program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
r1 = syz_open_procfs(0x0, 0x0)
ioctl$FS_IOC_GET_ENCRYPTION_KEY_STATUS(r1, 0x40286608, 0x0)
r2 = openat$hwrng(0xffffffffffffff9c, 0x0, 0x0, 0x0)
preadv(r2, 0x0, 0x0, 0x0, 0x0)
r3 = socket$nl_xfrm(0x10, 0x3, 0x6)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000003c0)=ANY=[@ANYBLOB="b80000001900674c0000000000000000ff010000000000000000000000000001e000000100000000000000000000000000000000000000000a"], 0xb8}}, 0x0)
sendmsg$nl_xfrm(r3, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000c80)=@updpolicy={0xc4, 0x1b, 0xfd3649826d894c67, 0x0, 0x0, {{@in6=@mcast1, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0xa}}, [@mark={0xc}]}, 0xc4}}, 0x0)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="042c1100"/20], 0x14)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async)
bind$bt_sco(r0, &(0x7f0000000200), 0x8) (async)
listen(r0, 0x0) (async)
syz_open_procfs(0x0, 0x0) (async)
ioctl$FS_IOC_GET_ENCRYPTION_KEY_STATUS(r1, 0x40286608, 0x0) (async)
openat$hwrng(0xffffffffffffff9c, 0x0, 0x0, 0x0) (async)
preadv(r2, 0x0, 0x0, 0x0, 0x0) (async)
socket$nl_xfrm(0x10, 0x3, 0x6) (async)
socket$nl_xfrm(0x10, 0x3, 0x6) (async)
sendmsg$nl_xfrm(r4, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000003c0)=ANY=[@ANYBLOB="b80000001900674c0000000000000000ff010000000000000000000000000001e000000100000000000000000000000000000000000000000a"], 0xb8}}, 0x0) (async)
sendmsg$nl_xfrm(r3, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000c80)=@updpolicy={0xc4, 0x1b, 0xfd3649826d894c67, 0x0, 0x0, {{@in6=@mcast1, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0xa}}, [@mark={0xc}]}, 0xc4}}, 0x0) (async)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd) (async)
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="042c1100"/20], 0x14) (async)
[ 59.922760][ T4533] Bluetooth: hci0: command tx timeout
[ 60.008516][ T5104] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'.
[ 60.015472][ T5090] BUG: sleeping function called from invalid context at net/core/sock.c:3613
[ 60.018647][ T5090] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5090, name: kworker/u5:2
[ 60.022011][ T5090] preempt_count: 1, expected: 0
[ 60.024065][ T5090] RCU nest depth: 0, expected: 0
[ 60.026134][ T5090] 6 locks held by kworker/u5:2/5090:
[ 60.028081][ T5090] #0: ffff888035e54148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[ 60.033036][ T5090] #1: ffffc9000b067d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[ 60.037560][ T5090] #2: ffff888041654078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[ 60.041403][ T5090] #3: ffffffff8fe3f768 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[ 60.045810][ T5090] #4: ffff88803d1d4820 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40
[ 60.049490][ T5090] #5: ffff888034571258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40
[ 60.053743][ T5090] Preemption disabled at:
[ 60.053754][ T5090] [<0000000000000000>] 0x0
[ 60.057062][ T5090] CPU: 0 UID: 0 PID: 5090 Comm: kworker/u5:2 Not tainted 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
[ 60.060900][ T5090] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 60.064945][ T5090] Workqueue: hci0 hci_rx_work
[ 60.066592][ T5090] Call Trace:
[ 60.067781][ T5090]
[ 60.068834][ T5090] dump_stack_lvl+0x241/0x360
[ 60.070699][ T5090] ? __pfx_dump_stack_lvl+0x10/0x10
[ 60.072551][ T5090] ? __pfx__printk+0x10/0x10
