program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$packet(0x11, 0x3, 0x300)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00', 0x0})
sendmsg$nl_route(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x20, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_OIF={0x8, 0x5, r2}]}, 0x20}}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r0, &(0x7f0000004380)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000180)=@ipv6_newrule={0x24, 0x18, 0x409, 0x0, 0x0, {}, [@FIB_RULE_POLICY=@FRA_GOTO={0x8, 0x1e, 0x1}]}, 0x24}}, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r4}, 0x10)
r5 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r5)
r6 = socket(0x2b, 0x1, 0x1)
bind$inet6(r5, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
listen(r6, 0x5)
r7 = socket$inet_smc(0x2b, 0x1, 0x0)
connect$inet(r7, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10)
r8 = accept4$phonet_pipe(0xffffffffffffffff, &(0x7f0000000040), &(0x7f0000000280)=0x10, 0x80000)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f00000002c0)={'team0\x00'})
sendmsg$nl_route(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000001c0)=ANY=[@ANYBLOB="4800000010000104000000000000000000000000b0aa4e25946cafb2c8f95c10e4769301a67e3fc36f54340f78b5c5232a5ea695d01dff806fbdc8981a65dc201567518cac5122aa85512d1986e2057524754c8501214c49da17f02528ad2879d86a9b7fb76ba22cd31bfb41ee80dce4a248e72a02", @ANYRES32=0x0, @ANYBLOB="2b03000000000000280012800b00010067656e6576650000180002801400070000000000000000050000000000000001"], 0x48}}, 0x0)

[ 86.415428][ T4672] Bluetooth: hci0: command tx timeout
[ 86.660670][ T5330] netlink: 40 bytes leftover after parsing attributes in process `syz.0.0'.
[ 86.819634][ T5328]
[ 86.820771][ T5328] ======================================================
[ 86.823863][ T5328] WARNING: possible circular locking dependency detected
[ 86.826804][ T5328] syzkaller #0 Not tainted
[ 86.828742][ T5328] ------------------------------------------------------
[ 86.831731][ T5328] syz.0.0/5328 is trying to acquire lock:
[ 86.834166][ T5328] ffff888042880a68 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 86.839286][ T5328]
[ 86.839286][ T5328] but task is already holding lock:
[ 86.842452][ T5328] ffff888042880ee0 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560
[ 86.846332][ T5328]
[ 86.846332][ T5328] which lock already depends on the new lock.
[ 86.846332][ T5328]
[ 86.850837][ T5328]
[ 86.850837][ T5328] the existing dependency chain (in reverse order) is:
[ 86.854690][ T5328]
[ 86.854690][ T5328] -> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}:
[ 86.858022][ T5328]        lock_sock_nested+0x41/0x100
[ 86.860256][ T5328]        smc_listen_out+0x109/0x3e0
[ 86.862396][ T5328]        smc_listen_work+0x813/0x13f0
[ 86.864851][ T5328]        process_scheduled_works+0xb5d/0x1860
[ 86.867217][ T5328]        worker_thread+0xa53/0xfc0
[ 86.869426][ T5328]        kthread+0x388/0x470
[ 86.871449][ T5328]        ret_from_fork+0x514/0xb70
[ 86.873729][ T5328]        ret_from_fork_asm+0x1a/0x30
[ 86.876146][ T5328]
[ 86.876146][ T5328] -> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}:
[ 86.880427][ T5328]        __lock_acquire+0x15a5/0x2cf0
[ 86.882749][ T5328]        lock_acquire+0x106/0x350
[ 86.884972][ T5328]        __flush_work+0x700/0xc50
[ 86.887148][ T5328]        __cancel_work_sync+0xbe/0x110
[ 86.889498][ T5328]        smc_clcsock_release+0x60/0xf0
[ 86.891754][ T5328]        __smc_release+0x66b/0x7e0
[ 86.893801][ T5328]        smc_close_non_accepted+0xd5/0x1f0
[ 86.896930][ T5328]        smc_close_active+0xb67/0xf10
[ 86.899749][ T5328]        __smc_release+0x8d/0x7e0
[ 86.901935][ T5328]        smc_release+0x2ce/0x560
[ 86.904123][ T5328]        sock_close+0xc3/0x240
[ 86.906286][ T5328]        __fput+0x44f/0xa60
[ 86.908285][ T5328]        task_work_run+0x1d9/0x270
[ 86.910328][ T5328]        exit_to_user_mode_loop+0xed/0x480
[ 86.912655][ T5328]        do_syscall_64+0x33e/0xf80
[ 86.914814][ T5328]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.917680][ T5328]
