program:
# Reproducer: exercises the Bluetooth SCO socket layer from userspace while
# injecting HCI packets through the virtual HCI (vhci) interface. The kernel
# log that follows shows it ending in a "sleeping function called from invalid
# context" splat (lock_sock_nested called from sco_connect_cfm while
# &conn->lock is held) and then a lockdep circular-dependency warning raised
# from __sco_sock_close when the socket is released.
# r0 = AF_BLUETOOTH (0x1f) / SOCK_SEQPACKET (0x5) / BTPROTO_SCO (0x2) socket.
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# Bind to the 8-byte sockaddr at 0x7f0000000200 (its contents are not shown in
# this excerpt) and move the socket to the listening state (backlog 0).
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
# Inject a raw 0xd-byte HCI packet whose first bytes are 04 04; the blob is not
# expanded here, so the exact event it encodes is not visible -- confirm against
# the syzkaller descriptions before relying on it.
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
# Inject an HCI_EVENT_PKT (0x4) carrying an hci_ev_sync_conn_complete event
# (0x14 bytes). Per the trace below it is processed on the hci0 rx workqueue by
# hci_sync_conn_complete_evt -> sco_connect_cfm, which takes the socket lock
# (a sleeping lock) with the conn->lock spinlock held -- the first BUG in the log.
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
[ 82.803710][ T5093] Bluetooth: hci0: command tx timeout
[ 83.933522][ T5093] BUG: sleeping function called from invalid context at net/core/sock.c:3613
[ 83.936923][ T5093] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5093, name: kworker/u5:2
[ 83.941117][ T5093] preempt_count: 1, expected: 0
[ 83.943408][ T5093] RCU nest depth: 0, expected: 0
[ 83.946399][ T5093] 6 locks held by kworker/u5:2/5093:
[ 83.949183][ T5093] #0: ffff88801274b948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[ 83.952843][ T5093] #1: ffffc90002fbfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[ 83.957283][ T5093] #2: ffff88803e328078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[ 83.961518][ T5093] #3: ffffffff8fe3e2e8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[ 83.966652][ T5093] #4: ffff88803dd41c20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40
[ 83.971373][ T5093] #5: ffff8880361d6258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40
[ 83.975940][ T5093] Preemption disabled at:
[ 83.975954][ T5093] [<0000000000000000>] 0x0
[ 83.980188][ T5093] CPU: 0 UID: 0 PID: 5093 Comm: kworker/u5:2 Not tainted 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0
[ 83.985527][ T5093] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 83.989532][ T5093] Workqueue: hci0 hci_rx_work
[ 83.991276][ T5093] Call Trace:
[ 83.992533][ T5093]
[ 83.993665][ T5093] dump_stack_lvl+0x241/0x360
[ 83.995608][ T5093] ? __pfx_dump_stack_lvl+0x10/0x10
[ 83.997683][ T5093] ? __pfx__printk+0x10/0x10
[ 83.999856][ T5093] __might_resched+0x5d4/0x780
[ 84.002087][ T5093] ? __pfx_lock_acquire+0x10/0x10
[ 84.004152][ T5093] ? __pfx___might_resched+0x10/0x10
[ 84.006236][ T5093] ? __pfx_lock_release+0x10/0x10
[ 84.008249][ T5093] ? do_raw_spin_lock+0x14f/0x370
[ 84.010182][ T5093] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 84.012147][ T5093] lock_sock_nested+0x5d/0x100
[ 84.013903][ T5093] sco_connect_cfm+0x461/0xb40
[ 84.015860][ T5093] ? __pfx_sco_connect_cfm+0x10/0x10
[ 84.018010][ T5093] ? hci_conn_add_sysfs+0xfc/0x200
[ 84.020028][ T5093] ? __pfx_sco_connect_cfm+0x10/0x10
[ 84.021904][ T5093] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 84.023906][ T5093] hci_event_packet+0xac2/0x1540
[ 84.025664][ T5093] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 84.027885][ T5093] ? __pfx_hci_event_packet+0x10/0x10
[ 84.029624][ T5093] ? set_advertising_complete+0x600/0x6f0
[ 84.031591][ T5093] ? kcov_remote_start+0x97/0x7d0
[ 84.033525][ T5093] hci_rx_work+0x3fe/0xd80
[ 84.035396][ T5093] ? process_scheduled_works+0x976/0x1850
[ 84.037982][ T5093] process_scheduled_works+0xa63/0x1850
[ 84.040234][ T5093] ? __pfx_process_scheduled_works+0x10/0x10
[ 84.042465][ T5093] ? assign_work+0x364/0x3d0
[ 84.044163][ T5093] worker_thread+0x870/0xd30
[ 84.045630][ T5093] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 84.047700][ T5093] ? __kthread_parkme+0x169/0x1d0
[ 84.049483][ T5093] ? __pfx_worker_thread+0x10/0x10
[ 84.051437][ T5093] kthread+0x2f0/0x390
[ 84.053009][ T5093] ? __pfx_worker_thread+0x10/0x10
[ 84.055094][ T5093] ? __pfx_kthread+0x10/0x10
[ 84.057166][ T5093] ret_from_fork+0x4b/0x80
[ 84.058871][ T5093] ? __pfx_kthread+0x10/0x10
[ 84.060812][ T5093] ret_from_fork_asm+0x1a/0x30
[ 84.062735][ T5093]
[ 84.082451][ T5107]
[ 84.083586][ T5107] ======================================================
[ 84.086735][ T5107] WARNING: possible circular locking dependency detected
[ 84.089974][ T5107] 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0 Tainted: G W
[ 84.092983][ T5107] ------------------------------------------------------
[ 84.095132][ T5107] syz.0.0/5107 is trying to acquire lock:
[ 84.096921][ T5107] ffff88803dd41c20 (&conn->lock#2){+.+.}-{2:2}, at: __sco_sock_close+0x338/0x570
[ 84.100281][ T5107]
[ 84.100281][ T5107] but task is already holding lock:
[ 84.103014][ T5107] ffff8880361d4258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 84.107115][ T5107]
[ 84.107115][ T5107] which lock already depends on the new lock.
