====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Not tainted ------------------------------------------------------ kworker/u8:29/28801 is trying to acquire lock: ffff88805ee3d030 (&hsr->seqnr_lock){+.-.}-{3:3}, at: spin_lock_bh include/linux/spinlock.h:348 [inline] ffff88805ee3d030 (&hsr->seqnr_lock){+.-.}-{3:3}, at: hsr_dev_xmit+0x237/0x360 net/hsr/hsr_device.c:235 but task is already holding lock: ffff888055cd6558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline] ffff888055cd6558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: __netif_tx_lock include/linux/netdevice.h:4799 [inline] ffff888055cd6558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: sch_direct_xmit+0x15f/0x4c0 net/sched/sch_generic.c:370 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}: __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:158 spin_lock include/linux/spinlock.h:342 [inline] __netif_tx_lock include/linux/netdevice.h:4799 [inline] sch_direct_xmit+0x15f/0x4c0 net/sched/sch_generic.c:370 __dev_xmit_skb net/core/dev.c:4211 [inline] __dev_queue_xmit+0x180f/0x3950 net/core/dev.c:4833 dev_queue_xmit include/linux/netdevice.h:3436 [inline] hsr_xmit net/hsr/hsr_forward.c:440 [inline] hsr_forward_do net/hsr/hsr_forward.c:581 [inline] hsr_forward_skb+0x166e/0x2a70 net/hsr/hsr_forward.c:743 send_hsr_supervision_frame+0x731/0xcb0 net/hsr/hsr_device.c:364 hsr_announce+0x1db/0x370 net/hsr/hsr_device.c:421 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748 expire_timers kernel/time/timer.c:1799 [inline] __run_timers kernel/time/timer.c:2374 [inline] __run_timer_base+0x652/0x8b0 kernel/time/timer.c:2386 run_timer_base kernel/time/timer.c:2395 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2405 handle_softirqs+0x22a/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 zap_pte_range mm/memory.c:-1 [inline] zap_pmd_range mm/memory.c:2020 [inline] zap_pud_range mm/memory.c:2048 [inline] zap_p4d_range mm/memory.c:2069 [inline] __zap_vma_range+0xea6/0x4b70 mm/memory.c:2109 unmap_vmas+0x3ac/0x570 mm/memory.c:2178 exit_mmap+0x280/0x9e0 mm/mmap.c:1300 __mmput+0x118/0x430 kernel/fork.c:1178 exit_mm+0x1f6/0x2d0 kernel/exit.c:582 do_exit+0x6a2/0x22c0 kernel/exit.c:964 do_group_exit+0x21b/0x2d0 kernel/exit.c:1119 get_signal+0x1284/0x1330 kernel/signal.c:3037 arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop+0xa9/0x680 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline] do_syscall_64+0x353/0x580 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&hsr->seqnr_lock){+.-.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237 lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5868 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline] _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:182 spin_lock_bh include/linux/spinlock.h:348 [inline] hsr_dev_xmit+0x237/0x360 net/hsr/hsr_device.c:235 __netdev_start_xmit include/linux/netdevice.h:5387 [inline] netdev_start_xmit include/linux/netdevice.h:5396 [inline] xmit_one net/core/dev.c:3889 [inline] dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3905 __dev_queue_xmit+0x14d9/0x3950 net/core/dev.c:4872 neigh_output include/net/neighbour.h:560 [inline] ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:236 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip_output+0x29f/0x450 net/ipv4/ip_output.c:437 iptunnel_xmit+0x621/0xd10 net/ipv4/ip_tunnel_core.c:97 ip_tunnel_xmit+0x193a/0x1f20 net/ipv4/ip_tunnel.c:845 __gre_xmit+0x19e/0x240 net/ipv4/ip_gre.c:491 erspan_xmit+0xa41/0x14d0 net/ipv4/ip_gre.c:750 __netdev_start_xmit include/linux/netdevice.h:5387 [inline] netdev_start_xmit include/linux/netdevice.h:5396 [inline] xmit_one net/core/dev.c:3889 [inline] dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3905 sch_direct_xmit+0x251/0x4c0 net/sched/sch_generic.c:372 __dev_xmit_skb net/core/dev.c:4211 [inline] __dev_queue_xmit+0x180f/0x3950 net/core/dev.c:4833 dev_queue_xmit include/linux/netdevice.h:3436 [inline] alb_send_lp_vid+0x348/0x550 drivers/net/bonding/bond_alb.c:949 alb_send_learning_packets+0x12c/0x300 drivers/net/bonding/bond_alb.c:1012 bond_alb_monitor+0x3d5/0x17e0 drivers/net/bonding/bond_alb.c:1563 process_one_work kernel/workqueue.c:3314 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 kthread+0x389/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&qdisc_xmit_lock_key#3); lock(&hsr->seqnr_lock); lock(&qdisc_xmit_lock_key#3); lock(&hsr->seqnr_lock); *** DEADLOCK *** 10 locks held by kworker/u8:29/28801: #0: ffff888064c5e140 ((wq_completion)bond4#9){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3289 [inline] #0: ffff888064c5e140 ((wq_completion)bond4#9){+.