program: r0 = socket$kcm(0x23, 0x5, 0x0) listen(r0, 0x800) (async) accept(r0, 0x0, 0x0) (async) r1 = socket$kcm(0x10, 0x2, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=@newlink={0x20, 0x10, 0x40d}, 0x20}}, 0x0) (async) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000a40)={0xffffffffffffffff, 0xffffffffffffffff}) bind$unix(r2, &(0x7f00000000c0)=@file={0x1, './file0\x00'}, 0x6e) r3 = socket$unix(0x1, 0x5, 0x0) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f00000000c0)={'veth0_macvtap\x00', 0x0}) (async) r5 = socket(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r5, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000300)=@newqdisc={0x88, 0x24, 0xf0b, 0x70bd26, 0x0, {0x0, 0x0, 0x0, r4, {0x0, 0xffff}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_mqprio={{0xb}, {0x58, 0x2, {{0x1, [], 0x0, [0x1, 0x2, 0xfffe, 0x0, 0x0, 0x0, 0x0, 0x8, 0x0, 0x5c4, 0x8000, 0x0, 0x0, 0x3dc], [0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1000]}}}}]}, 0x88}}, 0x20000000) r6 = socket(0x400000000010, 0x3, 0x0) sendmsg$nl_route_sched(r6, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000500)=@newqdisc={0x4c, 0x24, 0x4ee4e6a52ff56541, 0x70bd29, 0xfffbffff, {0x0, 0x0, 0x0, r4, {0x0, 0x8}, {0xffff, 0xffff}, {0xc, 0xfff3}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x1c, 0x2, [@TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x8001}]}]}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8}]}}]}, 0x4c}, 0x1, 0x0, 0x0, 0x40001}, 0x10) r7 = socket$unix(0x1, 0x5, 0x0) ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f00000000c0)={'veth0_macvtap\x00', 0x0}) (async) r9 = socket(0x400000000010, 0x3, 0x0) sendmsg$nl_route_sched(r9, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000500)=@newqdisc={0x3c, 0x24, 0x4ee4e6a52ff56541, 0x70bd29, 0xfffbffff, {0x0, 0x0, 0x0, r8, {0x0, 0x8}, {0xffff, 0xffff}, {0xc, 0xfff3}}, [@qdisc_kind_options=@q_taprio={{0xb}, 
{0xc, 0x2, [@TCA_TAPRIO_ATTR_FLAGS={0x8, 0xa, 0x2}]}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x40001}, 0x10) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) sendmmsg$unix(r10, &(0x7f0000000000), 0x651, 0x0) (async, rerun: 64) sendmsg$inet(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4) (rerun: 64) r11 = socket$phonet_pipe(0x23, 0x5, 0x2) connect$phonet_pipe(r11, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10) [ 102.643923][ T44] Bluetooth: hci0: command tx timeout [ 102.882754][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 102.907157][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 102.926560][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 102.980430][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.043157][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.089817][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.132879][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.200384][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.236447][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.271163][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.648466][ C0] [ 103.649555][ C0] ================================ [ 103.651656][ C0] WARNING: inconsistent lock state [ 103.653952][ C0] syzkaller #0 Not tainted [ 103.656117][ C0] -------------------------------- [ 103.658829][ C0] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. 
[ 103.661871][ C0] syz.0.0/5327 [HC0[0]:SC1[1]:HE1:SE0] takes: [ 103.664615][ C0] ffff888012ae3c68 (slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1bf/0x9e0 [ 103.668976][ C0] {SOFTIRQ-ON-W} state was registered at: [ 103.671535][ C0] lock_acquire+0x106/0x350 [ 103.673685][ C0] _raw_spin_lock_nested+0x32/0x50 [ 103.676100][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 103.678383][ C0] pep_do_rcv+0x685/0xaa0 [ 103.680465][ C0] __release_sock+0x297/0x3a0 [ 103.682679][ C0] release_sock+0x190/0x260 [ 103.684902][ C0] pep_sock_accept+0xdf5/0x12b0 [ 103.687244][ C0] pn_socket_accept+0xc9/0x2e0 [ 103.689598][ C0] do_accept+0x521/0x760 [ 103.691592][ C0] __sys_accept4+0x139/0x230 [ 103.693742][ C0] __x64_sys_accept+0x7d/0x90 [ 103.695956][ C0] do_syscall_64+0x15f/0xf80 [ 103.698167][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.701104][ C0] irq event stamp: 6418 [ 103.703118][ C0] hardirqs last enabled at (6418): [] irqentry_exit+0x218/0x760 [ 103.707452][ C0] hardirqs last disabled at (6417): [] sysvec_apic_timer_interrupt+0xe/0xc0 [ 103.712072][ C0] softirqs last enabled at (6404): [] netif_rx+0x79/0x90 [ 103.715999][ C0] softirqs last disabled at (6405): [] do_softirq+0x76/0xd0 [ 103.719813][ C0] [ 103.719813][ C0] other info that might help us debug this: [ 103.723421][ C0] Possible unsafe locking scenario: [ 103.723421][ C0] [ 103.726853][ C0] CPU0 [ 103.728434][ C0] ---- [ 103.729951][ C0] lock(slock-AF_PHONET/1); [ 103.731951][ C0] <Interrupt> [ 103.733457][ C0] lock(slock-AF_PHONET/1); [ 103.735882][ C0] [ 103.735882][ C0] *** DEADLOCK *** [ 103.735882][ C0] [ 103.739772][ C0] 5 locks held by syz.0.0/5327: [ 103.742018][ C0] #0: ffff88801f057840 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: sock_close+0x9b/0x240 [ 103.746597][ C0] #1: ffff888012ae4360 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: pep_sock_close+0x86/0x5b0 [ 103.750912][ C0] #2: ffffffff8e95cca0 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x3eb/0x1950 [ 103.755294][ C0] #3: ffff888012ae4968 
(slock-AF_PHONET){+.-.}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 [ 103.760277][ C0] #4: ffff888012ae49e0 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: phonet_rcv+0x781/0xc40 [ 103.764701][ C0] [ 103.764701][ C0] stack backtrace: [ 103.767470][ C0] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 103.767485][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 103.767523][ C0] Call Trace: [ 103.767591][ C0] <IRQ> [ 103.767598][ C0] dump_stack_lvl+0xe8/0x150 [ 103.767625][ C0] print_usage_bug+0x28b/0x2e0 [ 103.767642][ C0] mark_lock_irq+0x410/0x420 [ 103.767658][ C0] mark_lock+0x115/0x190 [ 103.767673][ C0] __lock_acquire+0x689/0x2cf0 [ 103.767686][ C0] ? sk_filter_trim_cap+0x1a7/0xe70 [ 103.767704][ C0] ? sk_filter_trim_cap+0x91e/0xe70 [ 103.767721][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 103.767733][ C0] lock_acquire+0x106/0x350 [ 103.767743][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 103.767757][ C0] _raw_spin_lock_nested+0x32/0x50 [ 103.767783][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 103.767794][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 103.767817][ C0] pep_do_rcv+0x685/0xaa0 [ 103.767835][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 103.767850][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 103.767864][ C0] ? phonet_rcv+0x781/0xc40 [ 103.767877][ C0] __sk_receive_skb+0x962/0x9e0 [ 103.767890][ C0] phonet_rcv+0x781/0xc40 [ 103.767906][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 103.767921][ C0] ? process_backlog+0x3eb/0x1950 [ 103.767932][ C0] ? process_backlog+0x3eb/0x1950 [ 103.767950][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 103.767962][ C0] ? process_backlog+0x3eb/0x1950 [ 103.767975][ C0] process_backlog+0xc66/0x1950 [ 103.767990][ C0] __napi_poll+0xae/0x340 [ 103.768001][ C0] ? skb_defer_free_flush+0x233/0x260 [ 103.768012][ C0] net_rx_action+0x627/0xf70 [ 103.768028][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 103.768039][ C0] ? xfrm_dev_backlog+0x24b/0x3c0 [ 103.768057][ C0] ? net_tx_action+0x5b6/0xc30 [ 103.768070][ C0] ? 
net_tx_action+0xbfb/0xc30 [ 103.768081][ C0] handle_softirqs+0x22a/0x840 [ 103.768094][ C0] ? do_softirq+0x76/0xd0 [ 103.768106][ C0] ? netif_rx+0x79/0x90 [ 103.768121][ C0] do_softirq+0x76/0xd0 [ 103.768143][ C0] </IRQ> [ 103.768147][ C0] <TASK> [ 103.768152][ C0] __local_bh_enable_ip+0xf8/0x130 [ 103.768164][ C0] netif_rx+0x83/0x90 [ 103.768176][ C0] pn_send+0x62a/0x8e0 [ 103.768191][ C0] pn_skb_send+0x218/0x510 [ 103.768204][ C0] pep_sock_close+0x2c1/0x5b0 [ 103.768220][ C0] pn_socket_release+0x9b/0xc0 [ 103.768232][ C0] sock_close+0xc3/0x240 [ 103.768248][ C0] ? __pfx_sock_close+0x10/0x10 [ 103.768264][ C0] __fput+0x44f/0xa60 [ 103.768277][ C0] task_work_run+0x1d9/0x270 [ 103.768293][ C0] ? __pfx_task_work_run+0x10/0x10 [ 103.768311][ C0] exit_to_user_mode_loop+0xf3/0x4d0 [ 103.768322][ C0] ? rcu_is_watching+0x15/0xb0 [ 103.768335][ C0] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.768346][ C0] do_syscall_64+0x33e/0xf80 [ 103.768364][ C0] ? clear_bhb_loop+0x40/0x90 [ 103.768375][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.768387][ C0] RIP: 0033:0x7f0f6699ce59 [ 103.768407][ C0] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 103.768417][ C0] RSP: 002b:00007ffddf4243c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 103.768444][ C0] RAX: 0000000000000000 RBX: 00007f0f66c17da0 RCX: 00007f0f6699ce59 [ 103.768453][ C0] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 103.768459][ C0] RBP: 00007f0f66c17da0 R08: 0000000000000006 R09: 0000000000000000 [ 103.768465][ C0] R10: 00007f0f66c17cb0 R11: 0000000000000246 R12: 00000000000193d2 [ 103.768473][ C0] R13: 00007f0f66c1609c R14: 00000000000191b0 R15: 00007ffddf4244d0 [ 103.768486][ C0] </TASK>