============================================
WARNING: possible recursive locking detected
6.8.0-rc4-syzkaller-00014-g7e90b5c295ec #0 Not tainted
--------------------------------------------
syz-executor.2/29218 is trying to acquire lock:
ffff88803105b218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88803105b218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3806 [inline]
ffff88803105b218 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: __dev_queue_xmit+0x2f94/0x3ee0 net/core/dev.c:4317

but task is already holding lock:
ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:192 [inline]
ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3763 [inline]
ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: __dev_queue_xmit+0x1090/0x3ee0 net/core/dev.c:4317

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);
  lock(dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

11 locks held by syz-executor.2/29218:
 #0: ffff88803b5340e0 (&type->s_umount_key#68){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
 #0: ffff88803b5340e0 (&type->s_umount_key#68){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
 #0: ffff88803b5340e0 (&type->s_umount_key#68){+.+.}-{3:3}, at: deactivate_super+0xd6/0x100 fs/super.c:509
 #1: ffff88802c81e538 ((wq_completion)btrfs-qgroup-rescan){+.+.}-{0:0}, at: __flush_workqueue+0x141/0x1340 kernel/workqueue.c:3146
 #2: ffffc90000890ce0 ((&icsk->icsk_retransmit_timer)){+.-.}-{0:0}, at: call_timer_fn+0x118/0x5a0 kernel/time/timer.c:1697
 #3: ffff888052e362b0 (slock-AF_INET){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #3: ffff888052e362b0 (slock-AF_INET){+.-.}-{2:2}, at: tcp_write_timer+0x2a/0x2b0 net/ipv4/tcp_timer.c:708
 #4: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #4: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #4: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: __ip_queue_xmit+0x72/0x1900 net/ipv4/ip_output.c:470
 #5: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #5: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #5: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x364/0x2550 net/ipv4/ip_output.c:228
 #6: ffffffff8d7ad100 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #6: ffffffff8d7ad100 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
 #6: ffffffff8d7ad100 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x244/0x3ee0 net/core/dev.c:4276
 #7: ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #7: ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #7: ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:192 [inline]
 #7: ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3763 [inline]
 #7: ffff88801edbb258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+.-.}-{2:2}, at: __dev_queue_xmit+0x1090/0x3ee0 net/core/dev.c:4317
 #8: ffff88801e8730d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #8: ffff88801e8730d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
 #8: ffff88801e8730d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x337/0xc20 net/sched/sch_generic.c:340
 #9: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #9: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #9: ffffffff8d7ad160 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x364/0x2550 net/ipv4/ip_output.c:228
 #10: ffffffff8d7ad100 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #10: ffffffff8d7ad100 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
 #10: ffffffff8d7ad100 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x244/0x3ee0 net/core/dev.c:4276

