program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000040)='./control\x00', 0x200080, &(0x7f0000000200), 0x3, 0x569, &(0x7f0000000580)="$eJzs3c+PG1cdAPDvzP6wk6bdBHqAqpAAhYCieLNOG1W9NLmAUFUJUXFAHNJl11ktseMQe0t3icT2bwAJBCf4EzggcUDqiQM3jkgcEFI5IAWIQAkCJKMZz26crK068a9m9/ORJvPjzZvve3HG782z4xfAkXUmInYjYjEi3o6IpeJ4Uixxubtk5927e3vt/t3ba0l0Om/9PcnTs2PRkyfzTHHNckR8/SsR304Oxm1t71xfrddrt4r95Xbj5nJre+f8ZmN1o7ZRu1GtXlq5dOHVi69Ux1bX041f3vny5hvf+M2vP/XB73e/9P2sWCeKtN56jFO36gv7cTLzEfHGJILNwFyxXjyQ8mL/DJcnWx4eTxoRH4uIz+b3/1LM5f86AYDDrNP5aXSWevcBgMMue/4/UU7SSkSkadEJqHTH8J6P42m92Wqfu9bcurHeHSs7GQvptc167cKp0h+/m5+8kGT7K3lanp7vVx/ZvxgRpyLiR6Vj+X5lrVlfn02XBwCOvGfyz8CK9j8i/lVK00plqKx9PtUDAJ4a5VkXAACYut72vzTDcgAA0+P5HwCOniHa/+LD/t2JlwUAmA7P/wBw9Gj/AeDoedz233cEAeCp9rU338yWzv3i96/X39neut585/x6rXW90thaq6w1b92sbDSbG/lv9jQeynysZ7voE9SbzZsrL8fWu8vtWqu93Nreudpobt1oX81/1/tqbWGqtQMA+jl1+v0/JBGx+9qxfImeuRy01XC4pbMuADAzc6Nk1kGAp9qTzfb1n7GXA5i+oZrwvJPwu4mXBZiNvj/mXe67+bCfPEYQ3zOGj5Sznxx+/P/gHM/A08z4PxxdTzb+//rYywFM35ON/wOHQaeTPDrn/+J+EgBwKI3wFb7OD8bVCQFm6sMm8x7L5/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwyJyIiO9EklbyucDT7M+0Uol4NiJOxkJybbNeuxARz8XpiFgoZfsrsy40ADCi9K9JMf/X2aWXTjyaupj8u5SvI+J7P3vrx++uttu3VrLj/9g/XtqbPqz6IN8I8woCAMPplIY8MW+/q8W650H+3t3ba3vLpArZz50r8b9iKuK1+3dv50s3ZT6ygxHlvC9x/J9JzBd5yhHxQkTMjSH+7nsR8Yl+9U/ysZGTxcynvfGjiP3sVOOnD8VP87TuOut8fXwMZYGj5v0rEXG53/2Xxpl83f/+L+fvUKO7c6V7sb33vvs98eeLSHN94mf3/JlhY7z8268eONhZ6qa9F/HCfL/4yX78ZED8l4aM/6cXP/3D1wekdX4ecTb6x++Ntdxu3Fxube+c32ysbtQ2ylGtXlq5dOHVi69Ul/Mx6uW9keqD/vbauecGlS2r//EB8ct967+4n/fzQ9b/F/99+1ufebBbejT+Fz/X//V/vm/8rqxN/MLDYTqD4q8e/9XA6buz+OsD6v9hr/+5YSofER/8ZWd9yFMBgClobe9cX63Xa7dG2sieQsdxnQMbWRGHO3mvuzha0D/HJGrxhBsLk/pbnfjG/H5fcbxX/mZ2xSlXJx17LUbauDetWLN7TwKm48FNP+uSAAAAAAAAAAAAAAAAg0zjvy7Nuo4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcXv8PAAD//4vC0Ck=")
r1 = io_uring_setup(0x203c, &(0x7f00000000c0)={0x0, 0xd4b5, 0x0, 0x3})
r2 = io_uring_register$IORING_REGISTER_PERSONALITY(r1, 0x9, 0x0, 0x0)
io_uring_register$IORING_UNREGISTER_PERSONALITY(r1, 0x16, 0x20000002, r2)
socket$vsock_stream(0x28, 0x1, 0x0)
[ 58.457985][ T4660] BUG: sleeping function called from invalid context at net/core/sock.c:3627
[ 58.461773][ T4660] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4660, name: kworker/u5:1
[ 58.465108][ T4660] preempt_count: 1, expected: 0
[ 58.466961][ T4660] RCU nest depth: 0, expected: 0
[ 58.474727][ T4660] 5 locks held by kworker/u5:1/4660:
[ 58.481146][ T4660] #0: ffff888040b5d948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[ 58.486289][ T4660] #1: ffffc9000e10fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[ 58.491624][ T4660] #2: ffff88803fa28078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[ 58.495695][ T4660] #3: ffff88801203fa20 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[ 58.499536][ T4660] #4: ffff888045dd9258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[ 58.503848][ T4660] Preemption disabled at:
[ 58.503860][ T4660] [<0000000000000000>] 0x0
[ 58.507032][ T4660] CPU: 0 UID: 0 PID: 4660 Comm: kworker/u5:1 Not tainted 6.13.0-rc6-syzkaller-00051-geea6e4b4dfb8 #0
[ 58.511108][ T4660] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 58.514936][ T4660] Workqueue: hci0 hci_rx_work
