_compute_features+0x615/0x680 drivers/net/bonding/bond_main.c:1619 bond_enslave+0x21e5/0x3a40 drivers/net/bonding/bond_main.c:2350 do_set_master+0x530/0x6d0 net/core/rtnetlink.c:2946 do_setlink+0xd47/0x40d0 net/core/rtnetlink.c:3159 rtnl_changelink net/core/rtnetlink.c:3769 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f SOFTIRQ-ON-W at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 _raw_spin_lock_nested+0x32/0x50 kernel/locking/spinlock.c:378 bond_get_stats+0x3c1/0x6c0 drivers/net/bonding/bond_main.c:4573 dev_get_stats+0xb1/0xa50 net/core/dev.c:11444 rtnl_fill_stats+0x47/0x8c0 net/core/rtnetlink.c:1474 rtnl_fill_ifinfo+0x1606/0x1e70 net/core/rtnetlink.c:2118 rtmsg_ifinfo_build_skb+0x17d/0x260 net/core/rtnetlink.c:4409 rtmsg_ifinfo_event net/core/rtnetlink.c:4442 [inline] rtnetlink_event+0x1b7/0x270 net/core/rtnetlink.c:7015 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline] call_netdevice_notifiers net/core/dev.c:2228 [inline] netdev_features_change net/core/dev.c:1517 [inline] netdev_change_features+0x8d/0xd0 net/core/dev.c:10685 bond_compute_features+0x615/0x680 drivers/net/bonding/bond_main.c:1619 bond_enslave+0x21e5/0x3a40 drivers/net/bonding/bond_main.c:2350 do_set_master+0x530/0x6d0 net/core/rtnetlink.c:2946 do_setlink+0xd47/0x40d0 net/core/rtnetlink.c:3159 rtnl_changelink net/core/rtnetlink.c:3769 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL USE at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 _raw_spin_lock_nested+0x32/0x50 kernel/locking/spinlock.c:378 bond_get_stats+0x3c1/0x6c0 drivers/net/bonding/bond_main.c:4573 dev_get_stats+0xb1/0xa50 net/core/dev.c:11444 rtnl_fill_stats+0x47/0x8c0 net/core/rtnetlink.c:1474 rtnl_fill_ifinfo+0x1606/0x1e70 net/core/rtnetlink.c:2118 rtmsg_ifinfo_build_skb+0x17d/0x260 net/core/rtnetlink.c:4409 rtmsg_ifinfo_event net/core/rtnetlink.c:4442 [inline] rtnetlink_event+0x1b7/0x270 net/core/rtnetlink.c:7015 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline] call_netdevice_notifiers net/core/dev.c:2228 [inline] netdev_features_change net/core/dev.c:1517 [inline] netdev_change_features+0x8d/0xd0 net/core/dev.c:10685 bond_compute_features+0x615/0x680 drivers/net/bonding/bond_main.c:1619 bond_enslave+0x21e5/0x3a40 drivers/net/bonding/bond_main.c:2350 do_set_master+0x530/0x6d0 net/core/rtnetlink.c:2946 do_setlink+0xd47/0x40d0 net/core/rtnetlink.c:3159 rtnl_changelink net/core/rtnetlink.c:3769 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] bond_init.__key+0x1/0x20 ... acquired at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 _raw_spin_lock_nested+0x32/0x50 kernel/locking/spinlock.c:378 bond_get_stats+0x3c1/0x6c0 drivers/net/bonding/bond_main.c:4573 dev_get_stats+0xb1/0xa50 net/core/dev.c:11444 rtnl_fill_stats+0x47/0x8c0 net/core/rtnetlink.c:1474 rtnl_fill_ifinfo+0x1606/0x1e70 net/core/rtnetlink.c:2118 rtmsg_ifinfo_build_skb+0x17d/0x260 net/core/rtnetlink.c:4409 rtmsg_ifinfo_event net/core/rtnetlink.c:4442 [inline] rtmsg_ifinfo+0x8c/0x1a0 net/core/rtnetlink.c:4451 __dev_notify_flags+0xf4/0x2e0 net/core/dev.c:9389 __dev_set_promiscuity+0x152/0x590 net/core/dev.c:9192 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 dev_change_rx_flags net/core/dev.c:9145 [inline] __dev_set_promiscuity+0x3f5/0x590 net/core/dev.c:9189 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 br_port_clear_promisc net/bridge/br_if.c:135 [inline] br_manage_promisc+0x4db/0x560 net/bridge/br_if.c:172 nbp_update_port_count net/bridge/br_if.c:242 [inline] br_port_flags_change+0x160/0x1f0 net/bridge/br_if.c:761 br_setport+0xc3c/0x1670 net/bridge/br_netlink.c:1000 br_port_slave_changelink+0x12f/0x150 net/bridge/br_netlink.c:1213 rtnl_changelink net/core/rtnetlink.c:3762 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x19e2/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x505/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f stack backtrace: CPU: 1 UID: 0 PID: 14843 Comm: syz.2.3349 Not tainted 6.15.0-rc4-syzkaller-00213-g3c44b2d615e6 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_bad_irq_dependency kernel/locking/lockdep.c:2652 [inline] check_irq_usage kernel/locking/lockdep.c:2893 [inline] check_prev_add kernel/locking/lockdep.c:3170 [inline] check_prevs_add kernel/locking/lockdep.c:3285 [inline] validate_chain+0x1f05/0x2140 kernel/locking/lockdep.c:3909 __lock_acquire+0xaac/0xd20 kernel/locking/lockdep.c:5235 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5866 _raw_spin_lock_nested+0x32/0x50 kernel/locking/spinlock.c:378 bond_get_stats+0x3c1/0x6c0 drivers/net/bonding/bond_main.c:4573 dev_get_stats+0xb1/0xa50 net/core/dev.c:11444 rtnl_fill_stats+0x47/0x8c0 net/core/rtnetlink.c:1474 rtnl_fill_ifinfo+0x1606/0x1e70 net/core/rtnetlink.c:2118 rtmsg_ifinfo_build_skb+0x17d/0x260 net/core/rtnetlink.c:4409 rtmsg_ifinfo_event net/core/rtnetlink.c:4442 [inline] rtmsg_ifinfo+0x8c/0x1a0 net/core/rtnetlink.c:4451 __dev_notify_flags+0xf4/0x2e0 net/core/dev.c:9389 __dev_set_promiscuity+0x152/0x590 net/core/dev.c:9192 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 dev_change_rx_flags net/core/dev.c:9145 [inline] __dev_set_promiscuity+0x3f5/0x590 net/core/dev.c:9189 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 br_port_clear_promisc net/bridge/br_if.c:135 [inline] br_manage_promisc+0x4db/0x560 net/bridge/br_if.c:172 nbp_update_port_count net/bridge/br_if.c:242 [inline] br_port_flags_change+0x160/0x1f0 net/bridge/br_if.c:761 br_setport+0xc3c/0x1670 net/bridge/br_netlink.c:1000 br_port_slave_changelink+0x12f/0x150 net/bridge/br_netlink.c:1213 rtnl_changelink net/core/rtnetlink.c:3762 [inline] __rtnl_newlink net/core/rtnetlink.c:3928 [inline] rtnl_newlink+0x19e2/0x1c70 net/core/rtnetlink.c:4065 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x505/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2655 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff707b8e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ff708a9b038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007ff707db5fa0 RCX: 00007ff707b8e969 RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000008 RBP: 00007ff707c10ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007ff707db5fa0 R15: 00007ffc10563c18