program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x6)
r2 = open(&(0x7f0000000000)='./bus\x00', 0x60142, 0x0)
r3 = open(&(0x7f00000001c0)='./bus\x00', 0x101000, 0x0)
fallocate(r2, 0x0, 0x0, 0x3df1)
copy_file_range(r3, 0x0, r2, &(0x7f00000000c0)=0x10000, 0x3df1, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000240)=ANY=[@ANYBLOB="0e0000000400000403fffffffa00000000000000", @ANYRES32=r1, @ANYRESOCT=r0, @ANYRES32=r3, @ANYRES32, @ANYBLOB='\x00'/28], 0x48)
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000100)={'vxcan0\x00', <r5=>0x0})
r6 = socket$can_raw(0x1d, 0x3, 0x1)
setsockopt$CAN_RAW_ERR_FILTER(r6, 0x65, 0x2, &(0x7f0000000300)=0x8, 0x4)
bind$can_raw(r6, &(0x7f0000000000)={0x1d, r5}, 0x10)
sendmsg$nl_route_sched(r4, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000080)=@getchain={0x24, 0x11, 0x1, 0x0, 0x0, {0x0, 0x0, 0x0, r5}}, 0x24}}, 0x84)
bpf$PROG_LOAD(0x5, &(0x7f0000000c00)={0x11, 0x3, &(0x7f00000003c0)=@framed={{0x18, 0x0, 0x0, 0x0, 0xfffffffc, 0x0, 0x0, 0x0, 0x6}}, &(0x7f0000000bc0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', r5, @fallback=0x23, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
r7 = socket$netlink(0x10, 0x3, 0x0)
writev(r7, &(0x7f0000000000)=[{&(0x7f0000000080)="390000001300090468fe0700000000000000ff3f08000000480100100000000019002b000a0001000500000000000072080003000500000000", 0x39}], 0x1)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
r8 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r8, 0x5423, &(0x7f00000003c0)=0x14)
ioctl$TIOCVHANGUP(r8, 0x5437, 0x2)

[   73.836936][ T5301] Bluetooth: hci0: command tx timeout
[   73.939111][ T5316] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'.
[   73.991301][ T5317] sit0: entered promiscuous mode
[   73.996084][ T5317] netlink: 'syz.0.0': attribute type 1 has an invalid length.
[   73.999066][ T5317] netlink: 1 bytes leftover after parsing attributes in process `syz.0.0'.
[   74.006862][ T5301] BUG: sleeping function called from invalid context at net/core/sock.c:3624
[   74.010451][ T5301] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5301, name: kworker/u5:2
[   74.013976][ T5301] preempt_count: 1, expected: 0
[   74.015783][ T5301] RCU nest depth: 0, expected: 0
[   74.017662][ T5301] 5 locks held by kworker/u5:2/5301:
[   74.019643][ T5301]  #0: ffff888042f41948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[   74.024543][ T5301]  #1: ffffc9000d2efd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[   74.030624][ T5301]  #2: ffff888040ae8078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[   74.035671][ T5301]  #3: ffff88803ec89420 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[   74.040666][ T5301]  #4: ffff888043948258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[   74.045342][ T5301] Preemption disabled at:
[   74.045351][ T5301] [<0000000000000000>] 0x0
[   74.048703][ T5301] CPU: 0 UID: 0 PID: 5301 Comm: kworker/u5:2 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
[   74.052716][ T5301] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   74.056704][ T5301] Workqueue: hci0 hci_rx_work