[ 86.917680][ T5328] other info that might help us debug this:
[ 86.917680][ T5328]
[ 86.922095][ T5328] Possible unsafe locking scenario:
[ 86.922095][ T5328]
[ 86.925422][ T5328]        CPU0                    CPU1
[ 86.927676][ T5328]        ----                    ----
[ 86.930046][ T5328]   lock(sk_lock-AF_SMC/1);
[ 86.932115][ T5328]                                lock((work_completion)(&new_smc->smc_listen_work));
[ 86.936273][ T5328]                                lock(sk_lock-AF_SMC/1);
[ 86.939249][ T5328]   lock((work_completion)(&new_smc->smc_listen_work));
[ 86.942196][ T5328]
[ 86.942196][ T5328]  *** DEADLOCK ***
[ 86.942196][ T5328]
[ 86.945474][ T5328] 3 locks held by syz.0.0/5328:
[ 86.947458][ T5328]  #0: ffff8880476e6640 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: sock_close+0x9b/0x240
[ 86.951429][ T5328]  #1: ffff888042880ee0 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560
[ 86.955154][ T5328]  #2: ffffffff8e95cce0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[ 86.959036][ T5328]
[ 86.959036][ T5328] stack backtrace:
[ 86.961625][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 86.961642][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.961649][ T5328] Call Trace:
[ 86.961656][ T5328]
[ 86.961661][ T5328]  dump_stack_lvl+0xe8/0x150
[ 86.961682][ T5328]  print_circular_bug+0x2e1/0x300
[ 86.961695][ T5328]  check_noncircular+0x12e/0x150
[ 86.961709][ T5328]  __lock_acquire+0x15a5/0x2cf0
[ 86.961727][ T5328]  ? __pfx___schedule+0x10/0x10
[ 86.961739][ T5328]  ? irqentry_exit+0x218/0x730
[ 86.961751][ T5328]  ? trace_irq_disable+0x3b/0x140
[ 86.961765][ T5328]  ? __flush_work+0x100/0xc50
[ 86.961775][ T5328]  lock_acquire+0x106/0x350
[ 86.961790][ T5328]  ? __flush_work+0x100/0xc50
[ 86.961801][ T5328]  ? preempt_schedule_thunk+0x16/0x30
[ 86.961838][ T5328]  ? __flush_work+0x100/0xc50
[ 86.961844][ T5328]  __flush_work+0x700/0xc50
[ 86.961850][ T5328]  ? __flush_work+0x100/0xc50
[ 86.961857][ T5328]  ? __flush_work+0x100/0xc50
[ 86.961866][ T5328]  ? __pfx___flush_work+0x10/0x10
[ 86.961875][ T5328]  ? __pfx_wq_barrier_func+0x10/0x10
[ 86.961894][ T5328]  ? __cancel_work_sync+0x5c/0x110
[ 86.961905][ T5328]  __cancel_work_sync+0xbe/0x110
[ 86.961916][ T5328]  smc_clcsock_release+0x60/0xf0
[ 86.961930][ T5328]  __smc_release+0x66b/0x7e0
[ 86.961940][ T5328]  ? __local_bh_enable_ip+0xd0/0x130
[ 86.961956][ T5328]  smc_close_non_accepted+0xd5/0x1f0
[ 86.961968][ T5328]  smc_close_active+0xb67/0xf10
[ 86.961981][ T5328]  ? __pfx_sock_def_readable+0x10/0x10
[ 86.961995][ T5328]  __smc_release+0x8d/0x7e0
[ 86.962004][ T5328]  ? __local_bh_enable_ip+0xd0/0x130
[ 86.962019][ T5328]  smc_release+0x2ce/0x560
[ 86.962026][ T5328]  sock_close+0xc3/0x240
[ 86.962034][ T5328]  ? __pfx_sock_close+0x10/0x10
[ 86.962041][ T5328]  __fput+0x44f/0xa60
[ 86.962051][ T5328]  task_work_run+0x1d9/0x270
[ 86.962062][ T5328]  ? __pfx_task_work_run+0x10/0x10
[ 86.962073][ T5328]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.962085][ T5328]  exit_to_user_mode_loop+0xed/0x480
[ 86.962100][ T5328]  ? rcu_is_watching+0x15/0xb0
[ 86.962111][ T5328]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.962121][ T5328]  do_syscall_64+0x33e/0xf80
[ 86.962135][ T5328]  ? clear_bhb_loop+0x40/0x90
[ 86.962147][ T5328]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.962158][ T5328] RIP: 0033:0x7fb859f9c819
[ 86.962169][ T5328] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 86.962178][ T5328] RSP: 002b:00007ffd4824b688 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 86.962191][ T5328] RAX: 0000000000000000 RBX: 00007fb85a217da0 RCX: 00007fb859f9c819
[ 86.962198][ T5328] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 86.962204][ T5328] RBP: 00007fb85a217da0 R08: 0000000000000006 R09: 0000000000000000
[ 86.962210][ T5328] R10: 0000000000deb304 R11: 0000000000000246 R12: 0000000000015477
[ 86.962216][ T5328] R13: 00007fb85a21609c R14: 000000000001521a R15: 00007ffd4824b790
[ 86.962227][ T5328]