program:
r0 = socket$inet(0x2b, 0x1, 0x0)
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
r2 = socket$nl_rdma(0x10, 0x3, 0x14)
sendmsg$RDMA_NLDEV_CMD_NEWLINK(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)={0x10, 0x1414, 0x22b, 0x70bd2d, 0x2000000}, 0x10}, 0x1, 0x0, 0x0, 0x4040}, 0x0)
close(r1)
socket(0x2b, 0x1, 0x1)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
listen(r1, 0x0)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x4e22, @loopback}, 0x10)

socket$inet(0x2b, 0x1, 0x0) (async)
socket$inet6_tcp(0xa, 0x1, 0x0) (async)
socket$nl_rdma(0x10, 0x3, 0x14) (async)
sendmsg$RDMA_NLDEV_CMD_NEWLINK(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000080)={0x10, 0x1414, 0x22b, 0x70bd2d, 0x2000000}, 0x10}, 0x1, 0x0, 0x0, 0x4040}, 0x0) (async)
close(r1) (async)
socket(0x2b, 0x1, 0x1) (async)
bind$inet6(r1, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty}, 0x1c) (async)
listen(r1, 0x0) (async)
connect$inet(r0, &(0x7f0000000000)={0x2, 0x4e22, @loopback}, 0x10) (async)

[ 75.286398][ T5312] Bluetooth: hci0: command tx timeout
[ 75.349610][ T5334]
[ 75.350648][ T5334] ======================================================
[ 75.353361][ T5334] WARNING: possible circular locking dependency detected
[ 75.356119][ T5334] syzkaller #0 Not tainted
[ 75.357933][ T5334] ------------------------------------------------------
[ 75.360856][ T5334] syz.0.0/5334 is trying to acquire lock:
[ 75.363238][ T5334] ffff88803e3c1678 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[ 75.367912][ T5334]
[ 75.367912][ T5334] but task is already holding lock:
[ 75.370861][ T5334] ffff88803e3c0258 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560
[ 75.374702][ T5334]
[ 75.374702][ T5334] which lock already depends on the new lock.
[ 75.374702][ T5334]
[ 75.378908][ T5334]
[ 75.378908][ T5334] the existing dependency chain (in reverse order) is:
[ 75.382550][ T5334]
[ 75.382550][ T5334] -> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}:
[ 75.385841][ T5334]        lock_acquire+0x120/0x360
[ 75.387939][ T5334]        lock_sock_nested+0x48/0x100
[ 75.390160][ T5334]        smc_listen_out+0x109/0x3e0
[ 75.392383][ T5334]        smc_listen_work+0x581/0xf50
[ 75.394662][ T5334]        process_scheduled_works+0xade/0x17b0
[ 75.397313][ T5334]        worker_thread+0x8a0/0xda0
[ 75.399483][ T5334]        kthread+0x711/0x8a0
[ 75.401409][ T5334]        ret_from_fork+0x436/0x7d0
[ 75.403661][ T5334]        ret_from_fork_asm+0x1a/0x30
[ 75.406052][ T5334]
[ 75.406052][ T5334] -> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}:
[ 75.410338][ T5334]        validate_chain+0xb9b/0x2140
[ 75.412660][ T5334]        __lock_acquire+0xab9/0xd20
[ 75.414993][ T5334]        lock_acquire+0x120/0x360
[ 75.417249][ T5334]        __flush_work+0x6b8/0xbc0
[ 75.419412][ T5334]        __cancel_work_sync+0xbe/0x110
[ 75.421722][ T5334]        smc_clcsock_release+0x60/0xf0
[ 75.423972][ T5334]        __smc_release+0x66b/0x7e0
[ 75.426160][ T5334]        smc_close_non_accepted+0xd5/0x1f0
[ 75.428658][ T5334]        smc_close_active+0xb68/0xf10
[ 75.430857][ T5334]        __smc_release+0x8d/0x7e0
[ 75.433065][ T5334]        smc_release+0x2ce/0x560
[ 75.435182][ T5334]        sock_close+0xc0/0x240
[ 75.437325][ T5334]        __fput+0x449/0xa70
[ 75.439398][ T5334]        fput_close_sync+0x119/0x200
[ 75.441692][ T5334]        __x64_sys_close+0x7f/0x110
[ 75.443930][ T5334]        do_syscall_64+0xfa/0x3b0
[ 75.446097][ T5334]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.448977][ T5334]
[ 75.448977][ T5334] other info that might help us debug this:
[ 75.448977][ T5334]
[ 75.453590][ T5334]  Possible unsafe locking scenario:
[ 75.453590][ T5334]
[ 75.456857][ T5334]        CPU0                    CPU1
[ 75.459061][ T5334]        ----                    ----
[ 75.461251][ T5334]   lock(sk_lock-AF_SMC/1);