[   74.058516][ T5301] Call Trace:
[   74.059843][ T5301]  <TASK>
[   74.060997][ T5301]  dump_stack_lvl+0x241/0x360
[   74.062794][ T5301]  ? __pfx_dump_stack_lvl+0x10/0x10
[   74.064871][ T5301]  ? __pfx__printk+0x10/0x10
[   74.066454][ T5301]  __might_resched+0x5d4/0x780
[   74.068238][ T5301]  ? __pfx_lock_acquire+0x10/0x10
[   74.070178][ T5301]  ? __pfx___might_resched+0x10/0x10
[   74.072270][ T5301]  ? __pfx_lock_release+0x10/0x10
[   74.074202][ T5301]  ? do_raw_spin_lock+0x14f/0x370
[   74.076185][ T5301]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   74.078443][ T5301]  lock_sock_nested+0x5d/0x100
[   74.080299][ T5301]  sco_connect_cfm+0x439/0xae0
[   74.082052][ T5301]  ? hci_cb_lookup+0x1b3/0x3c0
[   74.083845][ T5301]  ? __pfx_sco_connect_cfm+0x10/0x10
[   74.085834][ T5301]  ? hci_cb_lookup+0x3a0/0x3c0
[   74.087700][ T5301]  ? __pfx_sco_connect_cfm+0x10/0x10
[   74.089656][ T5301]  hci_sync_conn_complete_evt+0x6f1/0xb50
[   74.091638][ T5301]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   74.093805][ T5301]  ? skb_pull_data+0x112/0x230
[   74.095488][ T5301]  hci_event_packet+0xac2/0x1540
[   74.097188][ T5301]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   74.099329][ T5301]  ? __pfx_hci_event_packet+0x10/0x10
[   74.101096][ T5301]  ? do_raw_spin_unlock+0x58/0x8b0
[   74.102854][ T5301]  ? hci_send_to_monitor+0xd8/0x7f0
[   74.104650][ T5301]  ? kcov_remote_start+0x97/0x7d0
[   74.106589][ T5301]  hci_rx_work+0x3f3/0xdb0
[   74.108387][ T5301]  ? process_scheduled_works+0x976/0x1840
[   74.110564][ T5301]  process_scheduled_works+0xa66/0x1840
[   74.112729][ T5301]  ? __pfx_process_scheduled_works+0x10/0x10
[   74.115055][ T5301]  ? assign_work+0x364/0x3d0
[   74.116902][ T5301]  worker_thread+0x870/0xd30
[   74.118828][ T5301]  ? __kthread_parkme+0x169/0x1d0
[   74.120792][ T5301]  ? __pfx_worker_thread+0x10/0x10
[   74.122781][ T5301]  kthread+0x2f0/0x390
[   74.124378][ T5301]  ? __pfx_worker_thread+0x10/0x10
[   74.126388][ T5301]  ? __pfx_kthread+0x10/0x10
[   74.128233][ T5301]  ret_from_fork+0x4b/0x80
[   74.130000][ T5301]  ? __pfx_kthread+0x10/0x10
[   74.131696][ T5301]  ret_from_fork_asm+0x1a/0x30
[   74.133490][ T5301]  </TASK>
[   74.760414][ T5315] 
[   74.761375][ T5315] ======================================================
[   74.764022][ T5315] WARNING: possible circular locking dependency detected
[   74.766860][ T5315] 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Tainted: G        W         
[   74.770406][ T5315] ------------------------------------------------------
[   74.773140][ T5315] syz.0.0/5315 is trying to acquire lock:
[   74.775144][ T5315] ffff88803ec89420 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   74.778232][ T5315] 
[   74.778232][ T5315] but task is already holding lock:
[   74.780765][ T5315] ffff888042d43258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   74.784216][ T5315] 
[   74.784216][ T5315] which lock already depends on the new lock.