[ 58.516781][ T4660] Call Trace:
[ 58.518118][ T4660] <TASK>
[ 58.519301][ T4660] dump_stack_lvl+0x241/0x360
[ 58.521114][ T4660] ? __pfx_dump_stack_lvl+0x10/0x10
[ 58.523080][ T4660] ? __pfx__printk+0x10/0x10
[ 58.524915][ T4660] __might_resched+0x5d4/0x780
[ 58.526752][ T4660] ? __pfx_lock_acquire+0x10/0x10
[ 58.528702][ T4660] ? __pfx___might_resched+0x10/0x10
[ 58.530748][ T4660] ? __pfx_lock_release+0x10/0x10
[ 58.532480][ T4660] ? do_raw_spin_lock+0x14f/0x370
[ 58.534345][ T4660] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 58.536268][ T4660] lock_sock_nested+0x5d/0x100
[ 58.538004][ T4660] sco_connect_cfm+0x439/0xae0
[ 58.539845][ T4660] ? hci_cb_lookup+0x1b3/0x3c0
[ 58.541605][ T4660] ? __pfx_sco_connect_cfm+0x10/0x10
[ 58.543613][ T4660] ? hci_cb_lookup+0x3a0/0x3c0
[ 58.545463][ T4660] ? __pfx_sco_connect_cfm+0x10/0x10
[ 58.547302][ T4660] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 58.549203][ T4660] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 58.551366][ T4660] ? skb_pull_data+0x112/0x230
[ 58.553313][ T4660] hci_event_packet+0xac2/0x1540
[ 58.555151][ T4660] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 58.557566][ T4660] ? __pfx_hci_event_packet+0x10/0x10
[ 58.559546][ T4660] ? do_raw_spin_unlock+0x58/0x8b0
[ 58.561674][ T4660] ? hci_send_to_monitor+0xd8/0x7f0
[ 58.563666][ T4660] ? kcov_remote_start+0x97/0x7d0
[ 58.565533][ T4660] hci_rx_work+0x3f3/0xdb0
[ 58.567180][ T4660] ? process_scheduled_works+0x976/0x1840
[ 58.569450][ T4660] process_scheduled_works+0xa66/0x1840
[ 58.571533][ T4660] ? __pfx_process_scheduled_works+0x10/0x10
[ 58.573690][ T4660] ? assign_work+0x364/0x3d0
[ 58.575451][ T4660] worker_thread+0x870/0xd30
[ 58.577203][ T4660] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 58.579385][ T4660] ? __kthread_parkme+0x169/0x1d0
[ 58.581263][ T4660] ? __pfx_worker_thread+0x10/0x10
[ 58.583170][ T4660] kthread+0x2f0/0x390
[ 58.584734][ T4660] ? __pfx_worker_thread+0x10/0x10
[ 58.586644][ T4660] ? __pfx_kthread+0x10/0x10
[ 58.588418][ T4660] ret_from_fork+0x4b/0x80
[ 58.590270][ T4660] ? __pfx_kthread+0x10/0x10
[ 58.592343][ T4660] ret_from_fork_asm+0x1a/0x30
[ 58.594726][ T4660] </TASK>
[ 58.624461][ T5312] loop0: detected capacity change from 0 to 512
[ 58.675837][ T5312] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[ 58.681776][ T5312] ext4 filesystem being mounted at /0/control supports timestamps until 2038-01-19 (0x7fffffff)
[ 58.701366][ T5311]
[ 58.702283][ T5311] ======================================================
[ 58.704831][ T5311] WARNING: possible circular locking dependency detected
[ 58.707643][ T5311] 6.13.0-rc6-syzkaller-00051-geea6e4b4dfb8 #0 Tainted: G W
[ 58.710892][ T5311] ------------------------------------------------------
[ 58.713478][ T5311] syz.0.0/5311 is trying to acquire lock:
[ 58.715417][ T5311] ffff88801203fa20 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 58.718231][ T5311]
[ 58.718231][ T5311] but task is already holding lock:
[ 58.721006][ T5311] ffff888045dde258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 58.724711][ T5311]
[ 58.724711][ T5311] which lock already depends on the new lock.