[ 75.463155][ T5334]                                lock((work_completion)(&new_smc->smc_listen_work));
[ 75.466967][ T5334]                                lock(sk_lock-AF_SMC/1);
[ 75.469804][ T5334]   lock((work_completion)(&new_smc->smc_listen_work));
[ 75.472608][ T5334]
[ 75.472608][ T5334]  *** DEADLOCK ***
[ 75.472608][ T5334]
[ 75.475974][ T5334] 3 locks held by syz.0.0/5334:
[ 75.477921][ T5334]  #0: ffff8880431c4d88 (&sb->s_type->i_mutex_key#11){+.+.}-{4:4}, at: sock_close+0x9b/0x240
[ 75.481886][ T5334]  #1: ffff88803e3c0258 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560
[ 75.485976][ T5334]  #2: ffffffff8dd3a960 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[ 75.490040][ T5334]
[ 75.490040][ T5334] stack backtrace:
[ 75.492766][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.492779][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.492786][ T5334] Call Trace:
[ 75.492793][ T5334]
[ 75.492798][ T5334]  dump_stack_lvl+0x189/0x250
[ 75.492815][ T5334]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.492828][ T5334]  ? __pfx__printk+0x10/0x10
[ 75.492838][ T5334]  ? print_lock_name+0xde/0x100
[ 75.492852][ T5334]  print_circular_bug+0x2ee/0x310
[ 75.492866][ T5334]  check_noncircular+0x134/0x160
[ 75.492880][ T5334]  validate_chain+0xb9b/0x2140
[ 75.492891][ T5334]  ? do_raw_spin_lock+0x121/0x290
[ 75.492905][ T5334]  ? look_up_lock_class+0x74/0x170
[ 75.492916][ T5334]  ? register_lock_class+0x51/0x320
[ 75.492926][ T5334]  __lock_acquire+0xab9/0xd20
[ 75.492937][ T5334]  ? __flush_work+0xd2/0xbc0
[ 75.492948][ T5334]  lock_acquire+0x120/0x360
[ 75.492958][ T5334]  ? __flush_work+0xd2/0xbc0
[ 75.492970][ T5334]  ? _raw_spin_unlock_irq+0x23/0x50
[ 75.492985][ T5334]  ? __flush_work+0xd2/0xbc0
[ 75.492995][ T5334]  __flush_work+0x6b8/0xbc0
[ 75.493006][ T5334]  ? __flush_work+0xd2/0xbc0
[ 75.493016][ T5334]  ? __flush_work+0xd2/0xbc0
[ 75.493028][ T5334]  ? __pfx___flush_work+0x10/0x10
[ 75.493040][ T5334]  ? __pfx_wq_barrier_func+0x10/0x10
[ 75.493062][ T5334]  ? __pfx___cancel_work+0x10/0x10
[ 75.493073][ T5334]  ? __local_bh_enable_ip+0x12d/0x1c0
[ 75.493084][ T5334]  ? lockdep_hardirqs_on+0x9c/0x150
[ 75.493090][ T5334]  ? __local_bh_enable_ip+0x12d/0x1c0
[ 75.493097][ T5334]  __cancel_work_sync+0xbe/0x110
[ 75.493105][ T5334]  smc_clcsock_release+0x60/0xf0
[ 75.493114][ T5334]  __smc_release+0x66b/0x7e0
[ 75.493123][ T5334]  ? do_raw_spin_unlock+0x4d/0x240
[ 75.493132][ T5334]  smc_close_non_accepted+0xd5/0x1f0
[ 75.493142][ T5334]  smc_close_active+0xb68/0xf10
[ 75.493149][ T5334]  ? __pfx_sock_def_readable+0x10/0x10
[ 75.493158][ T5334]  __smc_release+0x8d/0x7e0
[ 75.493166][ T5334]  ? do_raw_spin_unlock+0x4d/0x240
[ 75.493175][ T5334]  smc_release+0x2ce/0x560
[ 75.493185][ T5334]  sock_close+0xc0/0x240
[ 75.493193][ T5334]  ? __pfx_sock_close+0x10/0x10
[ 75.493201][ T5334]  __fput+0x449/0xa70
[ 75.493211][ T5334]  fput_close_sync+0x119/0x200
[ 75.493220][ T5334]  ? __pfx_fput_close_sync+0x10/0x10
[ 75.493230][ T5334]  __x64_sys_close+0x7f/0x110
[ 75.493240][ T5334]  do_syscall_64+0xfa/0x3b0
[ 75.493246][ T5334]  ? lockdep_hardirqs_on+0x9c/0x150
[ 75.493252][ T5334]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.493258][ T5334]  ? clear_bhb_loop+0x60/0xb0
[ 75.493266][ T5334]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.493275][ T5334] RIP: 0033:0x7feeda78eec9
[ 75.493284][ T5334] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 75.493292][ T5334] RSP: 002b:00007feedb6c5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 75.493307][ T5334] RAX: ffffffffffffffda RBX: 00007feeda9e6090 RCX: 00007feeda78eec9
[ 75.493313][ T5334] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 75.493317][ T5334] RBP: 00007feeda811f91 R08: 0000000000000000 R09: 0000000000000000
[ 75.493321][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.493327][ T5334] R13: 00007feeda9e6128 R14: 00007feeda9e6090 R15: 00007ffd22378178
[ 75.493337][ T5334]