program:
r0 = io_uring_setup(0x218a, &(0x7f0000000240)={0x0, 0x3ffffffc, 0x800, 0x4, 0x221})
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
r2 = socket$packet(0x11, 0x3, 0x300)
setsockopt$packet_int(r2, 0x107, 0xf, &(0x7f0000006ffc)=0x4000000000000200, 0xe50fb6c50bc849c9)
r3 = socket$nl_route(0x10, 0x3, 0x0)
r4 = socket(0x10, 0x803, 0x0)
sendmsg$nl_route_sched(r4, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000003c0)={0x0, 0x24}}, 0x0)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, <r5=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000180)=0x14)
sendmsg$nl_route_sched(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000940)=@newqdisc={0x78, 0x24, 0xe0b, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x4c, 0x2, [@TCA_TBF_RATE64={0xc, 0x4, 0x4e1e2563543d84f9}, @TCA_TBF_PBURST={0x8, 0x7, 0x1fc0}, @TCA_TBF_PARMS={0x28, 0x1, {{0x0, 0x0, 0x0, 0xffff}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x81}}, @TCA_TBF_PRATE64={0xc, 0x5, 0xcb59372f370e8465}]}}]}, 0x78}}, 0x4000080)
bind$packet(r2, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @remote}, 0x14)
sendto$inet6(r2, &(0x7f0000000800)="4103082c1116480401020200c52cf7c25975e005b02f000006892f000300897c6b118777faffffff3066090cb600c5471d130a66321a54e7df305fbe258161b6fd8f2428652265d94c6fdbaefc57376a57c2feffff188be9427c323ef024a37016d2a7f9ab6e7941a6fc4f95aa73c1dfff4941f6503b5bd8c91db22cd33795481c94085fa12cdc679ac2a5d7b5d99b93fb07acb0da680e78b74c74aae8d7690d5986a9af81622a0ac210bc7b5ca5fed11cb54d046642670041e846bb184ff5d39fe8516d2d2a8d84e6e7dfcb2b8a8023444db513a3d7a124b59f0a5cd36489dbbb75cce3145d0ea3c3aa21af7cbcbc7a7575db782e757ca543109f5ddcec4930aa91f4119ea3d1f56140cb86cfe0724b23904ef5d05c725ee23918a502b1afe09fb0757d", 0xfc13, 0x880, 0x0, 0xfffffffffffffef0)
r6 = socket$inet(0x2, 0x3, 0x6)
ioctl$sock_inet_SIOCSARP(r6, 0x8955, &(0x7f0000000000)={{0x2, 0x4e22, @private=0xa010101}, {0x1}, 0x4a, {0x2, 0x0, @broadcast}})
close(r1)
socket(0x2b, 0x1, 0x1)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
listen(r1, 0x0)
r7 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r7, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10)
close_range(r0, 0xffffffffffffffff, 0x0)
io_uring_setup(0x218a, &(0x7f0000000240)={0x0, 0x3ffffffc, 0x800, 0x4, 0x221}) (async)
socket$inet6_tcp(0xa, 0x1, 0x0) (async)
socket$packet(0x11, 0x3, 0x300) (async)
setsockopt$packet_int(r2, 0x107, 0xf, &(0x7f0000006ffc)=0x4000000000000200, 0xe50fb6c50bc849c9) (async)
socket$nl_route(0x10, 0x3, 0x0) (async)
socket(0x10, 0x803, 0x0) (async)
sendmsg$nl_route_sched(r4, &(0x7f00000004c0)={0x0, 0x0, &(0x7f00000003c0)={0x0, 0x24}}, 0x0) (async)
getsockname$packet(r4, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000180)=0x14) (async)
sendmsg$nl_route_sched(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000940)=@newqdisc={0x78, 0x24, 0xe0b, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {0xffff, 0xffff}, {0xffe0}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x4c, 0x2, [@TCA_TBF_RATE64={0xc, 0x4, 0x4e1e2563543d84f9}, @TCA_TBF_PBURST={0x8, 0x7, 0x1fc0}, @TCA_TBF_PARMS={0x28, 0x1, {{0x0, 0x0, 0x0, 0xffff}, {0x0, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x81}}, @TCA_TBF_PRATE64={0xc, 0x5, 0xcb59372f370e8465}]}}]}, 0x78}}, 0x4000080) (async)
bind$packet(r2, &(0x7f0000000040)={0x11, 0x0, r5, 0x1, 0x0, 0x6, @remote}, 0x14) (async)
sendto$inet6(r2, &(0x7f0000000800)="4103082c1116480401020200c52cf7c25975e005b02f000006892f000300897c6b118777faffffff3066090cb600c5471d130a66321a54e7df305fbe258161b6fd8f2428652265d94c6fdbaefc57376a57c2feffff188be9427c323ef024a37016d2a7f9ab6e7941a6fc4f95aa73c1dfff4941f6503b5bd8c91db22cd33795481c94085fa12cdc679ac2a5d7b5d99b93fb07acb0da680e78b74c74aae8d7690d5986a9af81622a0ac210bc7b5ca5fed11cb54d046642670041e846bb184ff5d39fe8516d2d2a8d84e6e7dfcb2b8a8023444db513a3d7a124b59f0a5cd36489dbbb75cce3145d0ea3c3aa21af7cbcbc7a7575db782e757ca543109f5ddcec4930aa91f4119ea3d1f56140cb86cfe0724b23904ef5d05c725ee23918a502b1afe09fb0757d", 0xfc13, 0x880, 0x0, 0xfffffffffffffef0) (async)