[ 58.724711][ T5311]
[ 58.728517][ T5311]
[ 58.728517][ T5311] the existing dependency chain (in reverse order) is:
[ 58.731584][ T5311]
[ 58.731584][ T5311] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 58.734550][ T5311] lock_acquire+0x1ed/0x550
[ 58.736628][ T5311] lock_sock_nested+0x48/0x100
[ 58.738643][ T5311] bt_accept_dequeue+0xfa/0x570
[ 58.740696][ T5311] __sco_sock_close+0xd2/0x310
[ 58.742713][ T5311] sco_sock_release+0xb3/0x320
[ 58.744733][ T5311] sock_close+0xbc/0x240
[ 58.746550][ T5311] __fput+0x23c/0xa50
[ 58.748508][ T5311] task_work_run+0x24f/0x310
[ 58.750740][ T5311] syscall_exit_to_user_mode+0x13f/0x340
[ 58.753101][ T5311] do_syscall_64+0x100/0x230
[ 58.755013][ T5311] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 58.757370][ T5311]
[ 58.757370][ T5311] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 58.760678][ T5311] lock_acquire+0x1ed/0x550
[ 58.762464][ T5311] lock_sock_nested+0x48/0x100
[ 58.764438][ T5311] sco_connect_cfm+0x439/0xae0
[ 58.766492][ T5311] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 58.768823][ T5311] hci_event_packet+0xac2/0x1540
[ 58.771003][ T5311] hci_rx_work+0x3f3/0xdb0
[ 58.772811][ T5311] process_scheduled_works+0xa66/0x1840
[ 58.774968][ T5311] worker_thread+0x870/0xd30
[ 58.777220][ T5311] kthread+0x2f0/0x390
[ 58.779110][ T5311] ret_from_fork+0x4b/0x80
[ 58.781232][ T5311] ret_from_fork_asm+0x1a/0x30
[ 58.783353][ T5311]
[ 58.783353][ T5311] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[ 58.786176][ T5311] validate_chain+0x18ef/0x5920
[ 58.787904][ T5311] __lock_acquire+0x1397/0x2100
[ 58.789966][ T5311] lock_acquire+0x1ed/0x550
[ 58.791721][ T5311] _raw_spin_lock+0x2e/0x40
[ 58.793431][ T5311] sco_chan_del+0x74/0x180
[ 58.795121][ T5311] __sco_sock_close+0x152/0x310
[ 58.796914][ T5311] sco_sock_release+0xb3/0x320
[ 58.798705][ T5311] sock_close+0xbc/0x240
[ 58.800326][ T5311] __fput+0x23c/0xa50
[ 58.801869][ T5311] task_work_run+0x24f/0x310
[ 58.803678][ T5311] syscall_exit_to_user_mode+0x13f/0x340
[ 58.806042][ T5311] do_syscall_64+0x100/0x230
[ 58.808046][ T5311] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 58.810876][ T5311]
[ 58.810876][ T5311] other info that might help us debug this:
[ 58.810876][ T5311]
[ 58.814561][ T5311] Chain exists of:
[ 58.814561][ T5311] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 58.814561][ T5311]
[ 58.819983][ T5311] Possible unsafe locking scenario:
[ 58.819983][ T5311]
[ 58.822815][ T5311] CPU0 CPU1
[ 58.824794][ T5311] ---- ----
[ 58.826648][ T5311] lock(sk_lock-AF_BLUETOOTH);
[ 58.828401][ T5311] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 58.831519][ T5311] lock(sk_lock-AF_BLUETOOTH);
[ 58.834302][ T5311] lock(&conn->lock#2);
[ 58.835900][ T5311]
[ 58.835900][ T5311] *** DEADLOCK ***
[ 58.835900][ T5311]
[ 58.838831][ T5311] 3 locks held by syz.0.0/5311:
[ 58.840566][ T5311] #0: ffff88801cda4e08 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 58.844089][ T5311] #1: ffff888045dd9258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 58.848038][ T5311] #2: ffff888045dde258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 58.851822][ T5311]
