program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8) (async)
listen(r0, 0x0) (async)
r1 = socket(0x10, 0x803, 0x0)
sendto(r1, &(0x7f00000000c0)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0) (async)
recvmmsg(r1, &(0x7f00000037c0)=[{{&(0x7f00000004c0)=@ethernet={0x0, @random}, 0x80, &(0x7f0000000380)=[{&(0x7f0000000140)=""/100, 0x64}, {&(0x7f0000000300)=""/90, 0x5a}, {&(0x7f0000000fc0)=""/4096, 0x1000}, {&(0x7f0000000400)=""/102, 0x66}, {&(0x7f0000000980)=""/73, 0x49}, {&(0x7f0000000200)=""/77, 0x4d}, {&(0x7f00000007c0)=""/154, 0x9a}, {&(0x7f00000001c0)=""/17, 0x11}], 0x8, &(0x7f0000000600)=""/191, 0xbf}}], 0x1, 0x0, &(0x7f0000003700)={0x77359400}) (async)
r2 = fspick(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0)
fsconfig$FSCONFIG_CMD_CREATE(r2, 0x6, 0x0, 0x0, 0x0) (async)
connect$bt_sco(r0, &(0x7f0000000280)={0x1f, @none}, 0x8)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="042c11000000000000000000000000000000000027a57b460f7516fb6ac6b614ff5598079e0135740a6ddbd7b22441e945b6e334306988be63e788eea12a2b63b36c79647b98b61f8fdc5fe57c64bfa744ee16eba02bfd6cffd68757a63d9a64ec08702c70a4cd5d5fcc46585fe2b2539d0664bcbf966847a06c350cdc8219521a64818485ccf6a70f28d3a8f5b1a0f19b33d5416d0912f6c22315e3317b02078690a5cde501c2d890cc6f0d2ff6c958d559b4fb6cb6451215ecb5ba8a11ba4e954e51bff771d4b4810e89abf6ddf9d8aad920809d1b119ff85f2e013f9b45b987f3e8fc1f238091"], 0x14)

[   59.779054][ T4673] BUG: sleeping function called from invalid context at net/core/sock.c:3613
[   59.784927][ T4673] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4673, name: kworker/u5:1
[   59.791533][ T4673] preempt_count: 1, expected: 0
[   59.793676][ T4673] RCU nest depth: 0, expected: 0
[   59.795982][ T4673] 6 locks held by kworker/u5:1/4673:
[   59.809004][ T4673]  #0: ffff8880426fc148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[   59.815658][ T4673]  #1: ffffc9000dc8fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[   59.823275][ T4673]  #2: ffff888044024078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[   59.828360][ T4673]  #3: ffffffff8fe402a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[   59.833174][ T4673]  #4: ffff888043477c20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40
[   59.837532][ T4673]  #5: ffff888040d4c258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40
[   59.847662][ T4673] Preemption disabled at:
[   59.847675][ T4673] [<0000000000000000>] 0x0
[   59.851425][ T4673] CPU: 0 UID: 0 PID: 4673 Comm: kworker/u5:1 Not tainted 6.12.0-rc6-syzkaller-00169-g906bd684e4b1 #0
[   59.855677][ T4673] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   59.883544][ T4673] Workqueue: hci0 hci_rx_work
[   59.885457][ T4673] Call Trace:
[   59.886805][ T4673]
[   59.888212][ T4673]  dump_stack_lvl+0x241/0x360