[   74.784216][ T5315] 
[   74.787965][ T5315] 
[   74.787965][ T5315] the existing dependency chain (in reverse order) is:
[   74.791102][ T5315] 
[   74.791102][ T5315] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   74.794088][ T5315]        lock_acquire+0x1ed/0x550
[   74.795946][ T5315]        lock_sock_nested+0x48/0x100
[   74.797874][ T5315]        bt_accept_dequeue+0xfa/0x570
[   74.799876][ T5315]        __sco_sock_close+0xd2/0x310
[   74.801876][ T5315]        sco_sock_release+0xb3/0x320
[   74.803848][ T5315]        sock_close+0xbc/0x240
[   74.805586][ T5315]        __fput+0x23c/0xa50
[   74.807248][ T5315]        task_work_run+0x24f/0x310
[   74.809079][ T5315]        syscall_exit_to_user_mode+0x13f/0x340
[   74.811379][ T5315]        do_syscall_64+0x100/0x230
[   74.813205][ T5315]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.815621][ T5315] 
[   74.815621][ T5315] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   74.818719][ T5315]        lock_acquire+0x1ed/0x550
[   74.820578][ T5315]        lock_sock_nested+0x48/0x100
[   74.822546][ T5315]        sco_connect_cfm+0x439/0xae0
[   74.824770][ T5315]        hci_sync_conn_complete_evt+0x6f1/0xb50
[   74.827206][ T5315]        hci_event_packet+0xac2/0x1540
[   74.829303][ T5315]        hci_rx_work+0x3f3/0xdb0
[   74.831147][ T5315]        process_scheduled_works+0xa66/0x1840
[   74.833414][ T5315]        worker_thread+0x870/0xd30
[   74.835260][ T5315]        kthread+0x2f0/0x390
[   74.837058][ T5315]        ret_from_fork+0x4b/0x80
[   74.839487][ T5315]        ret_from_fork_asm+0x1a/0x30
[   74.842035][ T5315] 
[   74.842035][ T5315] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[   74.845541][ T5315]        validate_chain+0x18ef/0x5920
[   74.847759][ T5315]        __lock_acquire+0x1397/0x2100
[   74.849732][ T5315]        lock_acquire+0x1ed/0x550
[   74.851649][ T5315]        _raw_spin_lock+0x2e/0x40
[   74.853555][ T5315]        sco_chan_del+0x74/0x180
[   74.855552][ T5315]        __sco_sock_close+0x152/0x310
[   74.857657][ T5315]        sco_sock_release+0xb3/0x320
[   74.859696][ T5315]        sock_close+0xbc/0x240
[   74.861499][ T5315]        __fput+0x23c/0xa50
[   74.863214][ T5315]        task_work_run+0x24f/0x310
[   74.865140][ T5315]        syscall_exit_to_user_mode+0x13f/0x340
[   74.867492][ T5315]        do_syscall_64+0x100/0x230
[   74.869497][ T5315]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.871882][ T5315] 
[   74.871882][ T5315] other info that might help us debug this:
[   74.871882][ T5315] 
[   74.875740][ T5315] Chain exists of:
[   74.875740][ T5315]   &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   74.875740][ T5315] 
[   74.881356][ T5315]  Possible unsafe locking scenario:
[   74.881356][ T5315] 
[   74.884099][ T5315]        CPU0                    CPU1
[   74.886154][ T5315]        ----                    ----
[   74.888160][ T5315]   lock(sk_lock-AF_BLUETOOTH);
[   74.889960][ T5315]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   74.892998][ T5315]                                lock(sk_lock-AF_BLUETOOTH);
[   74.896020][ T5315]   lock(&conn->lock#2);
[   74.897720][ T5315] 
[   74.897720][ T5315]  *** DEADLOCK ***
[   74.897720][ T5315] 
[   74.900785][ T5315] 3 locks held by syz.0.0/5315:
[   74.902579][ T5315]  #0: ffff888043774e08 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   74.906330][ T5315]  #1: ffff888043948258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   74.910363][ T5315]  #2: ffff888042d43258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   74.914131][ T5315] 