[ 60.074103][ T5090] __might_resched+0x5d4/0x780
[ 60.075842][ T5090] ? __pfx_lock_acquire+0x10/0x10
[ 60.077738][ T5090] ? __pfx___might_resched+0x10/0x10
[ 60.079776][ T5090] ? __pfx_lock_release+0x10/0x10
[ 60.081555][ T5090] ? do_raw_spin_lock+0x14f/0x370
[ 60.083359][ T5090] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 60.085333][ T5090] lock_sock_nested+0x5d/0x100
[ 60.087215][ T5090] sco_connect_cfm+0x461/0xb40
[ 60.089120][ T5090] ? __pfx_sco_connect_cfm+0x10/0x10
[ 60.091183][ T5090] ? hci_conn_add_sysfs+0xfc/0x200
[ 60.093165][ T5090] ? __pfx_sco_connect_cfm+0x10/0x10
[ 60.095485][ T5090] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 60.097733][ T5090] hci_event_packet+0xac2/0x1540
[ 60.099688][ T5090] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 60.102071][ T5090] ? __pfx_hci_event_packet+0x10/0x10
[ 60.104023][ T5090] ? set_advertising_complete+0x410/0x6f0
[ 60.106165][ T5090] ? kcov_remote_start+0x97/0x7d0
[ 60.108084][ T5090] hci_rx_work+0x3fe/0xd80
[ 60.109755][ T5090] ? process_scheduled_works+0x976/0x1850
[ 60.111852][ T5090] process_scheduled_works+0xa63/0x1850
[ 60.113909][ T5090] ? __pfx_process_scheduled_works+0x10/0x10
[ 60.116109][ T5090] ? assign_work+0x364/0x3d0
[ 60.117852][ T5090] worker_thread+0x870/0xd30
[ 60.119698][ T5090] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 60.121976][ T5090] ? __kthread_parkme+0x169/0x1d0
[ 60.123881][ T5090] ? __pfx_worker_thread+0x10/0x10
[ 60.125888][ T5090] kthread+0x2f0/0x390
[ 60.127453][ T5090] ? __pfx_worker_thread+0x10/0x10
[ 60.129353][ T5090] ? __pfx_kthread+0x10/0x10
[ 60.131113][ T5090] ret_from_fork+0x4b/0x80
[ 60.132761][ T5090] ? __pfx_kthread+0x10/0x10
[ 60.134619][ T5090] ret_from_fork_asm+0x1a/0x30
[ 60.136476][ T5090]
[ 60.159541][ T5104]
[ 60.160340][ T5104] ======================================================
[ 60.162892][ T5104] WARNING: possible circular locking dependency detected
[ 60.165424][ T5104] 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0 Tainted: G W
[ 60.168563][ T5104] ------------------------------------------------------
[ 60.171044][ T5104] syz.0.0/5104 is trying to acquire lock:
[ 60.173269][ T5104] ffff88803d1d4820 (&conn->lock#2){+.+.}-{2:2}, at: __sco_sock_close+0x338/0x570
[ 60.176492][ T5104]
[ 60.176492][ T5104] but task is already holding lock:
[ 60.179173][ T5104] ffff888034576258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 60.182573][ T5104]
[ 60.182573][ T5104] which lock already depends on the new lock.
[ 60.182573][ T5104]
[ 60.186445][ T5104]
[ 60.186445][ T5104] the existing dependency chain (in reverse order) is:
[ 60.189698][ T5104]
[ 60.189698][ T5104] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 60.192651][ T5104] lock_acquire+0x1ed/0x550
[ 60.194481][ T5104] lock_sock_nested+0x48/0x100
[ 60.196358][ T5104] bt_accept_dequeue+0xfa/0x570
[ 60.198205][ T5104] __sco_sock_close+0xd6/0x570
[ 60.200183][ T5104] sco_sock_release+0xb3/0x320
[ 60.202171][ T5104] sock_close+0xbc/0x240
[ 60.203914][ T5104] __fput+0x23f/0x880
[ 60.205725][ T5104] task_work_run+0x24f/0x310
[ 60.207711][ T5104] do_exit+0xa2f/0x28e0
[ 60.209545][ T5104] do_group_exit+0x207/0x2c0
[ 60.211441][ T5104] get_signal+0x16a3/0x1740
[ 60.213079][ T5104] arch_do_signal_or_restart+0x96/0x860
[ 60.215396][ T5104] syscall_exit_to_user_mode+0xc9/0x370
[ 60.217642][ T5104] do_syscall_64+0x100/0x230