socket$inet(0x2, 0x3, 0x6) (async)
ioctl$sock_inet_SIOCSARP(r6, 0x8955, &(0x7f0000000000)={{0x2, 0x4e22, @private=0xa010101}, {0x1}, 0x4a, {0x2, 0x0, @broadcast}}) (async)
close(r1) (async)
socket(0x2b, 0x1, 0x1) (async)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) (async)
listen(r1, 0x0) (async)
socket$inet_mptcp(0x2, 0x1, 0x106) (async)
connect$inet(r7, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10) (async)
close_range(r0, 0xffffffffffffffff, 0x0) (async)

[   74.568287][ T5302] Bluetooth: hci0: command tx timeout
[   74.776203][ T5323] 
[   74.777528][ T5323] ======================================================
[   74.781915][ T5323] WARNING: possible circular locking dependency detected
[   74.796549][ T5323] 6.16.0-rc3-syzkaller-00044-g7595b66ae9de #0 Not tainted
[   74.801665][ T5323] ------------------------------------------------------
[   74.811105][ T5323] syz.0.0/5323 is trying to acquire lock:
[   74.816465][ T5323] ffff8880530394d8 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   74.832531][ T5323] 
[   74.832531][ T5323] but task is already holding lock:
[   74.846460][ T5323] ffff888053038258 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x540
[   74.850928][ T5323] 
[   74.850928][ T5323] which lock already depends on the new lock.
[   74.850928][ T5323] 
[   74.869902][ T5323] 
[   74.869902][ T5323] the existing dependency chain (in reverse order) is:
[   74.876639][ T5323] 
[   74.876639][ T5323] -> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}:
[   74.886084][ T5323]        lock_acquire+0x120/0x360
[   74.890374][ T5323]        lock_sock_nested+0x48/0x100
[   74.894173][ T5323]        smc_listen_out+0x109/0x3e0
[   74.897284][ T5323]        process_scheduled_works+0xae1/0x17b0
[   74.899860][ T5323]        worker_thread+0x8a0/0xda0
[   74.902021][ T5323]        kthread+0x70e/0x8a0
[   74.903979][ T5323]        ret_from_fork+0x3fc/0x770
[   74.906090][ T5323]        ret_from_fork_asm+0x1a/0x30
[   74.908681][ T5323] 
[   74.908681][ T5323] -> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}:
[   74.917869][ T5323]        validate_chain+0xb9b/0x2140
[   74.920219][ T5323]        __lock_acquire+0xab9/0xd20
[   74.922551][ T5323]        lock_acquire+0x120/0x360
[   74.924887][ T5323]        __flush_work+0x6b8/0xbc0
[   74.928637][ T5323]        __cancel_work_sync+0xbe/0x110
[   74.936045][ T5323]        smc_clcsock_release+0x60/0xf0
[   74.939625][ T5323]        __smc_release+0x66b/0x7e0
[   74.943696][ T5323]        smc_close_non_accepted+0xd5/0x1f0
[   74.956268][ T5323]        smc_close_active+0xb68/0xf10
[   74.958633][ T5323]        __smc_release+0x8d/0x7e0
[   74.960675][ T5323]        smc_release+0x2ce/0x540
[   74.962953][ T5323]        sock_close+0xc0/0x240
[   74.967301][ T5323]        __fput+0x449/0xa70
[   74.971332][ T5323]        task_work_run+0x1d1/0x260
[   74.976980][ T5323]        exit_to_user_mode_loop+0xec/0x110
[   74.983153][ T5323]        do_syscall_64+0x2bd/0x3b0
[   74.988091][ T5323]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.992451][ T5323] 
[   74.992451][ T5323] other info that might help us debug this:
[   74.992451][ T5323] 
[   75.003460][ T5323]  Possible unsafe locking scenario:
[   75.003460][ T5323] 
[   75.011551][ T5323]        CPU0                    CPU1
[   75.026104][ T5323]        ----                    ----
[   75.028311][ T5323]   lock(sk_lock-AF_SMC/1);
[   75.030223][ T5323]                                lock((work_completion)(&new_smc->smc_listen_work));
[   75.034029][ T5323]                                lock(sk_lock-AF_SMC/1);
[   75.038564][ T5323]   lock((work_completion)(&new_smc->smc_listen_work));
[   75.042540][ T5323] 
[   75.042540][ T5323]  *** DEADLOCK ***
[   75.042540][ T5323] 