[   74.914131][ T5315] stack backtrace:
[   74.916468][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Tainted: G        W          6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
[   74.921186][ T5315] Tainted: [W]=WARN
[   74.922676][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   74.926865][ T5315] Call Trace:
[   74.928172][ T5315]  <TASK>
[   74.929433][ T5315]  dump_stack_lvl+0x241/0x360
[   74.931249][ T5315]  ? __pfx_dump_stack_lvl+0x10/0x10
[   74.933249][ T5315]  ? __pfx__printk+0x10/0x10
[   74.935245][ T5315]  print_circular_bug+0x13a/0x1b0
[   74.937198][ T5315]  check_noncircular+0x36a/0x4a0
[   74.939033][ T5315]  ? __pfx_check_noncircular+0x10/0x10
[   74.941066][ T5315]  ? lockdep_lock+0x123/0x2b0
[   74.942926][ T5315]  validate_chain+0x18ef/0x5920
[   74.944772][ T5315]  ? debug_object_assert_init+0x2dd/0x4b0
[   74.946992][ T5315]  ? do_raw_spin_unlock+0x58/0x8b0
[   74.948940][ T5315]  ? __pfx_validate_chain+0x10/0x10
[   74.950880][ T5315]  ? __pfx_stack_trace_save+0x10/0x10
[   74.952961][ T5315]  ? debug_object_assert_init+0x2dd/0x4b0
[   74.955198][ T5315]  ? __pfx_debug_object_assert_init+0x10/0x10
[   74.957545][ T5315]  ? mark_lock+0x9a/0x360
[   74.959231][ T5315]  __lock_acquire+0x1397/0x2100
[   74.961272][ T5315]  lock_acquire+0x1ed/0x550
[   74.963045][ T5315]  ? sco_chan_del+0x74/0x180
[   74.964756][ T5315]  ? __pfx_lock_acquire+0x10/0x10
[   74.966600][ T5315]  ? lockdep_hardirqs_on+0x99/0x150
[   74.968503][ T5315]  ? __cancel_work+0x2ee/0x390
[   74.970184][ T5315]  ? __pfx___cancel_work+0x10/0x10
[   74.972102][ T5315]  ? __sco_sock_close+0xe8/0x310
[   74.973959][ T5315]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   74.976243][ T5315]  ? __sco_sock_close+0xe8/0x310
[   74.978598][ T5315]  _raw_spin_lock+0x2e/0x40
[   74.980309][ T5315]  ? sco_chan_del+0x74/0x180
[   74.982540][ T5315]  sco_chan_del+0x74/0x180
[   74.984280][ T5315]  __sco_sock_close+0x152/0x310
[   74.986068][ T5315]  sco_sock_release+0xb3/0x320
[   74.987885][ T5315]  sock_close+0xbc/0x240
[   74.989422][ T5315]  ? __pfx_sock_close+0x10/0x10
[   74.991142][ T5315]  __fput+0x23c/0xa50
[   74.992583][ T5315]  task_work_run+0x24f/0x310
[   74.994442][ T5315]  ? _raw_spin_unlock+0x28/0x50
[   74.996314][ T5315]  ? __pfx_task_work_run+0x10/0x10
[   74.998372][ T5315]  ? syscall_exit_to_user_mode+0xa3/0x340
[   75.000508][ T5315]  syscall_exit_to_user_mode+0x13f/0x340
[   75.002538][ T5315]  do_syscall_64+0x100/0x230
[   75.004402][ T5315]  ? clear_bhb_loop+0x35/0x90
[   75.006081][ T5315]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.008299][ T5315] RIP: 0033:0x7fec5bb85d29
[   75.009959][ T5315] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   75.017587][ T5315] RSP: 002b:00007fff44ba3a58 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   75.020616][ T5315] RAX: 0000000000000000 RBX: 00007fec5bd77ba0 RCX: 00007fec5bb85d29
[   75.023458][ T5315] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   75.026534][ T5315] RBP: 00007fec5bd77ba0 R08: 00000000000204f4 R09: 00007fff44ba3d4f
[   75.029541][ T5315] R10: 00007fec5bd77ac0 R11: 0000000000000246 R12: 0000000000012384
[   75.032539][ T5315] R13: 00007fec5bd76080 R14: 0000000000000032 R15: ffffffffffffffff
[   75.035680][ T5315]  </TASK>
[   75.907283][ T4663] Bluetooth: hci0: command tx timeout
[   76.149303][ T1308] ieee802154 phy0 wpan0: encryption failed: -22
[   76.151730][ T1308] ieee802154 phy1 wpan1: encryption failed: -22