[ 60.219513][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 60.221975][ T5104]
[ 60.221975][ T5104] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 60.225049][ T5104] lock_acquire+0x1ed/0x550
[ 60.226938][ T5104] lock_sock_nested+0x48/0x100
[ 60.228937][ T5104] sco_connect_cfm+0x461/0xb40
[ 60.230888][ T5104] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 60.233293][ T5104] hci_event_packet+0xac2/0x1540
[ 60.235411][ T5104] hci_rx_work+0x3fe/0xd80
[ 60.237069][ T5104] process_scheduled_works+0xa63/0x1850
[ 60.239406][ T5104] worker_thread+0x870/0xd30
[ 60.241267][ T5104] kthread+0x2f0/0x390
[ 60.243033][ T5104] ret_from_fork+0x4b/0x80
[ 60.244919][ T5104] ret_from_fork_asm+0x1a/0x30
[ 60.247009][ T5104]
[ 60.247009][ T5104] -> #0 (&conn->lock#2){+.+.}-{2:2}:
[ 60.249734][ T5104] validate_chain+0x18ef/0x5920
[ 60.251733][ T5104] __lock_acquire+0x1384/0x2050
[ 60.253703][ T5104] lock_acquire+0x1ed/0x550
[ 60.255465][ T5104] _raw_spin_lock+0x2e/0x40
[ 60.257329][ T5104] __sco_sock_close+0x338/0x570
[ 60.259410][ T5104] __sco_sock_close+0x154/0x570
[ 60.261536][ T5104] sco_sock_release+0xb3/0x320
[ 60.263624][ T5104] sock_close+0xbc/0x240
[ 60.265484][ T5104] __fput+0x23f/0x880
[ 60.267217][ T5104] task_work_run+0x24f/0x310
[ 60.269132][ T5104] do_exit+0xa2f/0x28e0
[ 60.270853][ T5104] do_group_exit+0x207/0x2c0
[ 60.272754][ T5104] get_signal+0x16a3/0x1740
[ 60.274579][ T5104] arch_do_signal_or_restart+0x96/0x860
[ 60.276776][ T5104] syscall_exit_to_user_mode+0xc9/0x370
[ 60.279009][ T5104] do_syscall_64+0x100/0x230
[ 60.280943][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 60.283314][ T5104]
[ 60.283314][ T5104] other info that might help us debug this:
[ 60.283314][ T5104]
[ 60.287035][ T5104] Chain exists of:
[ 60.287035][ T5104] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 60.287035][ T5104]
[ 60.292059][ T5104] Possible unsafe locking scenario:
[ 60.292059][ T5104]
[ 60.294557][ T5104] CPU0 CPU1
[ 60.296707][ T5104] ---- ----
[ 60.298703][ T5104] lock(sk_lock-AF_BLUETOOTH);
[ 60.300371][ T5104] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 60.303548][ T5104] lock(sk_lock-AF_BLUETOOTH);
[ 60.306383][ T5104] lock(&conn->lock#2);
[ 60.308108][ T5104]
[ 60.308108][ T5104] *** DEADLOCK ***
[ 60.308108][ T5104]
[ 60.311102][ T5104] 3 locks held by syz.0.0/5104:
[ 60.312885][ T5104] #0: ffff888040e22608 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: sock_close+0x90/0x240
[ 60.316658][ T5104] #1: ffff888034571258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 60.320838][ T5104] #2: ffff888034576258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 60.324612][ T5104]
[ 60.324612][ T5104] stack backtrace:
[ 60.326868][ T5104] CPU: 0 UID: 0 PID: 5104 Comm: syz.0.0 Tainted: G W 6.12.0-rc4-syzkaller-00047-gc2ee9f594da8 #0
[ 60.331163][ T5104] Tainted: [W]=WARN
[ 60.332587][ T5104] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 60.336635][ T5104] Call Trace:
[ 60.337920][ T5104]
[ 60.339019][ T5104] dump_stack_lvl+0x241/0x360
[ 60.340700][ T5104] ? __pfx_dump_stack_lvl+0x10/0x10
[ 60.342520][ T5104] ? __pfx__printk+0x10/0x10
[ 60.344128][ T5104] print_circular_bug+0x13a/0x1b0
[ 60.345978][ T5104] check_noncircular+0x36a/0x4a0
[ 60.347896][ T5104] ? mark_lock+0x9a/0x360
[ 60.349440][ T5104] ? __pfx_check_noncircular+0x10/0x10
[ 60.351534][ T5104] ? lockdep_lock+0x123/0x2b0
[ 60.353399][ T5104] validate_chain+0x18ef/0x5920
