program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
bpf$BPF_BTF_LOAD(0x12, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
syz_clone(0x28280000, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc)
write$cgroup_type(0xffffffffffffffff, 0x0, 0x0)
perf_event_open(&(0x7f0000000380)={0x2, 0x80, 0xc, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f0000000780)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5d31, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
bpf$BPF_PROG_TEST_RUN(0xa, 0x0, 0x0)
r1 = syz_open_dev$dri(&(0x7f0000000340), 0x2, 0x40502)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r1, 0xc00864bf, &(0x7f0000000100)={0x0, 0x1})
r2 = syz_open_dev$dri(&(0x7f0000000000), 0x2, 0x2000)
setrlimit(0x7, &(0x7f0000000000)={0x0, 0x9})
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r2, 0xc00864bf, &(0x7f00000003c0)={<r3=>0x0})
ioctl$DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD_FD(r1, 0xc01064c1, &(0x7f0000000040)={r3})
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000000)={0x9, 0x8, &(0x7f0000000140)=@framed={{}, [@alu={0x6, 0x0, 0x3, 0x0, 0x0, 0x3}, @cb_func={0x18, 0x0, 0x4, 0x0, 0x3}, @alu={0x4}, @exit], {0x95, 0x2}}, &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[   58.766077][ T5300] BUG: sleeping function called from invalid context at net/core/sock.c:3624
[   58.769497][ T5300] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5300, name: kworker/u5:2
[   58.772822][ T5300] preempt_count: 1, expected: 0
[   58.774569][ T5300] RCU nest depth: 0, expected: 0
[   58.776448][ T5300] 5 locks held by kworker/u5:2/5300:
[   58.778315][ T5300]  #0: ffff888035a44948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[   58.782541][ T5300]  #1: ffffc9000d497d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[   58.787364][ T5300]  #2: ffff8880438f8078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[   58.791739][ T5300]  #3: ffff88803ecd5e20 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[   58.795377][ T5300]  #4: ffff88803692a258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[   58.799917][ T5300] Preemption disabled at:
[   58.799929][ T5300] [<0000000000000000>] 0x0
[   58.803369][ T5300] CPU: 0 UID: 0 PID: 5300 Comm: kworker/u5:2 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
[   58.807506][ T5300] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.811645][ T5300] Workqueue: hci0 hci_rx_work
[   58.813496][ T5300] Call Trace:
[   58.814798][ T5300]  <TASK>
[   58.815956][ T5300]  dump_stack_lvl+0x241/0x360
[   58.818030][ T5300]  ? __pfx_dump_stack_lvl+0x10/0x10
[   58.820079][ T5300]  ? __pfx__printk+0x10/0x10
[   58.821832][ T5300]  __might_resched+0x5d4/0x780
[   58.823669][ T5300]  ? __pfx_lock_acquire+0x10/0x10
[   58.825536][ T5300]  ? __pfx___might_resched+0x10/0x10
[   58.827527][ T5300]  ? __pfx_lock_release+0x10/0x10
[   58.829436][ T5300]  ? do_raw_spin_lock+0x14f/0x370
[   58.831367][ T5300]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   58.833346][ T5300]  lock_sock_nested+0x5d/0x100
[   58.835156][ T5300]  sco_connect_cfm+0x439/0xae0
[   58.836902][ T5300]  ? hci_cb_lookup+0x1b3/0x3c0
[   58.838713][ T5300]  ? __pfx_sco_connect_cfm+0x10/0x10
[   58.840933][ T5300]  ? hci_cb_lookup+0x3a0/0x3c0
[   58.842758][ T5300]  ? __pfx_sco_connect_cfm+0x10/0x10
[   58.844810][ T5300]  hci_sync_conn_complete_evt+0x6f1/0xb50
[   58.846918][ T5300]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   58.849496][ T5300]  ? skb_pull_data+0x112/0x230
[   58.851261][ T5300]  hci_event_packet+0xac2/0x1540
[   58.853067][ T5300]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   58.855421][ T5300]  ? __pfx_hci_event_packet+0x10/0x10
[   58.857450][ T5300]  ? do_raw_spin_unlock+0x58/0x8b0
[   58.859412][ T5300]  ? hci_send_to_monitor+0xd8/0x7f0
[   58.861485][ T5300]  ? kcov_remote_start+0x97/0x7d0
[   58.863449][ T5300]  hci_rx_work+0x3f3/0xdb0
[   58.865185][ T5300]  ? process_scheduled_works+0x976/0x1840
[   58.867471][ T5300]  process_scheduled_works+0xa66/0x1840
[   58.869638][ T5300]  ? __pfx_process_scheduled_works+0x10/0x10
[   58.872071][ T5300]  ? assign_work+0x364/0x3d0
[   58.873951][ T5300]  worker_thread+0x870/0xd30
[   58.875599][ T5300]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   58.877887][ T5300]  ? __kthread_parkme+0x169/0x1d0
[   58.879888][ T5300]  ? __pfx_worker_thread+0x10/0x10
[   58.881824][ T5300]  kthread+0x2f0/0x390
[   58.883414][ T5300]  ? __pfx_worker_thread+0x10/0x10
[   58.885449][ T5300]  ? __pfx_kthread+0x10/0x10
[   58.887281][ T5300]  ret_from_fork+0x4b/0x80
[   58.889167][ T5300]  ? __pfx_kthread+0x10/0x10
[   58.891060][ T5300]  ret_from_fork_asm+0x1a/0x30
[   58.892925][ T5300]  </TASK>
[   58.902616][ T5313] 
[   58.903995][ T5313] ======================================================
[   58.906908][ T5313] WARNING: possible circular locking dependency detected
[   58.909334][ T5313] 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Tainted: G        W         
[   58.912713][ T5313] ------------------------------------------------------
[   58.915346][ T5313] syz.0.0/5313 is trying to acquire lock:
[   58.917586][ T5313] ffff88803ecd5e20 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   58.921255][ T5313] 
[   58.921255][ T5313] but task is already holding lock:
[   58.924338][ T5313] ffff8880438f4258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   58.928000][ T5313] 
[   58.928000][ T5313] which lock already depends on the new lock.