[   75.050686][ T5323] 3 locks held by syz.0.0/5323:
[   75.054631][ T5323]  #0: ffff888043a85408 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: sock_close+0x9b/0x240
[   75.058833][ T5323]  #1: ffff888053038258 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x540
[   75.065564][ T5323]  #2: ffffffff8e13ee60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   75.071173][ T5323] 
[   75.071173][ T5323] stack backtrace:
[   75.077791][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00044-g7595b66ae9de #0 PREEMPT(full) 
[   75.077855][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.077863][ T5323] Call Trace:
[   75.077871][ T5323]  <TASK>
[   75.077920][ T5323]  dump_stack_lvl+0x189/0x250
[   75.078039][ T5323]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.078538][ T5323]  ? __pfx__printk+0x10/0x10
[   75.078549][ T5323]  ? print_lock_name+0xde/0x100
[   75.078558][ T5323]  print_circular_bug+0x2ee/0x310
[   75.078570][ T5323]  check_noncircular+0x134/0x160
[   75.078580][ T5323]  validate_chain+0xb9b/0x2140
[   75.078588][ T5323]  ? do_raw_spin_lock+0x121/0x290
[   75.078600][ T5323]  ? look_up_lock_class+0x74/0x170
[   75.078615][ T5323]  ? register_lock_class+0x51/0x320
[   75.078630][ T5323]  __lock_acquire+0xab9/0xd20
[   75.078645][ T5323]  ? __flush_work+0xd2/0xbc0
[   75.078655][ T5323]  lock_acquire+0x120/0x360
[   75.078667][ T5323]  ? __flush_work+0xd2/0xbc0
[   75.078678][ T5323]  ? _raw_spin_unlock_irq+0x23/0x50
[   75.078693][ T5323]  ? __flush_work+0xd2/0xbc0
[   75.078702][ T5323]  __flush_work+0x6b8/0xbc0
[   75.078712][ T5323]  ? __flush_work+0xd2/0xbc0
[   75.078747][ T5323]  ? __flush_work+0xd2/0xbc0
[   75.078757][ T5323]  ? __pfx___flush_work+0x10/0x10
[   75.078768][ T5323]  ? __pfx_wq_barrier_func+0x10/0x10
[   75.078826][ T5323]  ? __pfx___cancel_work+0x10/0x10
[   75.078836][ T5323]  ? __local_bh_enable_ip+0x12d/0x1c0
[   75.078851][ T5323]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.078865][ T5323]  ? __local_bh_enable_ip+0x12d/0x1c0
[   75.078879][ T5323]  __cancel_work_sync+0xbe/0x110
[   75.078890][ T5323]  smc_clcsock_release+0x60/0xf0
[   75.078902][ T5323]  __smc_release+0x66b/0x7e0
[   75.078915][ T5323]  ? do_raw_spin_unlock+0x4d/0x240
[   75.078927][ T5323]  smc_close_non_accepted+0xd5/0x1f0
[   75.078939][ T5323]  smc_close_active+0xb68/0xf10
[   75.078949][ T5323]  ? __pfx_sock_def_readable+0x10/0x10
[   75.078965][ T5323]  __smc_release+0x8d/0x7e0
[   75.078975][ T5323]  ? do_raw_spin_unlock+0x4d/0x240
[   75.078987][ T5323]  smc_release+0x2ce/0x540
[   75.079001][ T5323]  sock_close+0xc0/0x240
[   75.079012][ T5323]  ? __pfx_sock_close+0x10/0x10
[   75.079024][ T5323]  __fput+0x449/0xa70
[   75.079039][ T5323]  task_work_run+0x1d1/0x260
[   75.079052][ T5323]  ? __pfx_task_work_run+0x10/0x10
[   75.079064][ T5323]  ? exit_to_user_mode_loop+0x40/0x110
[   75.079079][ T5323]  exit_to_user_mode_loop+0xec/0x110
[   75.079093][ T5323]  do_syscall_64+0x2bd/0x3b0
[   75.079101][ T5323]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.079114][ T5323]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.079124][ T5323]  ? clear_bhb_loop+0x60/0xb0
[   75.079135][ T5323]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.079146][ T5323] RIP: 0033:0x7febc338e929
[   75.079157][ T5323] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   75.079165][ T5323] RSP: 002b:00007febc4270038 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   75.079178][ T5323] RAX: 0000000000000000 RBX: 00007febc35b5fa0 RCX: 00007febc338e929
[   75.079185][ T5323] RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000003
[   75.079199][ T5323] RBP: 00007febc3410b39 R08: 0000000000000000 R09: 0000000000000000
[   75.079205][ T5323] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   75.079211][ T5323] R13: 0000000000000000 R14: 00007febc35b5fa0 R15: 00007ffe3d04e1d8
[   75.079221][ T5323]  </TASK>