program: r0 = socket$nl_rdma(0x10, 0x3, 0x14) sendmsg$RDMA_NLDEV_CMD_GET_CHARDEV(r0, &(0x7f00000016c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="1c1000000f14010000000000000000000c00450072646d615f636d00"], 0x1c}}, 0x0) (async) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0xc008ae88, &(0x7f0000000040)=ANY=[@ANYBLOB="010000000000000096370040"]) (async) r1 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r1) (async) r2 = socket(0x2b, 0x1, 0x1) bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) listen(r1, 0x0) (async) r3 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r3, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) (async) r4 = syz_open_dev$evdev(&(0x7f0000000000), 0x0, 0x0) ioctl$EVIOCSCLOCKID(r4, 0x400445a0, &(0x7f0000000240)=0x1) (async) accept4$bt_l2cap(r2, 0x0, 0x0, 0x0) (async) close_range(r2, 0xffffffffffffffff, 0x0) (async) syz_80211_inject_frame(&(0x7f0000000240)=@device_b, &(0x7f0000000000)=ANY=[@ANYBLOB="80000000080211000001080211000000aa09b799c0d70000000000000000000064000110000602020202020201010b"], 0xb5) (async) perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xd2, 0x2, 0x0, 0x0, 0x0, 0x0, 0x90414, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x9a3, 0x2, @perf_config_ext={0xc1a0, 0x8}, 0x0, 0x0, 0xffffffff, 0x0, 0x6, 0x87c, 0x1, 0x0, 0x0, 0x0, 0x2}, 0x0, 0x4000000000, 0xffffffffffffffff, 0x0) madvise(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x11) (async) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000340), 0x2, 0x0) (async) r7 = syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x2) ioctl$VIDIOC_S_INPUT(r7, 0xc0045627, &(0x7f00000001c0)=0x2) (async) r8 = syz_open_dev$vim2m(&(0x7f0000000000), 0x7, 0x2) (async) r9 = syz_open_dev$vim2m(&(0x7f00000002c0), 0x2000000f5, 0x2) ioctl$vim2m_VIDIOC_S_CTRL(r9, 0xc008561c, &(0x7f0000000080)={0xf0f01f}) ioctl$vim2m_VIDIOC_S_FMT(r8, 0xc0d05605, &(0x7f00000002c0)={0x1, @sdr={0x12f1077e, 0x7}}) ioctl$TUNSETLINK(r6, 0x400454cd, 0x103) syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) write$RDMA_USER_CM_CMD_CREATE_ID(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x18, 0xfa00, {0x2, &(0x7f0000000280)={0xffffffffffffffff}, 0x2, 0x5}}, 0x20) write$RDMA_USER_CM_CMD_BIND_IP(0xffffffffffffffff, &(0x7f0000000300)={0x2, 0x28, 0xfa00, {0x0, {0xa, 0x4e22, 0x7, @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', 0xffffffff}, r10}}, 0x30) (async) ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000000c0)={'wlan1\x00'}) [ 67.853871][ T4662] Bluetooth: hci0: command tx timeout [ 67.935104][ T5315] [ 67.936194][ T5315] ====================================================== [ 67.939074][ T5315] WARNING: possible circular locking dependency detected [ 67.942023][ T5315] 6.15.0-rc4-syzkaller-00208-g00b827f0cffa #0 Not tainted [ 67.945046][ T5315] ------------------------------------------------------ [ 67.948055][ T5315] syz.0.0/5315 is trying to acquire lock: [ 67.950474][ T5315] ffff8880525614d8 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 67.955345][ T5315] [ 67.955345][ T5315] but task is already holding lock: [ 67.958397][ T5315] ffff888052560258 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x540 [ 67.962080][ T5315] [ 67.962080][ T5315] which lock already depends on the new lock. [ 67.962080][ T5315] [ 67.966320][ T5315] [ 67.966320][ T5315] the existing dependency chain (in reverse order) is: [ 67.970139][ T5315] [ 67.970139][ T5315] -> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}: [ 67.973459][ T5315] lock_acquire+0x120/0x360 [ 67.975514][ T5315] lock_sock_nested+0x48/0x100 [ 67.977787][ T5315] smc_listen_out+0x109/0x3e0 [ 67.979960][ T5315] process_scheduled_works+0xadb/0x17a0 [ 67.982378][ T5315] worker_thread+0x8a0/0xda0 [ 67.984413][ T5315] kthread+0x70e/0x8a0 [ 67.986304][ T5315] ret_from_fork+0x4b/0x80 [ 67.988414][ T5315] ret_from_fork_asm+0x1a/0x30 [ 67.990648][ T5315] [ 67.990648][ T5315] -> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}: [ 67.994882][ T5315] validate_chain+0xb9b/0x2140 [ 67.997048][ T5315] __lock_acquire+0xaac/0xd20 [ 67.999215][ T5315] lock_acquire+0x120/0x360 [ 68.001335][ T5315] __flush_work+0x6b8/0xbc0 [ 68.003506][ T5315] __cancel_work_sync+0xbe/0x110 [ 68.005687][ T5315] smc_clcsock_release+0x60/0xf0 [ 68.007941][ T5315] __smc_release+0x66b/0x7e0 [ 68.009906][ T5315] smc_close_non_accepted+0xd5/0x1f0 [ 68.012351][ T5315] smc_close_active+0xb68/0xf10 [ 68.014768][ T5315] __smc_release+0x8d/0x7e0 [ 68.016879][ T5315] smc_release+0x2ce/0x540 [ 68.018905][ T5315] sock_close+0xc0/0x240 [ 68.020998][ T5315] __fput+0x449/0xa70 [ 68.022997][ T5315] task_work_run+0x1d1/0x260 [ 68.025206][ T5315] get_signal+0x11c5/0x1310 [ 68.027370][ T5315] arch_do_signal_or_restart+0x95/0x780 [ 68.029953][ T5315] syscall_exit_to_user_mode+0x8b/0x120 [ 68.032534][ T5315] do_syscall_64+0x103/0x210 [ 68.034718][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.037464][ T5315] [ 68.037464][ T5315] other info that might help us debug this: [ 68.037464][ T5315] [ 68.041851][ T5315] Possible unsafe locking scenario: [ 68.041851][ T5315] [ 68.045069][ T5315] CPU0 CPU1 [ 68.047248][ T5315] ---- ---- [ 68.049463][ T5315] lock(sk_lock-AF_SMC/1); [ 68.051452][ T5315] lock((work_completion)(&new_smc->smc_listen_work)); [ 68.055391][ T5315] lock(sk_lock-AF_SMC/1); [ 68.058333][ T5315] lock((work_completion)(&new_smc->smc_listen_work)); [ 68.061248][ T5315] [ 68.061248][ T5315] *** DEADLOCK *** [ 68.061248][ T5315] [ 68.064770][ T5315] 3 locks held by syz.0.0/5315: [ 68.066914][ T5315] #0: ffff88801c17d408 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: sock_close+0x9b/0x240 [ 68.071327][ T5315] #1: ffff888052560258 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x540 [ 68.075291][ T5315] #2: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 68.079120][ T5315] [ 68.079120][ T5315] stack backtrace: [ 68.081613][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted 6.15.0-rc4-syzkaller-00208-g00b827f0cffa #0 PREEMPT(full) [ 68.081625][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.081631][ T5315] Call Trace: [ 68.081638][ T5315] [ 68.081643][ T5315] dump_stack_lvl+0x189/0x250 [ 68.081661][ T5315] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.081675][ T5315] ? __pfx__printk+0x10/0x10 [ 68.081685][ T5315] ? print_lock_name+0xde/0x100 [ 68.081700][ T5315] print_circular_bug+0x2ee/0x310 [ 68.081712][ T5315] check_noncircular+0x134/0x160 [ 68.081722][ T5315] validate_chain+0xb9b/0x2140 [ 68.081731][ T5315] ? do_raw_spin_lock+0x121/0x290 [ 68.081743][ T5315] ? look_up_lock_class+0x74/0x170 [ 68.081755][ T5315] ? register_lock_class+0x51/0x320 [ 68.081769][ T5315] __lock_acquire+0xaac/0xd20 [ 68.081782][ T5315] ? __flush_work+0xd2/0xbc0 [ 68.081792][ T5315] lock_acquire+0x120/0x360 [ 68.081804][ T5315] ? __flush_work+0xd2/0xbc0 [ 68.081814][ T5315] ? _raw_spin_unlock_irq+0x23/0x50 [ 68.081825][ T5315] ? __flush_work+0xd2/0xbc0 [ 68.081835][ T5315] __flush_work+0x6b8/0xbc0 [ 68.081844][ T5315] ? __flush_work+0xd2/0xbc0 [ 68.081854][ T5315] ? __flush_work+0xd2/0xbc0 [ 68.081863][ T5315] ? __pfx___flush_work+0x10/0x10 [ 68.081873][ T5315] ? __pfx_wq_barrier_func+0x10/0x10 [ 68.081889][ T5315] ? __pfx___cancel_work+0x10/0x10 [ 68.081897][ T5315] ? __local_bh_enable_ip+0x12d/0x1c0 [ 68.081912][ T5315] ? lockdep_hardirqs_on+0x9c/0x150 [ 68.081921][ T5315] ? __local_bh_enable_ip+0x12d/0x1c0 [ 68.081942][ T5315] __cancel_work_sync+0xbe/0x110 [ 68.081953][ T5315] smc_clcsock_release+0x60/0xf0 [ 68.081967][ T5315] __smc_release+0x66b/0x7e0 [ 68.081976][ T5315] ? do_raw_spin_unlock+0x4d/0x240 [ 68.081987][ T5315] smc_close_non_accepted+0xd5/0x1f0 [ 68.081998][ T5315] smc_close_active+0xb68/0xf10 [ 68.082010][ T5315] ? __pfx_sock_def_readable+0x10/0x10 [ 68.082025][ T5315] __smc_release+0x8d/0x7e0 [ 68.082033][ T5315] ? do_raw_spin_unlock+0x4d/0x240 [ 68.082044][ T5315] smc_release+0x2ce/0x540 [ 68.082053][ T5315] sock_close+0xc0/0x240 [ 68.082069][ T5315] ? __pfx_sock_close+0x10/0x10 [ 68.082081][ T5315] __fput+0x449/0xa70 [ 68.082097][ T5315] task_work_run+0x1d1/0x260 [ 68.082109][ T5315] ? __pfx_task_work_run+0x10/0x10 [ 68.082122][ T5315] get_signal+0x11c5/0x1310 [ 68.082137][ T5315] ? task_work_add+0x281/0x420 [ 68.082148][ T5315] ? __pfx_task_work_add+0x10/0x10 [ 68.082158][ T5315] ? __file_ref_put+0xd5/0x130 [ 68.082169][ T5315] ? __pfx___file_ref_put+0x10/0x10 [ 68.082180][ T5315] arch_do_signal_or_restart+0x95/0x780 [ 68.082190][ T5315] ? __fput_deferred+0x16f/0x1f0 [ 68.082203][ T5315] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 68.082211][ T5315] ? __sys_accept4+0x16e/0x1c0 [ 68.082222][ T5315] ? local_irq_enable_exit_to_user+0x5/0x10 [ 68.082237][ T5315] syscall_exit_to_user_mode+0x8b/0x120 [ 68.082248][ T5315] do_syscall_64+0x103/0x210 [ 68.082260][ T5315] ? clear_bhb_loop+0x45/0xa0 [ 68.082271][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.082281][ T5315] RIP: 0033:0x7fef6678e969 [ 68.082292][ T5315] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.082301][ T5315] RSP: 002b:00007fef6760a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000120 [ 68.082312][ T5315] RAX: fffffffffffffe00 RBX: 00007fef669b6160 RCX: 00007fef6678e969 [ 68.082319][ T5315] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 68.082324][ T5315] RBP: 00007fef66810ab1 R08: 0000000000000000 R09: 0000000000000000 [ 68.082330][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.082335][ T5315] R13: 0000000000000001 R14: 00007fef669b6160 R15: 00007ffcac737b38 [ 68.082344][ T5315]