program:
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x80)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000007c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a05000000000000000000010000000900010073797a30000000002c000000030a01020000000000000000010000000900010073797a30000000000900030073797a310000000054000000060a010400000000000000000100000008000b40000000002c0004802800018008000100636d70001c000280080002400000000008000380040001000800014000edff020900010073797a3000000000140000001100010000000000000000000000000a"], 0xc8}}, 0x0)
r2 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r2)
r3 = socket(0x2b, 0x1, 0x1)
bind$inet6(r2, &(0x7f0000000080)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
listen(r3, 0x5)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000500)='./file0\x00', 0x0, &(0x7f0000000040), 0x1, 0x4b1, &(0x7f0000000a40)="$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")
r4 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0, 0x0)
ioctl$FS_IOC_FSSETXATTR(r4, 0x40086602, &(0x7f0000000140)={0x17e})
r5 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0, 0x0)
ioctl$FS_IOC_FSSETXATTR(r5, 0x40086602, &(0x7f0000000140)={0x17e})
r6 = socket$inet_smc(0x2b, 0x1, 0x0)
connect$inet(r6, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10)

[ 101.834284][ T4652] Bluetooth: hci0: command tx timeout
[ 102.034812][ T5330] loop0: detected capacity change from 0 to 512
[ 102.212976][ T5330] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[ 102.218478][ T5330] ext4 filesystem being mounted at /0/file0 supports timestamps until 2038-01-19 (0x7fffffff)
[ 102.280590][ T5329]
[ 102.281776][ T5329] ======================================================
[ 102.285118][ T5329] WARNING: possible circular locking dependency detected
[ 102.288198][ T5329] syzkaller #0 Not tainted
[ 102.289897][ T5329] ------------------------------------------------------
[ 102.292782][ T5329] syz.0.0/5329 is trying to acquire lock:
[ 102.295245][ T5329] ffff8880419a8a68 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 102.300546][ T5329]
[ 102.300546][ T5329] but task is already holding lock:
[ 102.304336][ T5329] ffff8880419a8ee0 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560
[ 102.308326][ T5329]
[ 102.308326][ T5329] which lock already depends on the new lock.
[ 102.308326][ T5329]
[ 102.312915][ T5329]
[ 102.312915][ T5329] the existing dependency chain (in reverse order) is:
[ 102.316806][ T5329]
[ 102.316806][ T5329] -> #1 (sk_lock-AF_SMC/1){+.+.}-{0:0}:
[ 102.319980][ T5329]        lock_sock_nested+0x41/0x100
[ 102.322351][ T5329]        smc_listen_out+0x109/0x3e0
[ 102.324762][ T5329]        smc_listen_work+0x813/0x13f0
[ 102.327140][ T5329]        process_scheduled_works+0xb5d/0x1860
[ 102.330003][ T5329]        worker_thread+0xa53/0xfc0
[ 102.332662][ T5329]        kthread+0x389/0x470
[ 102.334873][ T5329]        ret_from_fork+0x514/0xb70
[ 102.337188][ T5329]        ret_from_fork_asm+0x1a/0x30
[ 102.339443][ T5329]
[ 102.339443][ T5329] -> #0 ((work_completion)(&new_smc->smc_listen_work)){+.+.}-{0:0}:
[ 102.343726][ T5329]        __lock_acquire+0x15a5/0x2cf0
[ 102.346010][ T5329]        lock_acquire+0x106/0x350
[ 102.348219][ T5329]        __flush_work+0x700/0xc50
[ 102.350524][ T5329]        __cancel_work_sync+0xbe/0x110
[ 102.353094][ T5329]        smc_clcsock_release+0x60/0xf0
[ 102.355574][ T5329]        __smc_release+0x66b/0x7e0
[ 102.357804][ T5329]        smc_close_non_accepted+0xd5/0x1f0
[ 102.360616][ T5329]        smc_close_active+0xb67/0xf10
[ 102.363272][ T5329]        __smc_release+0x8d/0x7e0
[ 102.365800][ T5329]        smc_release+0x2ce/0x560
[ 102.368052][ T5329]        sock_close+0xc3/0x240
[ 102.370119][ T5329]        __fput+0x44f/0xa60
[ 102.372132][ T5329]        task_work_run+0x1d9/0x270
[ 102.374459][ T5329]        exit_to_user_mode_loop+0xf3/0x4d0
[ 102.376977][ T5329]        do_syscall_64+0x33e/0xf80
