program: r0 = socket$kcm(0x29, 0x2, 0x0) r1 = socket$inet_smc(0x2b, 0x1, 0x0) setsockopt$inet_tcp_TCP_REPAIR_QUEUE(r1, 0x6, 0x14, &(0x7f0000000000), 0x4) (async) r2 = syz_open_procfs(0x0, &(0x7f0000000280)='net/kcm\x00') sendmsg$L2TP_CMD_TUNNEL_MODIFY(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000080)=ANY=[@ANYBLOB="22c22b", @ANYRES16=0x0, @ANYBLOB="000028bd7000fedbdf2503000000"], 0x14}}, 0x0) (async) timer_create(0x0, &(0x7f00000000c0)={0x0, 0x21, 0x2, @thr={0x0, 0x0}}, &(0x7f0000000300)=0x0) (async) fcntl$lock(0xffffffffffffffff, 0x7, &(0x7f0000000040)={0x0, 0x0, 0x8000, 0x3ff}) (async) mprotect(&(0x7f0000000000/0xf000)=nil, 0xf000, 0x1) timer_settime(r3, 0x1, &(0x7f0000000040)={{0x77359400}}, 0x0) mmap(&(0x7f0000000000/0x200000)=nil, 0x200000, 0x300000b, 0x204031, 0xffffffffffffffff, 0xec776000) r4 = socket$inet6_tcp(0xa, 0x1, 0x0) close(r4) r5 = socket(0x2b, 0x1, 0x1) bind$inet6(r4, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) listen(r4, 0x5) (async) accept4$netrom(r5, 0x0, 0x0, 0x80800) (async) r6 = socket$inet_mptcp(0x2, 0x1, 0x106) connect$inet(r6, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) (async) read$FUSE(r2, &(0x7f00000019c0)={0x2020}, 0x2020) [ 87.521184][ T5306] Bluetooth: hci0: command tx timeout [ 87.787741][ T5326] [ 87.788942][ T5326] ====================================================== [ 87.791955][ T5326] WARNING: possible circular locking dependency detected [ 87.795003][ T5326] syzkaller #0 Not tainted [ 87.796929][ T5326] ------------------------------------------------------ [ 87.799984][ T5326] syz.0.0/5326 is trying to acquire lock: [ 87.802482][ T5326] ffff8880129816d8 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50 [ 87.807641][ T5326] [ 87.807641][ T5326] but task is already holding lock: [ 87.810923][ T5326] ffff888012980260 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560 [ 87.814943][ T5326] [ 87.814943][ T5326] which lock already depends on the new lock. [ 87.814943][ T5326] [ 87.819435][ T5326] [ 87.819435][ T5326] the existing dependency chain (in reverse order) is: [ 87.823426][ T5326] [ 87.823426][ T5326] -> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}: [ 87.826724][ T5326] lock_sock_nested+0x48/0x100 [ 87.829131][ T5326] smc_listen_out+0x109/0x3e0 [ 87.831382][ T5326] process_scheduled_works+0xaec/0x17a0 [ 87.833963][ T5326] worker_thread+0x89f/0xd90 [ 87.836075][ T5326] kthread+0x726/0x8b0 [ 87.837909][ T5326] ret_from_fork+0x51b/0xa40 [ 87.840198][ T5326] ret_from_fork_asm+0x1a/0x30 [ 87.842487][ T5326] [ 87.842487][ T5326] -> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}: [ 87.846930][ T5326] __lock_acquire+0x15a5/0x2cf0 [ 87.849275][ T5326] lock_acquire+0x106/0x330 [ 87.851393][ T5326] __flush_work+0x700/0xc50 [ 87.853603][ T5326] __cancel_work_sync+0xbe/0x110 [ 87.855968][ T5326] smc_clcsock_release+0x60/0xf0 [ 87.858379][ T5326] __smc_release+0x66b/0x7e0 [ 87.860551][ T5326] smc_close_non_accepted+0xd5/0x1f0 [ 87.863156][ T5326] smc_close_active+0xb67/0xf10 [ 87.865529][ T5326] __smc_release+0x8d/0x7e0 [ 87.868044][ T5326] smc_release+0x2ce/0x560 [ 87.870716][ T5326] sock_close+0xc3/0x240 [ 87.873340][ T5326] __fput+0x44f/0xa70 [ 87.875725][ T5326] task_work_run+0x1d9/0x270 [ 87.878451][ T5326] get_signal+0x11eb/0x1330 [ 87.880706][ T5326] arch_do_signal_or_restart+0xbc/0x830 [ 87.883417][ T5326] exit_to_user_mode_loop+0x86/0x480 [ 87.886024][ T5326] do_syscall_64+0x2b7/0xf80 [ 87.888325][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.891157][ T5326] [ 87.891157][ T5326] other info that might help us debug this: [ 87.891157][ T5326] [ 87.895631][ T5326] Possible unsafe locking scenario: [ 87.895631][ T5326] [ 87.898921][ T5326] CPU0 CPU1 [ 87.901298][ T5326] ---- ---- [ 