program:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r0)
r1 = socket(0x2b, 0x1, 0x1)
bind$inet6(r0, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
listen(r1, 0x5)
r2 = socket$inet_smc(0x2b, 0x1, 0x0)
connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10)
setsockopt$packet_int(0xffffffffffffffff, 0x107, 0xf, &(0x7f0000000100)=0x207, 0x4)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'ip6tnl0\x00'})
setsockopt$inet_int(r2, 0x0, 0x2, &(0x7f00000000c0)=0x2, 0x4)

[ 101.797926][ T5293] Bluetooth: hci0: command tx timeout
[ 101.912431][ T5329]
[ 101.913585][ T5329] ======================================================
[ 101.916504][ T5329] WARNING: possible circular locking dependency detected
[ 101.919631][ T5329] syzkaller #0 Not tainted
[ 101.921790][ T5329] ------------------------------------------------------
[ 101.925115][ T5329] syz.0.0/5329 is trying to acquire lock:
[ 101.927512][ T5329] ffff88803f828a68 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0x101/0xca0
[ 101.932470][ T5329]
[ 101.932470][ T5329] but task is already holding lock:
[ 101.936021][ T5329] ffff88803f828ee0 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x24d/0x550
[ 101.940251][ T5329]
[ 101.940251][ T5329] which lock already depends on the new lock.
[ 101.940251][ T5329]
[ 101.944420][ T5329]
[ 101.944420][ T5329] the existing dependency chain (in reverse order) is:
[ 101.948027][ T5329]
[ 101.948027][ T5329] -> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}:
[ 101.951998][ T5329]        lock_sock_nested+0x41/0x100
[ 101.954421][ T5329]        smc_listen_out+0x105/0x3c0
[ 101.956543][ T5329]        smc_listen_work+0x81d/0x1410
[ 101.958919][ T5329]        process_scheduled_works+0xa8e/0x14e0
[ 101.961490][ T5329]        worker_thread+0xa47/0xfb0
[ 101.963628][ T5329]        kthread+0x388/0x470
[ 101.966119][ T5329]        ret_from_fork+0x514/0xb70
[ 101.969035][ T5329]        ret_from_fork_asm+0x1a/0x30
[ 101.971699][ T5329]
[ 101.971699][ T5329] -> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}:
[ 101.975883][ T5329]        __lock_acquire+0x1520/0x2cf0
[ 101.978207][ T5329]        lock_acquire+0x106/0x350
[ 101.980308][ T5329]        __flush_work+0x74c/0xca0
[ 101.982531][ T5329]        __cancel_work_sync+0xbe/0x110
[ 101.985122][ T5329]        smc_clcsock_release+0x60/0xf0
[ 101.987732][ T5329]        __smc_release+0x64e/0x7c0
[ 101.990017][ T5329]        smc_close_non_accepted+0xd5/0x1f0
[ 101.992575][ T5329]        smc_close_active+0xb42/0xf30
[ 101.994966][ T5329]        __smc_release+0x9c/0x7c0
[ 101.997391][ T5329]        smc_release+0x2c5/0x550
[ 102.000170][ T5329]        sock_close+0xad/0x220
[ 102.002461][ T5329]        __fput+0x418/0xa50
[ 102.004400][ T5329]        task_work_run+0x1d9/0x270
[ 102.006552][ T5329]        exit_to_user_mode_loop+0x1fa/0x730
[ 102.009244][ T5329]        do_syscall_64+0x353/0x580
[ 102.011752][ T5329]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.014730][ T5329]
[ 102.014730][ T5329] other info that might help us debug this:
[ 102.014730][ T5329]
[ 102.019025][ T5329]  Possible unsafe locking scenario:
[ 102.019025][ T5329]
[ 102.022566][ T5329]        CPU0                    CPU1
[ 102.025142][ T5329]        ----                    ----
[ 102.027603][ T5329]   lock(sk_lock-AF_SMC/1);
[ 102.029613][ T5329]                                lock((work_completion)(&new_smc->smc_listen_work));