stack backtrace:
CPU: 1 PID: 29218 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00014-g7e90b5c295ec #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 check_deadlock kernel/locking/lockdep.c:3062 [inline]
 validate_chain kernel/locking/lockdep.c:3856 [inline]
 __lock_acquire+0x2111/0x3b40 kernel/locking/lockdep.c:5137
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 __dev_xmit_skb net/core/dev.c:3806 [inline]
 __dev_queue_xmit+0x2f94/0x3ee0 net/core/dev.c:4317
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0x169f/0x2550 net/ipv4/ip_output.c:235
 __ip_finish_output net/ipv4/ip_output.c:313 [inline]
 __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:129
 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbc/0x33d0 net/ipv4/ip_tunnel.c:831
 erspan_xmit+0x523/0x1bf0 net/ipv4/ip_gre.c:720
 __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
 netdev_start_xmit include/linux/netdevice.h:5003 [inline]
 xmit_one net/core/dev.c:3547 [inline]
 dev_hard_start_xmit+0x13a/0x6d0 net/core/dev.c:3563
 sch_direct_xmit+0x1ac/0xc20 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3776 [inline]
 __dev_queue_xmit+0x12b4/0x3ee0 net/core/dev.c:4317
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0x169f/0x2550 net/ipv4/ip_output.c:235
 __ip_finish_output net/ipv4/ip_output.c:313 [inline]
 __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:129
 __ip_queue_xmit+0x747/0x1900 net/ipv4/ip_output.c:535
 __tcp_transmit_skb+0x29b8/0x3db0 net/ipv4/tcp_output.c:1462
 tcp_transmit_skb net/ipv4/tcp_output.c:1480 [inline]
 __tcp_retransmit_skb.part.0+0x61f/0x2980 net/ipv4/tcp_output.c:3387
 __tcp_retransmit_skb net/ipv4/tcp_output.c:3293 [inline]
 tcp_retransmit_skb+0xa8/0x490 net/ipv4/tcp_output.c:3410
 tcp_retransmit_timer+0x1764/0x4040 net/ipv4/tcp_timer.c:604
 tcp_write_timer_handler net/ipv4/tcp_timer.c:693 [inline]
 tcp_write_timer_handler+0x55e/0xa60 net/ipv4/tcp_timer.c:667
 tcp_write_timer+0xa6/0x2b0 net/ipv4/tcp_timer.c:710
 call_timer_fn+0x193/0x5a0 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x75d/0xaa0 kernel/time/timer.c:2038
 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2051
 __do_softirq+0x21c/0x8e7 kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:lock_acquire+0x1ef/0x520 kernel/locking/lockdep.c:5722
Code: c1 05 4d c6 97 7e 83 f8 01 0f 85 b8 02 00 00 9c 58 f6 c4 02 0f 85 a3 02 00 00 48 85 ed 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffffc90003aef870 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff9200075df10 RCX: 0000000000000001
RDX: 0000000000000001 RSI: ffffffff8b0cb640 RDI: ffffffff8b6e93c0
RBP: 0000000000000200 R08: 00000000002f2f98 R09: fffffbfff27dc1fa
R10: ffffffff93ee0fd7 R11: 1ffffffff26d03fd R12: 0000000000000001
R13: 0000000000000000 R14: ffff88802c81e538 R15: 0000000000000000
 __flush_workqueue+0x14b/0x1340 kernel/workqueue.c:3146
 drain_workqueue+0x18f/0x3d0 kernel/workqueue.c:3311
 destroy_workqueue+0xc3/0xb10 kernel/workqueue.c:4793
 btrfs_destroy_workqueue+0x3f/0x220 fs/btrfs/async-thread.c:361
 btrfs_stop_all_workers+0x268/0x370 fs/btrfs/disk-io.c:1797
 close_ctree+0x4e3/0xf90 fs/btrfs/disk-io.c:4368
 generic_shutdown_super+0x159/0x3d0 fs/super.c:646
 kill_anon_super+0x3a/0x60 fs/super.c:1230
 btrfs_kill_super+0x3b/0x50 fs/btrfs/super.c:2093
 deactivate_locked_super+0xbe/0x1a0 fs/super.c:477
 deactivate_super+0xde/0x100 fs/super.c:510
 cleanup_mnt+0x222/0x450 fs/namespace.c:1267
 task_work_run+0x14f/0x250 kernel/task_work.c:180
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:108 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
 syscall_exit_to_user_mode+0x281/0x2b0 kernel/entry/common.c:212
 do_syscall_64+0xe5/0x270 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f7e2c07f0d7
Code: b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b0 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007ffeeb70c738 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f7e2c07f0d7
RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffeeb70c7f0
RBP: 00007ffeeb70c7f0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffeeb70d8b0
R13: 00007f7e2c0c93b9 R14: 00000000001a2c52 R15: 0000000000000005
 </TASK>
----------------
Code disassembly (best guess):
   0:	c1 05 4d c6 97 7e 83 	roll   $0x83,0x7e97c64d(%rip)        # 0x7e97c654
   7:	f8                   	clc
   8:	01 0f                	add    %ecx,(%rdi)
   a:	85 b8 02 00 00 9c    	test   %edi,-0x63fffffe(%rax)
  10:	58                   	pop    %rax
  11:	f6 c4 02             	test   $0x2,%ah
  14:	0f 85 a3 02 00 00    	jne    0x2bd
  1a:	48 85 ed             	test   %rbp,%rbp
  1d:	74 01                	je     0x20
  1f:	fb                   	sti
  20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  27:	fc ff df
* 2a:	48 01 c3             	add    %rax,%rbx <-- trapping instruction
  2d:	48 c7 03 00 00 00 00 	movq   $0x0,(%rbx)
  34:	48 c7 43 08 00 00 00 	movq   $0x0,0x8(%rbx)
  3b:	00
  3c:	48                   	rex.W
  3d:	8b                   	.byte 0x8b
  3e:	84                   	.byte 0x84
  3f:	24                   	.byte 0x24