+.}-{0:0}, at: process_scheduled_works+0xa35/0x1860 kernel/workqueue.c:3397 #1: ffffc9000ef67c40 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3290 [inline] #1: ffffc9000ef67c40 ((work_completion)(&(&bond->alb_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa70/0x1860 kernel/workqueue.c:3397 #2: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #2: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #2: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: bond_alb_monitor+0xf8/0x17e0 drivers/net/bonding/bond_alb.c:1546 #3: ffffffff8e95cc80 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline] #3: ffffffff8e95cc80 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:891 [inline] #3: ffffffff8e95cc80 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x2b6/0x3950 net/core/dev.c:4793 #4: ffff888030818228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: spin_trylock include/linux/spinlock.h:354 [inline] #4: ffff888030818228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: qdisc_run_begin include/net/sch_generic.h:205 [inline] #4: ffff888030818228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: __dev_xmit_skb net/core/dev.c:4198 [inline] #4: ffff888030818228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: __dev_queue_xmit+0x11a6/0x3950 net/core/dev.c:4833 #5: ffff888055cd6558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline] #5: ffff888055cd6558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: __netif_tx_lock include/linux/netdevice.h:4799 [inline] #5: ffff888055cd6558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: sch_direct_xmit+0x15f/0x4c0 net/sched/sch_generic.c:370 #6: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #6: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #6: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: ip_output+0x5b/0x450 net/ipv4/ip_output.c:432 #7: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #7: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #7: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: ip_finish_output2+0x3c2/0x1070 net/ipv4/ip_output.c:229 #8: ffffffff8e95cc80 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline] #8: ffffffff8e95cc80 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:891 [inline] #8: ffffffff8e95cc80 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x2b6/0x3950 net/core/dev.c:4793 #9: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #9: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #9: ffffffff8e95cc20 (rcu_read_lock){....}-{1:3}, at: hsr_dev_xmit+0x2d/0x360 net/hsr/hsr_device.c:229 stack backtrace: CPU: 0 UID: 0 PID: 28801 Comm: kworker/u8:29 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Workqueue: bond4 bond_alb_monitor Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043 check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237 lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5868 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline] _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:182 spin_lock_bh include/linux/spinlock.h:348 [inline] hsr_dev_xmit+0x237/0x360 net/hsr/hsr_device.c:235 __netdev_start_xmit include/linux/netdevice.h:5387 [inline] netdev_start_xmit include/linux/netdevice.h:5396 [inline] xmit_one net/core/dev.c:3889 [inline] dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3905 __dev_queue_xmit+0x14d9/0x3950 net/core/dev.c:4872 neigh_output include/net/neighbour.h:560 [inline] ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:236 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip_output+0x29f/0x450 net/ipv4/ip_output.c:437 iptunnel_xmit+0x621/0xd10 net/ipv4/ip_tunnel_core.c:97 ip_tunnel_xmit+0x193a/0x1f20 net/ipv4/ip_tunnel.c:845 __gre_xmit+0x19e/0x240 net/ipv4/ip_gre.c:491 erspan_xmit+0xa41/0x14d0 net/ipv4/ip_gre.c:750 __netdev_start_xmit include/linux/netdevice.h:5387 [inline] netdev_start_xmit include/linux/netdevice.h:5396 [inline] xmit_one net/core/dev.c:3889 [inline] dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3905 sch_direct_xmit+0x251/0x4c0 net/sched/sch_generic.c:372 __dev_xmit_skb net/core/dev.c:4211 [inline] __dev_queue_xmit+0x180f/0x3950 net/core/dev.c:4833 dev_queue_xmit include/linux/netdevice.h:3436 [inline] alb_send_lp_vid+0x348/0x550 drivers/net/bonding/bond_alb.c:949 alb_send_learning_packets+0x12c/0x300 drivers/net/bonding/bond_alb.c:1012 bond_alb_monitor+0x3d5/0x17e0 drivers/net/bonding/bond_alb.c:1563 process_one_work kernel/workqueue.c:3314 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478 kthread+0x389/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245