[ 60.355241][ T5104] ? __pfx_validate_chain+0x10/0x10
[ 60.357127][ T5104] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 60.359488][ T5104] ? __mod_timer+0xb89/0xeb0
[ 60.361259][ T5104] ? __pfx_lock_release+0x10/0x10
[ 60.363137][ T5104] ? do_raw_spin_unlock+0x58/0x8b0
[ 60.364967][ T5104] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 60.367215][ T5104] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 60.369515][ T5104] ? mark_lock+0x9a/0x360
[ 60.371131][ T5104] __lock_acquire+0x1384/0x2050
[ 60.372899][ T5104] lock_acquire+0x1ed/0x550
[ 60.374619][ T5104] ? __sco_sock_close+0x338/0x570
[ 60.376527][ T5104] ? __pfx_lock_acquire+0x10/0x10
[ 60.378455][ T5104] ? queue_delayed_work_on+0x267/0x390
[ 60.380508][ T5104] ? __pfx_queue_delayed_work_on+0x10/0x10
[ 60.382789][ T5104] ? __pfx___cancel_work+0x10/0x10
[ 60.384740][ T5104] ? __cancel_work+0x2ee/0x390
[ 60.386487][ T5104] ? __pfx___cancel_work+0x10/0x10
[ 60.388423][ T5104] ? __sco_sock_close+0xec/0x570
[ 60.390338][ T5104] _raw_spin_lock+0x2e/0x40
[ 60.392219][ T5104] ? __sco_sock_close+0x338/0x570
[ 60.393904][ T5104] __sco_sock_close+0x338/0x570
[ 60.395615][ T5104] __sco_sock_close+0x154/0x570
[ 60.397421][ T5104] sco_sock_release+0xb3/0x320
[ 60.399205][ T5104] sock_close+0xbc/0x240
[ 60.400660][ T5104] ? __pfx_sock_close+0x10/0x10
[ 60.402374][ T5104] __fput+0x23f/0x880
[ 60.403897][ T5104] task_work_run+0x24f/0x310
[ 60.405683][ T5104] ? kasan_quarantine_put+0xdc/0x230
[ 60.407696][ T5104] ? __pfx_task_work_run+0x10/0x10
[ 60.409851][ T5104] ? do_exit+0xa2a/0x28e0
[ 60.411652][ T5104] ? kmem_cache_free+0x1a2/0x420
[ 60.413457][ T5104] ? do_exit+0xa2a/0x28e0
[ 60.415054][ T5104] do_exit+0xa2f/0x28e0
[ 60.416618][ T5104] ? __pfx_do_exit+0x10/0x10
[ 60.418215][ T5104] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 60.420232][ T5104] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 60.422380][ T5104] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 60.424707][ T5104] ? _raw_spin_lock_irq+0xdf/0x120
[ 60.426629][ T5104] do_group_exit+0x207/0x2c0
[ 60.428350][ T5104] ? _raw_spin_unlock_irq+0x23/0x50
[ 60.430279][ T5104] ? lockdep_hardirqs_on+0x99/0x150
[ 60.432129][ T5104] get_signal+0x16a3/0x1740
[ 60.433742][ T5104] ? __pfx_get_signal+0x10/0x10
[ 60.435539][ T5104] arch_do_signal_or_restart+0x96/0x860
[ 60.437566][ T5104] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 60.439810][ T5104] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 60.442006][ T5104] ? syscall_exit_to_user_mode+0xa3/0x370
[ 60.444047][ T5104] syscall_exit_to_user_mode+0xc9/0x370
[ 60.446124][ T5104] do_syscall_64+0x100/0x230
[ 60.447882][ T5104] ? clear_bhb_loop+0x35/0x90
[ 60.449609][ T5104] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 60.451855][ T5104] RIP: 0033:0x7fc166b7cadf
[ 60.453479][ T5104] Code: Unable to access opcode bytes at 0x7fc166b7cab5.
[ 60.455938][ T5104] RSP: 002b:00007fc167a35000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 60.458928][ T5104] RAX: 0000000000000014 RBX: 00007fc166d35f80 RCX: 00007fc166b7cadf
[ 60.461877][ T5104] RDX: 0000000000000014 RSI: 0000000020000140 RDI: 00000000000000ca
[ 60.464753][ T5104] RBP: 00007fc166bf0296 R08: 0000000000000000 R09: 0000000000000000
[ 60.467669][ T5104] R10: 0000000020000140 R11: 0000000000000293 R12: 0000000000000000
[ 60.470652][ T5104] R13: 0000000000000000 R14: 00007fc166d35f80 R15: 00007ffcbf8cee38
[ 60.473607][ T5104]