[   59.890711][ T4673]  ? __pfx_dump_stack_lvl+0x10/0x10
[   59.893510][ T4673]  ? __pfx__printk+0x10/0x10
[   59.913494][ T4673]  __might_resched+0x5d4/0x780
[   59.931761][ T4673]  ? __pfx_lock_acquire+0x10/0x10
[   59.935329][ T4673]  ? __pfx___might_resched+0x10/0x10
[   59.937676][ T4673]  ? __pfx_lock_release+0x10/0x10
[   59.941250][ T4673]  ? do_raw_spin_lock+0x14f/0x370
[   59.949344][ T4673]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   59.952911][ T4673]  lock_sock_nested+0x5d/0x100
[   59.957257][ T4673]  sco_connect_cfm+0x461/0xb40
[   59.960901][ T4673]  ? __pfx_sco_connect_cfm+0x10/0x10
[   59.968205][ T4673]  ? hci_conn_add_sysfs+0xfc/0x200
[   59.974997][ T4673]  ? __pfx_sco_connect_cfm+0x10/0x10
[   59.984054][ T4673]  hci_sync_conn_complete_evt+0x5ab/0xaa0
[   59.991393][ T4673]  hci_event_packet+0xac2/0x1540
[   59.993654][ T4673]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   60.002160][ T4673]  ? __pfx_hci_event_packet+0x10/0x10
[   60.018747][ T4673]  ? read_local_oob_ext_data_complete+0x220/0xdd0
[   60.023619][ T4673]  ? kcov_remote_start+0x97/0x7d0
[   60.026608][ T4673]  hci_rx_work+0x3fe/0xd80
[   60.029411][ T4673]  ? process_scheduled_works+0x976/0x1850
[   60.033973][ T4673]  process_scheduled_works+0xa63/0x1850
[   60.036703][ T4673]  ? __pfx_process_scheduled_works+0x10/0x10
[   60.039405][ T4673]  ? assign_work+0x364/0x3d0
[   60.057827][ T4673]  worker_thread+0x870/0xd30
[   60.061873][ T4673]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   60.067790][ T4673]  ? __kthread_parkme+0x169/0x1d0
[   60.071364][ T4673]  ? __pfx_worker_thread+0x10/0x10
[   60.073909][ T4673]  kthread+0x2f0/0x390
[   60.075873][ T4673]  ? __pfx_worker_thread+0x10/0x10
[   60.078415][ T4673]  ? __pfx_kthread+0x10/0x10
[   60.080628][ T4673]  ret_from_fork+0x4b/0x80
[   60.095094][ T4673]  ? __pfx_kthread+0x10/0x10
[   60.097010][ T4673]  ret_from_fork_asm+0x1a/0x30
[   60.114605][ T4673]
[   60.147488][ T4673] Bluetooth: hci0: command tx timeout
[   60.155642][ T5330]
[   60.158069][ T5330] ======================================================
[   60.165318][ T5330] WARNING: possible circular locking dependency detected
[   60.168977][ T5330] 6.12.0-rc6-syzkaller-00169-g906bd684e4b1 #0 Tainted: G        W
[   60.175299][ T5330] ------------------------------------------------------
[   60.183596][ T5330] syz.0.0/5330 is trying to acquire lock:
[   60.190916][ T5330] ffff888043477c20 (&conn->lock#2){+.+.}-{2:2}, at: __sco_sock_close+0x338/0x570
[   60.196745][ T5330]
[   60.196745][ T5330] but task is already holding lock:
[   60.199464][ T5330] ffff888040d4e258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[   60.203801][ T5330]
[   60.203801][ T5330] which lock already depends on the new lock.