[   58.928000][ T5313] 
[   58.931749][ T5313] 
[   58.931749][ T5313] the existing dependency chain (in reverse order) is:
[   58.934956][ T5313] 
[   58.934956][ T5313] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   58.937982][ T5313]        lock_acquire+0x1ed/0x550
[   58.939849][ T5313]        lock_sock_nested+0x48/0x100
[   58.941795][ T5313]        bt_accept_dequeue+0xfa/0x570
[   58.943825][ T5313]        __sco_sock_close+0xd2/0x310
[   58.945982][ T5313]        sco_sock_release+0xb3/0x320
[   58.948038][ T5313]        sock_close+0xbc/0x240
[   58.949850][ T5313]        __fput+0x23c/0xa50
[   58.951563][ T5313]        task_work_run+0x24f/0x310
[   58.953503][ T5313]        syscall_exit_to_user_mode+0x13f/0x340
[   58.955693][ T5313]        do_syscall_64+0x100/0x230
[   58.957814][ T5313]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.960721][ T5313] 
[   58.960721][ T5313] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   58.965171][ T5313]        lock_acquire+0x1ed/0x550
[   58.967640][ T5313]        lock_sock_nested+0x48/0x100
[   58.970089][ T5313]        sco_connect_cfm+0x439/0xae0
[   58.972265][ T5313]        hci_sync_conn_complete_evt+0x6f1/0xb50
[   58.974760][ T5313]        hci_event_packet+0xac2/0x1540
[   58.976892][ T5313]        hci_rx_work+0x3f3/0xdb0
[   58.978930][ T5313]        process_scheduled_works+0xa66/0x1840
[   58.981328][ T5313]        worker_thread+0x870/0xd30
[   58.983296][ T5313]        kthread+0x2f0/0x390
[   58.984904][ T5313]        ret_from_fork+0x4b/0x80
[   58.986743][ T5313]        ret_from_fork_asm+0x1a/0x30
[   58.988734][ T5313] 
[   58.988734][ T5313] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[   58.991484][ T5313]        validate_chain+0x18ef/0x5920
[   58.993411][ T5313]        __lock_acquire+0x1397/0x2100
[   58.995174][ T5313]        lock_acquire+0x1ed/0x550
[   58.997024][ T5313]        _raw_spin_lock+0x2e/0x40
[   58.998973][ T5313]        sco_chan_del+0x74/0x180
[   59.000888][ T5313]        __sco_sock_close+0x152/0x310
[   59.002900][ T5313]        sco_sock_release+0xb3/0x320
[   59.004801][ T5313]        sock_close+0xbc/0x240
[   59.006656][ T5313]        __fput+0x23c/0xa50
[   59.008332][ T5313]        task_work_run+0x24f/0x310
[   59.010222][ T5313]        syscall_exit_to_user_mode+0x13f/0x340
[   59.012589][ T5313]        do_syscall_64+0x100/0x230
[   59.014554][ T5313]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   59.016989][ T5313] 
[   59.016989][ T5313] other info that might help us debug this:
[   59.016989][ T5313] 
[   59.020713][ T5313] Chain exists of:
[   59.020713][ T5313]   &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   59.020713][ T5313] 
[   59.026449][ T5313]  Possible unsafe locking scenario:
[   59.026449][ T5313] 
[   59.029501][ T5313]        CPU0                    CPU1
[   59.031515][ T5313]        ----                    ----
[   59.033578][ T5313]   lock(sk_lock-AF_BLUETOOTH);
[   59.035431][ T5313]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   59.038610][ T5313]                                lock(sk_lock-AF_BLUETOOTH);
[   59.041424][ T5313]   lock(&conn->lock#2);
[   59.043056][ T5313] 
[   59.043056][ T5313]  *** DEADLOCK ***
[   59.043056][ T5313] 
[   59.046034][ T5313] 3 locks held by syz.0.0/5313:
[   59.047919][ T5313]  #0: ffff888043df8208 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   59.051715][ T5313]  #1: ffff88803692a258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   59.055817][ T5313]  #2: ffff8880438f4258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   59.059680][ T5313] 
