================================
WARNING: inconsistent lock state
5.11.0-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.0/8303 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff00003b4080a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff00003b4080a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: sco_sock_timeout+0x2c/0x190 net/bluetooth/sco.c:83
{SOFTIRQ-ON-W} state was registered at:
  mark_usage kernel/locking/lockdep.c:4324 [inline]
  __lock_acquire+0x560/0x5670 kernel/locking/lockdep.c:4786
  lock_acquire.part.0+0x230/0x740 kernel/locking/lockdep.c:5442
  lock_acquire+0x90/0xb4 kernel/locking/lockdep.c:5415
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x8c/0x120 kernel/locking/spinlock.c:151
  spin_lock include/linux/spinlock.h:354 [inline]
  sco_conn_del+0xbc/0x1f4 net/bluetooth/sco.c:176
  sco_disconn_cfm net/bluetooth/sco.c:1189 [inline]
  sco_disconn_cfm+0x64/0xac net/bluetooth/sco.c:1182
  hci_disconn_cfm include/net/bluetooth/hci_core.h:1462 [inline]
  hci_conn_hash_flush+0xf4/0x1f4 net/bluetooth/hci_conn.c:1565
  hci_dev_do_close+0x434/0xbb0 net/bluetooth/hci_core.c:1776
  hci_unregister_dev+0x1c8/0xa70 net/bluetooth/hci_core.c:3872
  vhci_release+0x64/0xd0 drivers/bluetooth/hci_vhci.c:340
  __fput+0x1a0/0x6b0 fs/file_table.c:280
  ____fput+0x10/0x20 fs/file_table.c:313
  task_work_run+0xd4/0x20c kernel/task_work.c:140
  exit_task_work include/linux/task_work.h:30 [inline]
  do_exit+0x940/0x2330 kernel/exit.c:825
  do_group_exit+0xcc/0x23c kernel/exit.c:922
  __do_sys_exit_group kernel/exit.c:933 [inline]
  __se_sys_exit_group kernel/exit.c:931 [inline]
  __arm64_sys_exit_group+0x3c/0x44 kernel/exit.c:931
  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
  invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
  el0_svc_common.constprop.0+0x110/0x3c0 arch/arm64/kernel/syscall.c:159
  do_el0_svc_compat+0x40/0x80 arch/arm64/kernel/syscall.c:204
  el0_svc_compat+0x20/0x30 arch/arm64/kernel/entry-common.c:442
  el0_sync_compat_handler+0x90/0x140 arch/arm64/kernel/entry-common.c:451
  el0_sync_compat+0x178/0x180 arch/arm64/kernel/entry.S:708
irq event stamp: 283500
hardirqs last  enabled at (283500): [<ffff800016abf078>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last  enabled at (283500): [<ffff800016abf078>] _raw_spin_unlock_irq+0x78/0x154 kernel/locking/spinlock.c:199
hardirqs last disabled at (283499): [<ffff800016ac0edc>] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:126 [inline]
hardirqs last disabled at (283499): [<ffff800016ac0edc>] _raw_spin_lock_irq+0xf8/0x14c kernel/locking/spinlock.c:167
softirqs last  enabled at (283400): [<ffff8000100209f0>] _stext+0x9f0/0x10cc
softirqs last disabled at (283491): [<ffff80001016a670>] do_softirq_own_stack include/linux/interrupt.h:577 [inline]
softirqs last disabled at (283491): [<ffff80001016a670>] invoke_softirq kernel/softirq.c:226 [inline]
softirqs last disabled at (283491): [<ffff80001016a670>] __irq_exit_rcu+0x46c/0x510 kernel/softirq.c:420

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
  <Interrupt>
    lock(slock-AF_BLUETOOTH-BTPROTO_SCO);

 *** DEADLOCK ***

1 lock held by syz-executor.0/8303:
 #0: ffff00006a2b9e50 ((&sk->sk_timer)#2){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline]
 #0: ffff00006a2b9e50 ((&sk->sk_timer)#2){+.-.}-{0:0}, at: call_timer_fn+0xf8/0x9f0 kernel/time/timer.c:1407

stack backtrace:
CPU: 1 PID: 8303 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x3e0 arch/arm64/include/asm/pointer_auth.h:76
 show_stack+0x18/0x70 arch/arm64/kernel/stacktrace.c:196
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x110/0x188 lib/dump_stack.c:120
 print_usage_bug.part.0+0x4c4/0x4e8 kernel/locking/lockdep.c:3740
 print_usage_bug kernel/locking/lockdep.c:3710 [inline]
 valid_state kernel/locking/lockdep.c:3751 [inline]
 mark_lock_irq kernel/locking/lockdep.c:3960 [inline]
 mark_lock+0x13cc/0x1980 kernel/locking/lockdep.c:4411
 mark_usage kernel/locking/lockdep.c:4306 [inline]
 __lock_acquire+0x11c8/0x5670 kernel/locking/lockdep.c:4786
 lock_acquire.part.0+0x230/0x740 kernel/locking/lockdep.c:5442
 lock_acquire+0x90/0xb4 kernel/locking/lockdep.c:5415
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x8c/0x120 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:354 [inline]
 sco_sock_timeout+0x2c/0x190 net/bluetooth/sco.c:83
 call_timer_fn+0x1d4/0x9f0 kernel/time/timer.c:1417
 expire_timers kernel/time/timer.c:1462 [inline]
 __run_timers.part.0+0x494/0x690 kernel/time/timer.c:1731
 __run_timers kernel/time/timer.c:1712 [inline]
 run_timer_softirq+0xa4/0x1a0 kernel/time/timer.c:1744
 _stext+0x400/0x10cc
 do_softirq_own_stack include/linux/interrupt.h:577 [inline]
 invoke_softirq kernel/softirq.c:226 [inline]
 __irq_exit_rcu+0x46c/0x510 kernel/softirq.c:420
 irq_exit+0x14/0x84 kernel/softirq.c:444
 __handle_domain_irq+0x120/0x1f0 kernel/irq/irqdesc.c:692
 handle_domain_irq include/linux/irqdesc.h:176 [inline]
 gic_handle_irq+0x5c/0x1b0 drivers/irqchip/irq-gic.c:370
 el1_irq+0xb4/0x180 arch/arm64/kernel/entry.S:669
 local_daif_restore arch/arm64/include/asm/daifflags.h:117 [inline]
 do_notify_resume+0x160/0x25fc arch/arm64/kernel/signal.c:924
 work_pending+0xc/0x35c