[   60.203801][ T5330]
[   60.216224][ T5330]
[   60.216224][ T5330] the existing dependency chain (in reverse order) is:
[   60.226054][ T5330]
[   60.226054][ T5330] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   60.233022][ T5330]        lock_acquire+0x1ed/0x550
[   60.240779][ T5330]        lock_sock_nested+0x48/0x100
[   60.243775][ T5330]        bt_accept_dequeue+0xfa/0x570
[   60.248295][ T5330]        __sco_sock_close+0xd6/0x570
[   60.252611][ T5330]        sco_sock_release+0xb3/0x320
[   60.260646][ T5330]        sock_close+0xbc/0x240
[   60.265578][ T5330]        __fput+0x23f/0x880
[   60.270958][ T5330]        task_work_run+0x24f/0x310
[   60.272806][ T5330]        syscall_exit_to_user_mode+0x168/0x370
[   60.275069][ T5330]        do_syscall_64+0x100/0x230
[   60.277010][ T5330]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.279229][ T5330]
[   60.279229][ T5330] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   60.289013][ T5330]        lock_acquire+0x1ed/0x550
[   60.294734][ T5330]        lock_sock_nested+0x48/0x100
[   60.298052][ T5330]        sco_connect_cfm+0x461/0xb40
[   60.300733][ T5330]        hci_sync_conn_complete_evt+0x5ab/0xaa0
[   60.305762][ T5330]        hci_event_packet+0xac2/0x1540
[   60.307786][ T5330]        hci_rx_work+0x3fe/0xd80
[   60.309571][ T5330]        process_scheduled_works+0xa63/0x1850
[   60.312264][ T5330]        worker_thread+0x870/0xd30
[   60.316359][ T5330]        kthread+0x2f0/0x390
[   60.318735][ T5330]        ret_from_fork+0x4b/0x80
[   60.320529][ T5330]        ret_from_fork_asm+0x1a/0x30
[   60.323863][ T5330]
[   60.323863][ T5330] -> #0 (&conn->lock#2){+.+.}-{2:2}:
[   60.328860][ T5330]        validate_chain+0x18ef/0x5920
[   60.331529][ T5330]        __lock_acquire+0x1384/0x2050
[   60.333476][ T5330]        lock_acquire+0x1ed/0x550
[   60.335196][ T5330]        _raw_spin_lock+0x2e/0x40
[   60.336865][ T5330]        __sco_sock_close+0x338/0x570
[   60.338749][ T5330]        __sco_sock_close+0x154/0x570
[   60.340899][ T5330]        sco_sock_release+0xb3/0x320
[   60.343448][ T5330]        sock_close+0xbc/0x240
[   60.345815][ T5330]        __fput+0x23f/0x880
[   60.348309][ T5330]        task_work_run+0x24f/0x310
[   60.350557][ T5330]        syscall_exit_to_user_mode+0x168/0x370
[   60.354946][ T5330]        do_syscall_64+0x100/0x230
[   60.367735][ T5330]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.370329][ T5330]
[   60.370329][ T5330] other info that might help us debug this:
[   60.370329][ T5330]
[   60.374502][ T5330] Chain exists of:
[   60.374502][ T5330]   &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   60.374502][ T5330]
[   60.391917][ T5330]  Possible unsafe locking scenario:
[   60.391917][ T5330]
[   60.396733][ T5330]        CPU0                    CPU1
[   60.401725][ T5330]        ----                    ----
[   60.406726][ T5330]   lock(sk_lock-AF_BLUETOOTH);
[   60.410314][ T5330]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   60.414634][ T5330]                                lock(sk_lock-AF_BLUETOOTH);
[   60.423287][ T5330]   lock(&conn->lock#2);
[   60.428474][ T5330]
[   60.428474][ T5330]  *** DEADLOCK ***
[   60.428474][ T5330]
[   60.433007][ T5330] 3 locks held by syz.0.0/5330:
[   60.435060][ T5330]  #0: ffff888043dc3208 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: sock_close+0x90/0x240