[   59.059680][ T5313] stack backtrace:
[   59.062035][ T5313] CPU: 0 UID: 0 PID: 5313 Comm: syz.0.0 Tainted: G        W          6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
[   59.066375][ T5313] Tainted: [W]=WARN
[   59.067826][ T5313] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   59.071820][ T5313] Call Trace:
[   59.073155][ T5313]  <TASK>
[   59.074275][ T5313]  dump_stack_lvl+0x241/0x360
[   59.076021][ T5313]  ? __pfx_dump_stack_lvl+0x10/0x10
[   59.077952][ T5313]  ? __pfx__printk+0x10/0x10
[   59.079768][ T5313]  print_circular_bug+0x13a/0x1b0
[   59.081639][ T5313]  check_noncircular+0x36a/0x4a0
[   59.083679][ T5313]  ? __pfx_check_noncircular+0x10/0x10
[   59.085853][ T5313]  ? lockdep_lock+0x123/0x2b0
[   59.087549][ T5313]  validate_chain+0x18ef/0x5920
[   59.089056][ T5313]  ? debug_object_assert_init+0x2dd/0x4b0
[   59.091003][ T5313]  ? do_raw_spin_unlock+0x58/0x8b0
[   59.092918][ T5313]  ? __pfx_validate_chain+0x10/0x10
[   59.094599][ T5313]  ? __pfx_stack_trace_save+0x10/0x10
[   59.096348][ T5313]  ? debug_object_assert_init+0x2dd/0x4b0
[   59.098323][ T5313]  ? __pfx_debug_object_assert_init+0x10/0x10
[   59.100805][ T5313]  ? mark_lock+0x9a/0x360
[   59.102440][ T5313]  __lock_acquire+0x1397/0x2100
[   59.104259][ T5313]  lock_acquire+0x1ed/0x550
[   59.106280][ T5313]  ? sco_chan_del+0x74/0x180
[   59.107998][ T5313]  ? __pfx_lock_acquire+0x10/0x10
[   59.109895][ T5313]  ? lockdep_hardirqs_on+0x99/0x150
[   59.111996][ T5313]  ? __cancel_work+0x2ee/0x390
[   59.113759][ T5313]  ? __pfx___cancel_work+0x10/0x10
[   59.115661][ T5313]  ? __sco_sock_close+0xe8/0x310
[   59.117696][ T5313]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   59.119742][ T5313]  ? __sco_sock_close+0xe8/0x310
[   59.121573][ T5313]  _raw_spin_lock+0x2e/0x40
[   59.123231][ T5313]  ? sco_chan_del+0x74/0x180
[   59.125013][ T5313]  sco_chan_del+0x74/0x180
[   59.126754][ T5313]  __sco_sock_close+0x152/0x310
[   59.128510][ T5313]  sco_sock_release+0xb3/0x320
[   59.130084][ T5313]  sock_close+0xbc/0x240
[   59.131840][ T5313]  ? __pfx_sock_close+0x10/0x10
[   59.133682][ T5313]  __fput+0x23c/0xa50
[   59.135096][ T5313]  task_work_run+0x24f/0x310
[   59.136712][ T5313]  ? _raw_spin_unlock+0x28/0x50
[   59.138478][ T5313]  ? __pfx_task_work_run+0x10/0x10
[   59.140404][ T5313]  ? syscall_exit_to_user_mode+0xa3/0x340
[   59.142507][ T5313]  syscall_exit_to_user_mode+0x13f/0x340
[   59.144511][ T5313]  do_syscall_64+0x100/0x230
[   59.146292][ T5313]  ? clear_bhb_loop+0x35/0x90
[   59.148143][ T5313]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   59.150790][ T5313] RIP: 0033:0x7f0cf0385d29
[   59.152523][ T5313] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   59.159757][ T5313] RSP: 002b:00007fffc0cdc198 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   59.162756][ T5313] RAX: 0000000000000000 RBX: 000000000000e485 RCX: 00007f0cf0385d29
[   59.165809][ T5313] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   59.168780][ T5313] RBP: 00007f0cf0577ba0 R08: 0000000000000001 R09: 00007fffc0cdc48f
[   59.171706][ T5313] R10: 00007f0cf01ff02c R11: 0000000000000246 R12: 000000000000e5b2
[   59.174634][ T5313] R13: 00007f0cf0575fa0 R14: 0000000000000032 R15: ffffffffffffffff
[   59.177653][ T5313]  </TASK>
[   59.179879][ T5300] Bluetooth: hci0: command tx timeout