[ 102.033647][ T5329]                                lock(sk_lock-AF_SMC/1);
[ 102.037199][ T5329]   lock((work_completion)(&new_smc->smc_listen_work));
[ 102.040559][ T5329]
[ 102.040559][ T5329]  *** DEADLOCK ***
[ 102.040559][ T5329]
[ 102.043913][ T5329] 3 locks held by syz.0.0/5329:
[ 102.045904][ T5329]  #0: ffff8880442b5f00 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: sock_close+0x82/0x220
[ 102.050599][ T5329]  #1: ffff88803f828ee0 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x24d/0x550
[ 102.055362][ T5329]  #2: ffffffff8e959c20 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x101/0xca0
[ 102.059127][ T5329]
[ 102.059127][ T5329] stack backtrace:
[ 102.061728][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 102.061745][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 102.061752][ T5329] Call Trace:
[ 102.061761][ T5329]
[ 102.061767][ T5329]  dump_stack_lvl+0xe8/0x150
[ 102.061785][ T5329]  print_circular_bug+0x2e1/0x300
[ 102.061808][ T5329]  check_noncircular+0x12e/0x150
[ 102.061820][ T5329]  __lock_acquire+0x1520/0x2cf0
[ 102.061835][ T5329]  ? do_raw_spin_unlock+0x4d/0x210
[ 102.061850][ T5329]  ? __flush_work+0x101/0xca0
[ 102.061859][ T5329]  lock_acquire+0x106/0x350
[ 102.061870][ T5329]  ? __flush_work+0x101/0xca0
[ 102.061881][ T5329]  ? __flush_work+0x101/0xca0
[ 102.061888][ T5329]  __flush_work+0x74c/0xca0
[ 102.061894][ T5329]  ? __flush_work+0x101/0xca0
[ 102.061902][ T5329]  ? __flush_work+0x101/0xca0
[ 102.061910][ T5329]  ? __pfx___flush_work+0x10/0x10
[ 102.061919][ T5329]  ? __pfx_wq_barrier_func+0x10/0x10
[ 102.061938][ T5329]  ? __cancel_work_sync+0x5c/0x110
[ 102.061949][ T5329]  __cancel_work_sync+0xbe/0x110
[ 102.061959][ T5329]  smc_clcsock_release+0x60/0xf0
[ 102.061973][ T5329]  __smc_release+0x64e/0x7c0
[ 102.061989][ T5329]  smc_close_non_accepted+0xd5/0x1f0
[ 102.061999][ T5329]  smc_close_active+0xb42/0xf30
[ 102.062010][ T5329]  ? __pfx_sock_def_readable+0x10/0x10
[ 102.062026][ T5329]  __smc_release+0x9c/0x7c0
[ 102.062039][ T5329]  ? __local_bh_enable_ip+0xd0/0x130
[ 102.062055][ T5329]  smc_release+0x2c5/0x550
[ 102.062069][ T5329]  sock_close+0xad/0x220
[ 102.062083][ T5329]  ? __pfx_sock_close+0x10/0x10
[ 102.062095][ T5329]  __fput+0x418/0xa50
[ 102.062113][ T5329]  task_work_run+0x1d9/0x270
[ 102.062127][ T5329]  ? __pfx_task_work_run+0x10/0x10
[ 102.062139][ T5329]  exit_to_user_mode_loop+0x1fa/0x730
[ 102.062151][ T5329]  ? rcu_is_watching+0x15/0xb0
[ 102.062166][ T5329]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.062178][ T5329]  do_syscall_64+0x353/0x580
[ 102.062191][ T5329]  ? clear_bhb_loop+0x40/0x90
[ 102.062203][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.062215][ T5329] RIP: 0033:0x7fcca939ce59
[ 102.062229][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 102.062238][ T5329] RSP: 002b:00007ffff4a23ab8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 102.062253][ T5329] RAX: 0000000000000000 RBX: 00007ffff4a23ba0 RCX: 00007fcca939ce59
[ 102.062261][ T5329] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 102.062268][ T5329] RBP: 0000000000018d5a R08: 0000000000000001 R09: 0000000000000000
[ 102.062275][ T5329] R10: 00007fcca91ff03c R11: 0000000000000246 R12: 00007ffff4a23be0
[ 102.062282][ T5329] R13: 00007fcca9615fac R14: 0000000000018dc0 R15: 00007fcca9615fa0
[ 102.062295][ T5329]