program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000180)={0x4c, 0x2, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x11, 0x3, 'hash:ip,mark\x00'}]}, 0x4c}}, 0x0)
r2 = socket(0x840000000002, 0x3, 0x100)
setsockopt$IPT_SO_SET_REPLACE(r2, 0x4000000000000, 0x40, &(0x7f0000000000)=@raw={'raw\x00', 0x701, 0x3, 0x290, 0x100, 0xba02004b, 0x108, 0x100, 0x0, 0x1f8, 0x1c8, 0x1c8, 0x1f8, 0x1c8, 0x3, 0x0, {[{{@ip={@rand_addr, @dev, 0x0, 0x0, 'caif0\x00', 'ip6_vti0\x00', {}, {}, 0x32}, 0x0, 0xa0, 0x100, 0x0, {}, [@common=@inet=@esp={{0x30}}]}, @common=@SET={0x60}}, {{@uncond, 0x0, 0x98, 0xf8, 0x0, {}, [@inet=@rpfilter={{0x28}}]}, @common=@CLUSTERIP={0x60, 'CLUSTERIP\x00', 0x0, {0x0, @local}}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28, '\x00', 0x4}}}}, 0x2f0)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[ 90.197641][ T4532] Bluetooth: hci0: command tx timeout
[ 91.475858][ T4532] BUG: sleeping function called from invalid context at net/core/sock.c:3613
[ 91.479838][ T4532] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4532, name: kworker/u5:1
[ 91.484554][ T4532] preempt_count: 1, expected: 0
[ 91.486696][ T4532] RCU nest depth: 0, expected: 0
[ 91.488625][ T4532] 6 locks held by kworker/u5:1/4532:
[ 91.491026][ T4532] #0: ffff88803dd63148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[ 91.496631][ T4532] #1: ffffc9000da6fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[ 91.501542][ T4532] #2: ffff888040754078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[ 91.506013][ T4532] #3: ffffffff8fe3eda8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[ 91.511506][ T4532] #4: ffff88803431c220 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40
[ 91.515678][ T4532] #5: ffff88804b818258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40
[ 91.519998][ T4532] Preemption disabled at:
[ 91.520012][ T4532] [<0000000000000000>] 0x0
[ 91.523592][ T4532] CPU: 0 UID: 0 PID: 4532 Comm: kworker/u5:1 Not tainted 6.12.0-rc3-syzkaller-00013-geca631b8fe80 #0
[ 91.528286][ T4532] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 91.533178][ T4532] Workqueue: hci0 hci_rx_work
[ 91.535142][ T4532] Call Trace:
[ 91.536420][ T4532]
[ 91.537632][ T4532] dump_stack_lvl+0x241/0x360
[ 91.539646][ T4532] ? __pfx_dump_stack_lvl+0x10/0x10
[ 91.542237][ T4532] ? __pfx__printk+0x10/0x10
[ 91.544658][ T4532] __might_resched+0x5d4/0x780
[ 91.546635][ T4532] ? __pfx_lock_acquire+0x10/0x10
[ 91.548624][ T4532] ? __pfx___might_resched+0x10/0x10
[ 91.550791][ T4532] ? __pfx_lock_release+0x10/0x10
[ 91.552759][ T4532] ? do_raw_spin_lock+0x14f/0x370
[ 91.554990][ T4532] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 91.557599][ T4532] lock_sock_nested+0x5d/0x100
[ 91.559936][ T4532] sco_connect_cfm+0x461/0xb40
[ 91.561908][ T4532] ? __pfx_sco_connect_cfm+0x10/0x10
[ 91.564038][ T4532] ? hci_conn_add_sysfs+0xfc/0x200
[ 91.565974][ T4532] ? __pfx_sco_connect_cfm+0x10/0x10
[ 91.568139][ T4532] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 91.570688][ T4532] hci_event_packet+0xac2/0x1540
[ 91.572927][ T4532] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 91.575823][ T4532] ? __pfx_hci_event_packet+0x10/0x10
[ 91.578167][ T4532] ? send_count+0x1b0/0x1b0
[ 91.580003][ T4532] ? kcov_remote_start+0x97/0x7d0
[ 91.581993][ T4532] hci_rx_work+0x3fe/0xd80
[ 91.583809][ T4532] ? process_scheduled_works+0x976/0x1850
[ 91.586225][ T4532] process_scheduled_works+0xa63/0x1850
[ 91.589023][ T4532] ? __pfx_process_scheduled_works+0x10/0x10
[ 91.591972][ T4532] ? assign_work+0x364/0x3d0
[ 91.593905][ T4532] worker_thread+0x870/0xd30
[ 91.595755][ T4532] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 91.598081][ T4532] ? __kthread_parkme+0x169/0x1d0
[ 91.600139][ T4532] ? __pfx_worker_thread+0x10/0x10
[ 91.602400][ T4532] kthread+0x2f0/0x390
[ 91.604297][ T4532] ? __pfx_worker_thread+0x10/0x10
[ 91.606665][ T4532] ? __pfx_kthread+0x10/0x10
[ 91.608648][ T4532] ret_from_fork+0x4b/0x80
[ 91.610381][ T4532] ? __pfx_kthread+0x10/0x10
[ 91.612176][ T4532] ret_from_fork_asm+0x1a/0x30
[ 91.614070][ T4532]
[ 91.630484][ T5112]
[ 91.631506][ T5112] ======================================================
[ 91.634401][ T5112] WARNING: possible circular locking dependency detected
[ 91.637516][ T5112] 6.12.0-rc3-syzkaller-00013-geca631b8fe80 #0 Tainted: G W
[ 91.641094][ T5112] ------------------------------------------------------
[ 91.643793][ T5112] syz.0.0/5112 is trying to acquire lock:
[ 91.645961][ T5112] ffff88803431c220 (&conn->lock#2){+.+.}-{2:2}, at: __sco_sock_close+0x338/0x570
[ 91.650453][ T5112]
[ 91.650453][ T5112] but task is already holding lock:
[ 91.654175][ T5112] ffff88804b81b258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 91.657951][ T5112]
[ 91.657951][ T5112] which lock already depends on the new lock.