[ 102.379152][ T5329]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.381873][ T5329]
[ 102.381873][ T5329] other info that might help us debug this:
[ 102.381873][ T5329]
[ 102.386543][ T5329]  Possible unsafe locking scenario:
[ 102.386543][ T5329]
[ 102.389881][ T5329]        CPU0                    CPU1
[ 102.392316][ T5329]        ----                    ----
[ 102.394730][ T5329]   lock(sk_lock-AF_SMC/1);
[ 102.396758][ T5329]                                lock((work_completion)(&new_smc->smc_listen_work));
[ 102.400882][ T5329]                                lock(sk_lock-AF_SMC/1);
[ 102.403886][ T5329]   lock((work_completion)(&new_smc->smc_listen_work));
[ 102.406968][ T5329]
[ 102.406968][ T5329]  *** DEADLOCK ***
[ 102.406968][ T5329]
[ 102.410584][ T5329] 3 locks held by syz.0.0/5329:
[ 102.412696][ T5329]  #0: ffff888054819a40 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: sock_close+0x9b/0x240
[ 102.416990][ T5329]  #1: ffff8880419a8ee0 (sk_lock-AF_SMC/1){+.+.}-{0:0}, at: smc_release+0x255/0x560
[ 102.421108][ T5329]  #2: ffffffff8e95cca0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[ 102.425393][ T5329]
[ 102.425393][ T5329] stack backtrace:
[ 102.428575][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 102.428596][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 102.428605][ T5329] Call Trace:
[ 102.428614][ T5329]
[ 102.428621][ T5329]  dump_stack_lvl+0xe8/0x150
[ 102.428641][ T5329]  print_circular_bug+0x2e1/0x300
[ 102.428661][ T5329]  check_noncircular+0x12e/0x150
[ 102.428680][ T5329]  __lock_acquire+0x15a5/0x2cf0
[ 102.428696][ T5329]  ? do_raw_spin_lock+0x12b/0x2f0
[ 102.428717][ T5329]  ? __flush_work+0x100/0xc50
[ 102.428732][ T5329]  lock_acquire+0x106/0x350
[ 102.428745][ T5329]  ? __flush_work+0x100/0xc50
[ 102.428763][ T5329]  ? __flush_work+0x100/0xc50
[ 102.428778][ T5329]  __flush_work+0x700/0xc50
[ 102.428792][ T5329]  ? __flush_work+0x100/0xc50
[ 102.428806][ T5329]  ? __flush_work+0x100/0xc50
[ 102.428821][ T5329]  ? __pfx___flush_work+0x10/0x10
[ 102.428836][ T5329]  ? __pfx_wq_barrier_func+0x10/0x10
[ 102.428854][ T5329]  ? __cancel_work_sync+0x5c/0x110
[ 102.428871][ T5329]  __cancel_work_sync+0xbe/0x110
[ 102.428886][ T5329]  smc_clcsock_release+0x60/0xf0
[ 102.428901][ T5329]  __smc_release+0x66b/0x7e0
[ 102.428918][ T5329]  ? __local_bh_enable_ip+0xd0/0x130
[ 102.428933][ T5329]  smc_close_non_accepted+0xd5/0x1f0
[ 102.428952][ T5329]  smc_close_active+0xb67/0xf10
[ 102.428965][ T5329]  ? __pfx_sock_def_readable+0x10/0x10
[ 102.428980][ T5329]  __smc_release+0x8d/0x7e0
[ 102.428995][ T5329]  ? __local_bh_enable_ip+0xd0/0x130
[ 102.429017][ T5329]  smc_release+0x2ce/0x560
[ 102.429035][ T5329]  sock_close+0xc3/0x240
[ 102.429048][ T5329]  ? __pfx_sock_close+0x10/0x10
[ 102.429060][ T5329]  __fput+0x44f/0xa60
[ 102.429077][ T5329]  task_work_run+0x1d9/0x270
[ 102.429096][ T5329]  ? __pfx_task_work_run+0x10/0x10
[ 102.429116][ T5329]  exit_to_user_mode_loop+0xf3/0x4d0
[ 102.429129][ T5329]  ? rcu_is_watching+0x15/0xb0
[ 102.429146][ T5329]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.429159][ T5329]  do_syscall_64+0x33e/0xf80
[ 102.429180][ T5329]  ? clear_bhb_loop+0x40/0x90
[ 102.429196][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 102.429209][ T5329] RIP: 0033:0x7f130ad9ce59
[ 102.429224][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 102.429236][ T5329] RSP: 002b:00007fffea86dff8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 102.429252][ T5329] RAX: 0000000000000000 RBX: 00007fffea86e0e0 RCX: 00007f130ad9ce59
[ 102.429261][ T5329] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 102.429269][ T5329] RBP: 0000000000018d65 R08: 0000000000000001 R09: 0000000000000000
[ 102.429277][ T5329] R10: 00007f130abff030 R11: 0000000000000246 R12: 00007fffea86e120
[ 102.429285][ T5329] R13: 00007f130b015fac R14: 0000000000018efe R15: 00007f130b015fa0
[ 102.429299][ T5329]