netlink: 14 bytes leftover after parsing attributes in process `syz.3.2669'.
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 13264, name: syz.3.2669
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz.3.2669/13264:
 #0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x811/0xfa0 net/core/rtnetlink.c:6469
 #1: ffff88805d20d468 (&x->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
 #1: ffff88805d20d468 (&x->lock){+.-.}-{2:2}, at: xfrm_state_delete net/xfrm/xfrm_state.c:784 [inline]
 #1: ffff88805d20d468 (&x->lock){+.-.}-{2:2}, at: xfrm_dev_state_flush+0x418/0x710 net/xfrm/xfrm_state.c:911
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 13264 Comm: syz.3.2669 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 __might_resched+0x4ad/0x630 kernel/sched/core.c:10211
 __mutex_lock_common kernel/locking/mutex.c:580 [inline]
 __mutex_lock+0xb7/0xcc0 kernel/locking/mutex.c:747
 bond_ipsec_del_sa+0x4db/0x740 drivers/net/bonding/bond_main.c:560
 xfrm_dev_state_delete net/xfrm/xfrm_state.c:707 [inline]
 __xfrm_state_delete+0x5d0/0xb10 net/xfrm/xfrm_state.c:764
 xfrm_state_delete net/xfrm/xfrm_state.c:785 [inline]
 xfrm_dev_state_flush+0x420/0x710 net/xfrm/xfrm_state.c:911
 bond_master_netdev_event drivers/net/bonding/bond_main.c:3925 [inline]
 bond_netdev_event+0x28a/0xf30 drivers/net/bonding/bond_main.c:4077
 notifier_call_chain+0x197/0x380 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2077 [inline]
 call_netdevice_notifiers net/core/dev.c:2091 [inline]
 unregister_netdevice_many_notify+0x100d/0x1900 net/core/dev.c:11099
 rtnl_delete_link net/core/rtnetlink.c:3259 [inline]
 rtnl_dellink+0x500/0x7c0 net/core/rtnetlink.c:3311
 rtnetlink_rcv_msg+0x869/0xfa0 net/core/rtnetlink.c:6472
 netlink_rcv_skb+0x241/0x4d0 net/netlink/af_netlink.c:2545
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d0/0xbf0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x5ba/0x960 net/socket.c:2594
 ___sys_sendmsg+0x2a6/0x360 net/socket.c:2648
 __sys_sendmsg net/socket.c:2677 [inline]
 __do_sys_sendmsg net/socket.c:2686 [inline]
 __se_sys_sendmsg+0x1c2/0x2b0 net/socket.c:2684
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f626379bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6264746028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6263a15fa0 RCX: 00007f626379bf79
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000009
RBP: 00007f62638327e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6263a16038 R14: 00007f6263a15fa0 R15: 00007ffe5ac0ac48
 </TASK>

=============================
[ BUG: Invalid wait context ]
syzkaller #0 Tainted: G        W         
-----------------------------
syz.3.2669/13264 is trying to lock:
ffff88805dab9520 (&bond->ipsec_lock){+.+.}-{3:3}, at: bond_ipsec_del_sa+0x4db/0x740 drivers/net/bonding/bond_main.c:560
other info that might help us debug this:
context-{4:4}
2 locks held by syz.3.2669/13264:
 #0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8e3c0208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x811/0xfa0 net/core/rtnetlink.c:6469
 #1: ffff88805d20d468 (&x->lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
 #1: ffff88805d20d468 (&x->lock){+.-.}-{2:2}, at: xfrm_state_delete net/xfrm/xfrm_state.c:784 [inline]
 #1: ffff88805d20d468 (&x->lock){+.-.}-{2:2}, at: xfrm_dev_state_flush+0x418/0x710 net/xfrm/xfrm_state.c:911
stack backtrace:
CPU: 0 PID: 13264 Comm: syz.3.2669 Tainted: G        W          syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4751 [inline]
 check_wait_context kernel/locking/lockdep.c:4821 [inline]
 __lock_acquire+0x1d19/0x7d40 kernel/locking/lockdep.c:5087
 lock_acquire+0x19e/0x420 kernel/locking/lockdep.c:5754
 __mutex_lock_common kernel/locking/mutex.c:603 [inline]
 __mutex_lock+0x136/0xcc0 kernel/locking/mutex.c:747
 bond_ipsec_del_sa+0x4db/0x740 drivers/net/bonding/bond_main.c:560
 xfrm_dev_state_delete net/xfrm/xfrm_state.c:707 [inline]
 __xfrm_state_delete+0x5d0/0xb10 net/xfrm/xfrm_state.c:764
 xfrm_state_delete net/xfrm/xfrm_state.c:785 [inline]
 xfrm_dev_state_flush+0x420/0x710 net/xfrm/xfrm_state.c:911
 bond_master_netdev_event drivers/net/bonding/bond_main.c:3925 [inline]
 bond_netdev_event+0x28a/0xf30 drivers/net/bonding/bond_main.c:4077
 notifier_call_chain+0x197/0x380 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2077 [inline]
 call_netdevice_notifiers net/core/dev.c:2091 [inline]
 unregister_netdevice_many_notify+0x100d/0x1900 net/core/dev.c:11099
 rtnl_delete_link net/core/rtnetlink.c:3259 [inline]
 rtnl_dellink+0x500/0x7c0 net/core/rtnetlink.c:3311
 rtnetlink_rcv_msg+0x869/0xfa0 net/core/rtnetlink.c:6472
 netlink_rcv_skb+0x241/0x4d0 net/netlink/af_netlink.c:2545
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8d0/0xbf0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0x5ba/0x960 net/socket.c:2594
 ___sys_sendmsg+0x2a6/0x360 net/socket.c:2648
 __sys_sendmsg net/socket.c:2677 [inline]
 __do_sys_sendmsg net/socket.c:2686 [inline]
 __se_sys_sendmsg+0x1c2/0x2b0 net/socket.c:2684
 do_syscall_x64 arch/x86/entry/common.c:46 [inline]
 do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f626379bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6264746028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f6263a15fa0 RCX: 00007f626379bf79
RDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000009
RBP: 00007f62638327e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f6263a16038 R14: 00007f6263a15fa0 R15: 00007ffe5ac0ac48
 </TASK>
bond0 (unregistering): Released all slaves