[ 91.657951][ T5112]
[ 91.662187][ T5112]
[ 91.662187][ T5112] the existing dependency chain (in reverse order) is:
[ 91.666476][ T5112]
[ 91.666476][ T5112] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 91.669859][ T5112] lock_acquire+0x1ed/0x550
[ 91.671888][ T5112] lock_sock_nested+0x48/0x100
[ 91.674030][ T5112] bt_accept_dequeue+0xfa/0x570
[ 91.676171][ T5112] __sco_sock_close+0xd6/0x570
[ 91.678514][ T5112] sco_sock_release+0xb3/0x320
[ 91.680803][ T5112] sock_close+0xbc/0x240
[ 91.682929][ T5112] __fput+0x23f/0x880
[ 91.684807][ T5112] task_work_run+0x24f/0x310
[ 91.686815][ T5112] syscall_exit_to_user_mode+0x168/0x370
[ 91.689282][ T5112] do_syscall_64+0x100/0x230
[ 91.691342][ T5112] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.693882][ T5112]
[ 91.693882][ T5112] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 91.697733][ T5112] lock_acquire+0x1ed/0x550
[ 91.700489][ T5112] lock_sock_nested+0x48/0x100
[ 91.702950][ T5112] sco_connect_cfm+0x461/0xb40
[ 91.704996][ T5112] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 91.707400][ T5112] hci_event_packet+0xac2/0x1540
[ 91.709495][ T5112] hci_rx_work+0x3fe/0xd80
[ 91.711626][ T5112] process_scheduled_works+0xa63/0x1850
[ 91.714744][ T5112] worker_thread+0x870/0xd30
[ 91.717254][ T5112] kthread+0x2f0/0x390
[ 91.719128][ T5112] ret_from_fork+0x4b/0x80
[ 91.721067][ T5112] ret_from_fork_asm+0x1a/0x30
[ 91.723198][ T5112]
[ 91.723198][ T5112] -> #0 (&conn->lock#2){+.+.}-{2:2}:
[ 91.726341][ T5112] validate_chain+0x18ef/0x5920
[ 91.728804][ T5112] __lock_acquire+0x1384/0x2050
[ 91.731318][ T5112] lock_acquire+0x1ed/0x550
[ 91.733473][ T5112] _raw_spin_lock+0x2e/0x40
[ 91.735541][ T5112] __sco_sock_close+0x338/0x570
[ 91.737676][ T5112] __sco_sock_close+0x154/0x570
[ 91.740140][ T5112] sco_sock_release+0xb3/0x320
[ 91.742499][ T5112] sock_close+0xbc/0x240
[ 91.744661][ T5112] __fput+0x23f/0x880
[ 91.746582][ T5112] task_work_run+0x24f/0x310
[ 91.748753][ T5112] syscall_exit_to_user_mode+0x168/0x370
[ 91.751208][ T5112] do_syscall_64+0x100/0x230
[ 91.753197][ T5112] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.755894][ T5112]
[ 91.755894][ T5112] other info that might help us debug this:
[ 91.755894][ T5112]
[ 91.761039][ T5112] Chain exists of:
[ 91.761039][ T5112] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 91.761039][ T5112]
[ 91.766866][ T5112] Possible unsafe locking scenario:
[ 91.766866][ T5112]
[ 91.769824][ T5112] CPU0 CPU1
[ 91.772218][ T5112] ---- ----
[ 91.774848][ T5112] lock(sk_lock-AF_BLUETOOTH);
[ 91.776970][ T5112] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 91.780294][ T5112] lock(sk_lock-AF_BLUETOOTH);
[ 91.783204][ T5112] lock(&conn->lock#2);
[ 91.784813][ T5112]
[ 91.784813][ T5112] *** DEADLOCK ***
[ 91.784813][ T5112]
[ 91.788507][ T5112] 3 locks held by syz.0.0/5112:
[ 91.791905][ T5112] #0: ffff88803fd2f208 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: sock_close+0x90/0x240
[ 91.796325][ T5112] #1: ffff88804b818258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 91.800721][ T5112] #2: ffff88804b81b258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 91.804651][ T5112]
[ 91.804651][ T5112] stack backtrace:
[ 91.806907][ T5112] CPU: 0 UID: 0 PID: 5112 Comm: syz.0.0 Tainted: G W 6.12.0-rc3-syzkaller-00013-geca631b8fe80 #0
[ 91.813158][ T5112] Tainted: [W]=WARN
[ 91.815039][ T5112] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 91.819438][ T5112] Call Trace:
[ 91.820592][ T5112]
[ 91.821676][ T5112] dump_stack_lvl+0x241/0x360
[ 91.823416][ T5112] ? __pfx_dump_stack_lvl+0x10/0x10
[ 91.825272][ T5112] ? __pfx__printk+0x10/0x10
[ 91.826952][ T5112] print_circular_bug+0x13a/0x1b0
[ 91.828775][ T5112] check_noncircular+0x36a/0x4a0
[ 91.831052][ T5112] ? mark_lock+0x9a/0x360
[ 91.833401][ T5112] ? __pfx_check_noncircular+0x10/0x10
[ 91.835965][ T5112] ? lockdep_lock+0x123/0x2b0
[ 91.837985][ T5112] validate_chain+0x18ef/0x5920
[ 91.839920][ T5112] ? __pfx_validate_chain+0x10/0x10
[ 91.841962][ T5112] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 91.844512][ T5112] ? __mod_timer+0xb89/0xeb0
[ 91.846470][ T5112] ? __pfx_lock_release+0x10/0x10
[ 91.848728][ T5112] ? do_raw_spin_unlock+0x58/0x8b0
[ 91.850962][ T5112] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 91.853358][ T5112] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 91.855916][ T5112] ? mark_lock+0x9a/0x360
[ 91.857573][ T5112] __lock_acquire+0x1384/0x2050
[ 91.859668][ T5112] lock_acquire+0x1ed/0x550
[ 91.861489][ T5112] ? __sco_sock_close+0x338/0x570
[ 91.863806][ T5112] ? __pfx_lock_acquire+0x10/0x10
[ 91.866221][ T5112] ? queue_delayed_work_on+0x267/0x390
[ 91.868591][ T5112] ? __pfx_queue_delayed_work_on+0x10/0x10
[ 91.870986][ T5112] ? __pfx___cancel_work+0x10/0x10
[ 91.872978][ T5112] ? __cancel_work+0x2ee/0x390
[ 91.876199][ T5112] ? __pfx___cancel_work+0x10/0x10
[ 91.878755][ T5112] ? __sco_sock_close+0xec/0x570
[ 91.881473][ T5112] _raw_spin_lock+0x2e/0x40
[ 91.883439][ T5112] ? __sco_sock_close+0x338/0x570
[ 91.885399][ T5112] __sco_sock_close+0x338/0x570
[ 91.887313][ T5112] __sco_sock_close+0x154/0x570
[ 91.889252][ T5112] sco_sock_release+0xb3/0x320
[ 91.891474][ T5112] sock_close+0xbc/0x240
[ 91.893507][ T5112] ? __pfx_sock_close+0x10/0x10
[ 91.895555][ T5112] __fput+0x23f/0x880
[ 91.897220][ T5112] task_work_run+0x24f/0x310
[ 91.899095][ T5112] ? __pfx_task_work_run+0x10/0x10
[ 91.901112][ T5112] ? syscall_exit_to_user_mode+0xa3/0x370
[ 91.903600][ T5112] syscall_exit_to_user_mode+0x168/0x370
[ 91.906095][ T5112] do_syscall_64+0x100/0x230
[ 91.908521][ T5112] ? clear_bhb_loop+0x35/0x90
[ 91.910872][ T5112] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.913721][ T5112] RIP: 0033:0x7f6922b7dff9
[ 91.915427][ T5112] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 91.922901][ T5112] RSP: 002b:00007fff3d5d8898 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 91.925792][ T5112] RAX: 0000000000000000 RBX: 00007f6922d37a80 RCX: 00007f6922b7dff9
[ 91.928684][ T5112] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 91.933015][ T5112] RBP: 00007f6922d37a80 R08: 0000000000000006 R09: 00007fff3d5d8b8f
[ 91.936764][ T5112] R10: 0000000000df69d8 R11: 0000000000000246 R12: 00000000000167be
[ 91.939772][ T5112] R13: 00007fff3d5d89a0 R14: 0000000000000032 R15: ffffffffffffffff
[ 91.942874][ T5112]
[ 92.020240][ T9] cfg80211: failed to load regulatory.db
[ 92.275686][ T5099] Bluetooth: hci0: command tx timeout