[ 84.107115][ T5107]
[ 84.111177][ T5107]
[ 84.111177][ T5107] the existing dependency chain (in reverse order) is:
[ 84.114663][ T5107]
[ 84.114663][ T5107] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 84.117558][ T5107] lock_acquire+0x1ed/0x550
[ 84.119353][ T5107] lock_sock_nested+0x48/0x100
[ 84.121674][ T5107] bt_accept_dequeue+0xfa/0x570
[ 84.124064][ T5107] __sco_sock_close+0xd6/0x570
[ 84.126278][ T5107] sco_sock_release+0xb3/0x320
[ 84.128041][ T5107] sock_close+0xbc/0x240
[ 84.129733][ T5107] __fput+0x23f/0x880
[ 84.131446][ T5107] task_work_run+0x24f/0x310
[ 84.133240][ T5107] syscall_exit_to_user_mode+0x168/0x370
[ 84.135528][ T5107] do_syscall_64+0x100/0x230
[ 84.137775][ T5107] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.140744][ T5107]
[ 84.140744][ T5107] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 84.144197][ T5107] lock_acquire+0x1ed/0x550
[ 84.146183][ T5107] lock_sock_nested+0x48/0x100
[ 84.148313][ T5107] sco_connect_cfm+0x461/0xb40
[ 84.150506][ T5107] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 84.153312][ T5107] hci_event_packet+0xac2/0x1540
[ 84.155717][ T5107] hci_rx_work+0x3fe/0xd80
[ 84.157737][ T5107] process_scheduled_works+0xa63/0x1850
[ 84.160318][ T5107] worker_thread+0x870/0xd30
[ 84.162404][ T5107] kthread+0x2f0/0x390
[ 84.164512][ T5107] ret_from_fork+0x4b/0x80
[ 84.166841][ T5107] ret_from_fork_asm+0x1a/0x30
[ 84.170482][ T5107]
[ 84.170482][ T5107] -> #0 (&conn->lock#2){+.+.}-{2:2}:
[ 84.174516][ T5107] validate_chain+0x18ef/0x5920
[ 84.176464][ T5107] __lock_acquire+0x1384/0x2050
[ 84.178768][ T5107] lock_acquire+0x1ed/0x550
[ 84.180314][ T5107] _raw_spin_lock+0x2e/0x40
[ 84.182338][ T5107] __sco_sock_close+0x338/0x570
[ 84.184490][ T5107] __sco_sock_close+0x154/0x570
[ 84.186655][ T5107] sco_sock_release+0xb3/0x320
[ 84.188811][ T5107] sock_close+0xbc/0x240
[ 84.190859][ T5107] __fput+0x23f/0x880
[ 84.193311][ T5107] task_work_run+0x24f/0x310
[ 84.195614][ T5107] syscall_exit_to_user_mode+0x168/0x370
[ 84.197769][ T5107] do_syscall_64+0x100/0x230
[ 84.199713][ T5107] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.202250][ T5107]
[ 84.202250][ T5107] other info that might help us debug this:
[ 84.202250][ T5107]
[ 84.206246][ T5107] Chain exists of:
[ 84.206246][ T5107] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 84.206246][ T5107]
[ 84.212917][ T5107] Possible unsafe locking scenario:
[ 84.212917][ T5107]
[ 84.216048][ T5107]        CPU0                    CPU1
[ 84.218161][ T5107]        ----                    ----
[ 84.220165][ T5107]   lock(sk_lock-AF_BLUETOOTH);
[ 84.222060][ T5107]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 84.226225][ T5107]                                lock(sk_lock-AF_BLUETOOTH);
[ 84.229882][ T5107]   lock(&conn->lock#2);
[ 84.231556][ T5107]
[ 84.231556][ T5107] *** DEADLOCK ***
[ 84.231556][ T5107]
[ 84.234050][ T5107] 3 locks held by syz.0.0/5107:
[ 84.235682][ T5107] #0: ffff88803c4c6608 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: sock_close+0x90/0x240
[ 84.238954][ T5107] #1: ffff8880361d6258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 84.242496][ T5107] #2: ffff8880361d4258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 84.246260][ T5107]