87.903713][ T5326] lock(sk_lock-AF_SMC/1); [ 87.905815][ T5326] lock((work_completion)(&new_smc->smc_listen_work)); [ 87.909862][ T5326] lock(sk_lock-AF_SMC/1); [ 87.913012][ T5326] lock((work_completion)(&new_smc->smc_listen_work)); [ 87.915877][ T5326] [ 87.915877][ T5326] *** DEADLOCK *** [ 87.915877][ T5326] [ 87.919283][ T5326] 3 locks held by syz.0.0/5326: [ 87.921387][ T5326] #0: ffff888023165ec8 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: sock_close+0x9b/0x240 [ 87.925909][ T5326] #1: ffff888012980260 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560 [ 87.930554][ T5326] #2: ffffffff8e35a360 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50 [ 87.934872][ T5326] [ 87.934872][ T5326] stack backtrace: [ 87.937532][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 87.937546][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.937553][ T5326] Call Trace: [ 87.937561][ T5326] [ 87.937583][ T5326] dump_stack_lvl+0xe8/0x150 [ 87.937610][ T5326] print_circular_bug+0x2e1/0x300 [ 87.937627][ T5326] check_noncircular+0x12e/0x150 [ 87.937641][ T5326] __lock_acquire+0x15a5/0x2cf0 [ 87.937654][ T5326] ? do_raw_spin_lock+0x12b/0x2f0 [ 87.937682][ T5326] ? __flush_work+0x100/0xc50 [ 87.937695][ T5326] lock_acquire+0x106/0x330 [ 87.937705][ T5326] ? __flush_work+0x100/0xc50 [ 87.937718][ T5326] ? __flush_work+0x100/0xc50 [ 87.937730][ T5326] __flush_work+0x700/0xc50 [ 87.937741][ T5326] ? __flush_work+0x100/0xc50 [ 87.937753][ T5326] ? __flush_work+0x100/0xc50 [ 87.937765][ T5326] ? __pfx___flush_work+0x10/0x10 [ 87.937778][ T5326] ? __pfx_wq_barrier_func+0x10/0x10 [ 87.937792][ T5326] ? __cancel_work_sync+0x5c/0x110 [ 87.937805][ T5326] __cancel_work_sync+0xbe/0x110 [ 87.937819][ T5326] smc_clcsock_release+0x60/0xf0 [ 87.937837][ T5326] __smc_release+0x66b/0x7e0 [ 87.937849][ T5326] ? __local_bh_enable_ip+0xd0/0x130 [ 87.937862][ T5326] smc_close_non_accepted+0xd5/0x1f0 [ 87.937874][ T5326] smc_close_active+0xb67/0xf10 [ 87.937888][ T5326] ? __pfx_sock_def_readable+0x10/0x10 [ 87.937901][ T5326] __smc_release+0x8d/0x7e0 [ 87.937911][ T5326] ? __local_bh_enable_ip+0xd0/0x130 [ 87.937923][ T5326] smc_release+0x2ce/0x560 [ 87.937935][ T5326] sock_close+0xc3/0x240 [ 87.937945][ T5326] ? __pfx_sock_close+0x10/0x10 [ 87.937954][ T5326] __fput+0x44f/0xa70 [ 87.937968][ T5326] task_work_run+0x1d9/0x270 [ 87.937983][ T5326] ? __pfx_task_work_run+0x10/0x10 [ 87.938000][ T5326] get_signal+0x11eb/0x1330 [ 87.938010][ T5326] ? __pfx___fput_deferred+0x10/0x10 [ 87.938024][ T5326] ? do_raw_spin_lock+0x12b/0x2f0 [ 87.938039][ T5326] arch_do_signal_or_restart+0xbc/0x830 [ 87.938055][ T5326] ? do_raw_spin_unlock+0x4d/0x210 [ 87.938069][ T5326] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 87.938087][ T5326] exit_to_user_mode_loop+0x86/0x480 [ 87.938100][ T5326] ? rcu_is_watching+0x15/0xb0 [ 87.938114][ T5326] do_syscall_64+0x2b7/0xf80 [ 87.938128][ T5326] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.938139][ T5326] ? clear_bhb_loop+0x60/0xb0 [ 87.938151][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.938161][ T5326] RIP: 0033:0x7ff333f9acb9 [ 87.938173][ T5326] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 87.938182][ T5326] RSP: 002b:00007ffcc673c128 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 87.938194][ T5326] RAX: 0000000000000000 RBX: 00007ff334217da0 RCX: 00007ff333f9acb9 [ 87.938198][ T5326] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 87.938203][ T5326] RBP: 00007ff334217da0 R08: 00007ff334216038 R09: 0000000000000000 [ 87.938207][ T5326] R10: 0000000000dffd1c R11: 0000000000000246 R12: 00000000000158f6 [ 87.938219][ T5326] R13: 00007ff33421609c R14: 0000000000015663 R15: 00007ff334216090 [ 87.938230][ T5326]