[ 58.851822][ T5311] stack backtrace:
[ 58.853982][ T5311] CPU: 0 UID: 0 PID: 5311 Comm: syz.0.0 Tainted: G W 6.13.0-rc6-syzkaller-00051-geea6e4b4dfb8 #0
[ 58.858393][ T5311] Tainted: [W]=WARN
[ 58.859835][ T5311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 58.863761][ T5311] Call Trace:
[ 58.865019][ T5311] <TASK>
[ 58.866137][ T5311] dump_stack_lvl+0x241/0x360
[ 58.867855][ T5311] ? __pfx_dump_stack_lvl+0x10/0x10
[ 58.869844][ T5311] ? __pfx__printk+0x10/0x10
[ 58.871637][ T5311] print_circular_bug+0x13a/0x1b0
[ 58.873569][ T5311] check_noncircular+0x36a/0x4a0
[ 58.875636][ T5311] ? __pfx_check_noncircular+0x10/0x10
[ 58.877656][ T5311] ? lockdep_lock+0x123/0x2b0
[ 58.879475][ T5311] validate_chain+0x18ef/0x5920
[ 58.881405][ T5311] ? debug_object_assert_init+0x2dd/0x4b0
[ 58.883487][ T5311] ? do_raw_spin_unlock+0x58/0x8b0
[ 58.885195][ T5311] ? __pfx_validate_chain+0x10/0x10
[ 58.887045][ T5311] ? __pfx_stack_trace_save+0x10/0x10
[ 58.889100][ T5311] ? debug_object_assert_init+0x2dd/0x4b0
[ 58.891330][ T5311] ? __pfx_debug_object_assert_init+0x10/0x10
[ 58.893718][ T5311] ? mark_lock+0x9a/0x360
[ 58.895253][ T5311] __lock_acquire+0x1397/0x2100
[ 58.897081][ T5311] lock_acquire+0x1ed/0x550
[ 58.898842][ T5311] ? sco_chan_del+0x74/0x180
[ 58.900709][ T5311] ? __pfx_lock_acquire+0x10/0x10
[ 58.902660][ T5311] ? lockdep_hardirqs_on+0x99/0x150
[ 58.904670][ T5311] ? __cancel_work+0x2ee/0x390
[ 58.906405][ T5311] ? __pfx___cancel_work+0x10/0x10
[ 58.908317][ T5311] ? __sco_sock_close+0xe8/0x310
[ 58.910182][ T5311] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 58.912387][ T5311] ? __sco_sock_close+0xe8/0x310
[ 58.914562][ T5311] _raw_spin_lock+0x2e/0x40
[ 58.916387][ T5311] ? sco_chan_del+0x74/0x180
[ 58.918176][ T5311] sco_chan_del+0x74/0x180
[ 58.919819][ T5311] __sco_sock_close+0x152/0x310
[ 58.921683][ T5311] sco_sock_release+0xb3/0x320
[ 58.923437][ T5311] sock_close+0xbc/0x240
[ 58.925090][ T5311] ? __pfx_sock_close+0x10/0x10
[ 58.927040][ T5311] __fput+0x23c/0xa50
[ 58.928551][ T5311] task_work_run+0x24f/0x310
[ 58.930421][ T5311] ? _raw_spin_unlock+0x28/0x50
[ 58.932345][ T5311] ? __pfx_task_work_run+0x10/0x10
[ 58.934472][ T5311] ? syscall_exit_to_user_mode+0xa3/0x340
[ 58.936655][ T5311] syscall_exit_to_user_mode+0x13f/0x340
[ 58.938869][ T5311] do_syscall_64+0x100/0x230
[ 58.940790][ T5311] ? clear_bhb_loop+0x35/0x90
[ 58.942615][ T5311] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 58.944877][ T5311] RIP: 0033:0x7f2ddb585d29
[ 58.946561][ T5311] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 58.953742][ T5311] RSP: 002b:00007ffda0462f38 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 58.956902][ T5311] RAX: 0000000000000000 RBX: 000000000000e3cf RCX: 00007f2ddb585d29
[ 58.960021][ T5311] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 58.962792][ T5311] RBP: 00007f2ddb777ba0 R08: 0000000000000001 R09: 00007ffda046322f
[ 58.965511][ T5311] R10: 00007f2ddb3ff034 R11: 0000000000000246 R12: 000000000000e4fd
[ 58.968294][ T5311] R13: 00007f2ddb775fa0 R14: 0000000000000032 R15: ffffffffffffffff
[ 58.971349][ T5311] </TASK>
[ 58.977072][ T4660] Bluetooth: hci0: command tx timeout