[ 84.246260][ T5107] stack backtrace:
[ 84.248992][ T5107] CPU: 0 UID: 0 PID: 5107 Comm: syz.0.0 Tainted: G W 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0
[ 84.253451][ T5107] Tainted: [W]=WARN
[ 84.254833][ T5107] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 84.258291][ T5107] Call Trace:
[ 84.259596][ T5107]
[ 84.260902][ T5107] dump_stack_lvl+0x241/0x360
[ 84.263039][ T5107] ? __pfx_dump_stack_lvl+0x10/0x10
[ 84.265407][ T5107] ? __pfx__printk+0x10/0x10
[ 84.267351][ T5107] print_circular_bug+0x13a/0x1b0
[ 84.269196][ T5107] check_noncircular+0x36a/0x4a0
[ 84.270947][ T5107] ? mark_lock+0x9a/0x360
[ 84.272373][ T5107] ? __pfx_check_noncircular+0x10/0x10
[ 84.274394][ T5107] ? lockdep_lock+0x123/0x2b0
[ 84.276425][ T5107] validate_chain+0x18ef/0x5920
[ 84.278623][ T5107] ? __pfx_validate_chain+0x10/0x10
[ 84.281052][ T5107] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 84.283441][ T5107] ? __mod_timer+0xb89/0xeb0
[ 84.285050][ T5107] ? __pfx_lock_release+0x10/0x10
[ 84.287139][ T5107] ? do_raw_spin_unlock+0x58/0x8b0
[ 84.289099][ T5107] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 84.291970][ T5107] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 84.295217][ T5107] ? mark_lock+0x9a/0x360
[ 84.296883][ T5107] __lock_acquire+0x1384/0x2050
[ 84.298627][ T5107] lock_acquire+0x1ed/0x550
[ 84.300279][ T5107] ? __sco_sock_close+0x338/0x570
[ 84.302158][ T5107] ? __pfx_lock_acquire+0x10/0x10
[ 84.303930][ T5107] ? queue_delayed_work_on+0x267/0x390
[ 84.305759][ T5107] ? __pfx_queue_delayed_work_on+0x10/0x10
[ 84.307639][ T5107] ? __pfx___cancel_work+0x10/0x10
[ 84.309408][ T5107] ? __cancel_work+0x2ee/0x390
[ 84.311114][ T5107] ? __pfx___cancel_work+0x10/0x10
[ 84.312982][ T5107] ? __sco_sock_close+0xec/0x570
[ 84.314713][ T5107] _raw_spin_lock+0x2e/0x40
[ 84.316291][ T5107] ? __sco_sock_close+0x338/0x570
[ 84.318068][ T5107] __sco_sock_close+0x338/0x570
[ 84.319712][ T5107] __sco_sock_close+0x154/0x570
[ 84.321320][ T5107] sco_sock_release+0xb3/0x320
[ 84.322958][ T5107] sock_close+0xbc/0x240
[ 84.325406][ T5107] ? __pfx_sock_close+0x10/0x10
[ 84.327153][ T5107] __fput+0x23f/0x880
[ 84.328525][ T5107] task_work_run+0x24f/0x310
[ 84.330007][ T5107] ? __pfx_task_work_run+0x10/0x10
[ 84.331985][ T5107] ? syscall_exit_to_user_mode+0xa3/0x370
[ 84.334032][ T5107] syscall_exit_to_user_mode+0x168/0x370
[ 84.335989][ T5107] do_syscall_64+0x100/0x230
[ 84.337561][ T5107] ? clear_bhb_loop+0x35/0x90
[ 84.339434][ T5107] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.341914][ T5107] RIP: 0033:0x7ff86297dff9
[ 84.343745][ T5107] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 84.351241][ T5107] RSP: 002b:00007ffe0f2e64e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 84.354308][ T5107] RAX: 0000000000000000 RBX: 00007ff862b37a80 RCX: 00007ff86297dff9
[ 84.357226][ T5107] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 84.360837][ T5107] RBP: 00007ff862b37a80 R08: 0000000000000006 R09: 00007ffe0f2e67df
[ 84.364755][ T5107] R10: 0000000000df9918 R11: 0000000000000246 R12: 0000000000014a86
[ 84.367861][ T5107] R13: 00007ffe0f2e65f0 R14: 0000000000000032 R15: ffffffffffffffff
[ 84.370937][ T5107]