[   60.440354][ T5330]  #1: ffff888040d4c258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   60.448038][ T5330]  #2: ffff888040d4e258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[   60.451817][ T5330]
[   60.451817][ T5330] stack backtrace:
[   60.453963][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Tainted: G        W          6.12.0-rc6-syzkaller-00169-g906bd684e4b1 #0
[   60.458032][ T5330] Tainted: [W]=WARN
[   60.459492][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   60.466753][ T5330] Call Trace:
[   60.469395][ T5330]
[   60.471374][ T5330]  dump_stack_lvl+0x241/0x360
[   60.473818][ T5330]  ? __pfx_dump_stack_lvl+0x10/0x10
[   60.477564][ T5330]  ? __pfx__printk+0x10/0x10
[   60.487038][ T5330]  print_circular_bug+0x13a/0x1b0
[   60.489211][ T5330]  check_noncircular+0x36a/0x4a0
[   60.491193][ T5330]  ? mark_lock+0x9a/0x360
[   60.492894][ T5330]  ? __pfx_check_noncircular+0x10/0x10
[   60.495470][ T5330]  ? lockdep_lock+0x123/0x2b0
[   60.497803][ T5330]  validate_chain+0x18ef/0x5920
[   60.500091][ T5330]  ? __pfx_validate_chain+0x10/0x10
[   60.502925][ T5330]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   60.507047][ T5330]  ? __mod_timer+0xb89/0xeb0
[   60.509250][ T5330]  ? __pfx_lock_release+0x10/0x10
[   60.512376][ T5330]  ? do_raw_spin_unlock+0x58/0x8b0
[   60.514598][ T5330]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   60.517342][ T5330]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   60.520039][ T5330]  ? mark_lock+0x9a/0x360
[   60.521966][ T5330]  __lock_acquire+0x1384/0x2050
[   60.524057][ T5330]  lock_acquire+0x1ed/0x550
[   60.526217][ T5330]  ? __sco_sock_close+0x338/0x570
[   60.528536][ T5330]  ? __pfx_lock_acquire+0x10/0x10
[   60.530802][ T5330]  ? queue_delayed_work_on+0x267/0x390
[   60.533222][ T5330]  ? __pfx_queue_delayed_work_on+0x10/0x10
[   60.537647][ T5330]  ? __pfx___cancel_work+0x10/0x10
[   60.539885][ T5330]  ? __cancel_work+0x2ee/0x390
[   60.542050][ T5330]  ? __pfx___cancel_work+0x10/0x10
[   60.544357][ T5330]  ? __sco_sock_close+0xec/0x570
[   60.563710][ T5330]  _raw_spin_lock+0x2e/0x40
[   60.570098][ T5330]  ? __sco_sock_close+0x338/0x570
[   60.573822][ T5330]  __sco_sock_close+0x338/0x570
[   60.575922][ T5330]  __sco_sock_close+0x154/0x570
[   60.579780][ T5330]  sco_sock_release+0xb3/0x320
[   60.585224][ T5330]  sock_close+0xbc/0x240
[   60.591155][ T5330]  ? __pfx_sock_close+0x10/0x10
[   60.598306][ T5330]  __fput+0x23f/0x880
[   60.599953][ T5330]  task_work_run+0x24f/0x310
[   60.603298][ T5330]  ? __pfx_task_work_run+0x10/0x10
[   60.610404][ T5330]  ? syscall_exit_to_user_mode+0xa3/0x370
[   60.627137][ T5330]  syscall_exit_to_user_mode+0x168/0x370
[   60.629556][ T5330]  do_syscall_64+0x100/0x230
[   60.631667][ T5330]  ? clear_bhb_loop+0x35/0x90
[   60.633608][ T5330]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.650788][ T5330] RIP: 0033:0x7f40d677e719
[   60.652758][ T5330] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   60.672985][ T5330] RSP: 002b:00007ffff0bcb438 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   60.676359][ T5330] RAX: 0000000000000000 RBX: 00007f40d6937a80 RCX: 00007f40d677e719
[   60.679572][ T5330] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   60.699470][ T5330] RBP: 00007f40d6937a80 R08: 0000000000000000 R09: 00007ffff0bcb72f
[   60.703860][ T5330] R10: 0000000000dffd68 R11: 0000000000000246 R12: 000000000000ec2d
[   60.707552][ T5330] R13: 00007ffff0bcb540 R14: 0000000000000032 R15: ffffffffffffffff
[   60.710801][ T5330]