program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r1 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r1, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'authenc(sha512,adiantum(ctr(cast6),xeta-generic,sha3-512-ce))\x00'}, 0x58) (async)
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0) (async)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd) (async)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="042c110000000000000000000000000000000000a95c467e330a2ec66c733f9dba31113ac42d63ef0945c4b89747d42d8db3a5b7a77abc519303fcd612091c9790faa0f9d3304f2647f636571f0021fcc78bfef42117495eb0c42c97b6"], 0x14)
[ 68.578483][ T5305] Bluetooth: hci0: command tx timeout
[ 68.649776][ T5305] BUG: sleeping function called from invalid context at net/core/sock.c:3647
[ 68.653239][ T5305] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5305, name: kworker/u5:2
[ 68.657060][ T5305] preempt_count: 1, expected: 0
[ 68.658953][ T5305] RCU nest depth: 0, expected: 0
[ 68.660871][ T5305] 5 locks held by kworker/u5:2/5305:
[ 68.662939][ T5305] #0: ffff888044030948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[ 68.667757][ T5305] #1: ffffc9000d18fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[ 68.672390][ T5305] #2: ffff8880409e8078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[ 68.676764][ T5305] #3: ffff888035eeae20 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[ 68.680442][ T5305] #4: ffff888043cad258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[ 68.684679][ T5305] Preemption disabled at:
[ 68.684690][ T5305] [<0000000000000000>] 0x0
[ 68.688433][ T5305] CPU: 0 UID: 0 PID: 5305 Comm: kworker/u5:2 Not tainted 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
[ 68.688449][ T5305] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.688458][ T5305] Workqueue: hci0 hci_rx_work
[ 68.688479][ T5305] Call Trace:
[ 68.688483][ T5305]
[ 68.688490][ T5305] dump_stack_lvl+0x241/0x360
[ 68.688506][ T5305] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.688519][ T5305] ? __pfx__printk+0x10/0x10
[ 68.688547][ T5305] __might_resched+0x5d4/0x780
[ 68.688563][ T5305] ? __pfx_lock_acquire+0x10/0x10
[ 68.688582][ T5305] ? __pfx___might_resched+0x10/0x10
[ 68.688596][ T5305] ? __pfx_lock_release+0x10/0x10
[ 68.688612][ T5305] ? do_raw_spin_lock+0x14f/0x370
[ 68.688631][ T5305] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 68.688649][ T5305] lock_sock_nested+0x5d/0x100
[ 68.688666][ T5305] sco_connect_cfm+0x439/0xae0
[ 68.688679][ T5305] ? hci_cb_lookup+0x1b3/0x3c0
[ 68.688693][ T5305] ? __pfx_sco_connect_cfm+0x10/0x10
[ 68.688706][ T5305] ? hci_cb_lookup+0x3a0/0x3c0
[ 68.688719][ T5305] ? __pfx_sco_connect_cfm+0x10/0x10
[ 68.688732][ T5305] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 68.688749][ T5305] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 68.688763][ T5305] ? skb_pull_data+0x112/0x230
[ 68.688780][ T5305] hci_event_packet+0xac2/0x1540
[ 68.688800][ T5305] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 68.688817][ T5305] ? __pfx_hci_event_packet+0x10/0x10
[ 68.688834][ T5305] ? do_raw_spin_unlock+0x58/0x8b0
[ 68.688851][ T5305] ? hci_send_to_monitor+0xd8/0x7f0
[ 68.688865][ T5305] ? kcov_remote_start+0x97/0x7d0
[ 68.688883][ T5305] hci_rx_work+0x3f3/0xdb0
[ 68.688907][ T5305] ? process_scheduled_works+0x976/0x1840
[ 68.688921][ T5305] process_scheduled_works+0xa66/0x1840
[ 68.688960][ T5305] ? __pfx_process_scheduled_works+0x10/0x10
[ 68.688980][ T5305] ? assign_work+0x364/0x3d0
[ 68.688998][ T5305] worker_thread+0x870/0xd30
[ 68.689018][ T5305] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 68.689034][ T5305] ? __kthread_parkme+0x169/0x1d0
[ 68.689052][ T5305] ? __pfx_worker_thread+0x10/0x10
[ 68.689067][ T5305] kthread+0x7a9/0x920
[ 68.689082][ T5305] ? __pfx_kthread+0x10/0x10
[ 68.689099][ T5305] ? __pfx_worker_thread+0x10/0x10
[ 68.689113][ T5305] ? __pfx_kthread+0x10/0x10
[ 68.689128][ T5305] ? __pfx_kthread+0x10/0x10
[ 68.689147][ T5305] ? __pfx_kthread+0x10/0x10
[ 68.689162][ T5305] ? _raw_spin_unlock_irq+0x23/0x50
[ 68.689174][ T5305] ? lockdep_hardirqs_on+0x99/0x150
[ 68.689189][ T5305] ? __pfx_kthread+0x10/0x10
[ 68.689206][ T5305] ret_from_fork+0x4b/0x80
[ 68.689220][ T5305] ? __pfx_kthread+0x10/0x10
[ 68.689237][ T5305] ret_from_fork_asm+0x1a/0x30
[ 68.689261][ T5305]
[ 68.940530][ T5318]
[ 68.941599][ T5318] ======================================================
[ 68.944219][ T5318] WARNING: possible circular locking dependency detected
[ 68.946965][ T5318] 6.13.0-syzkaller-09760-g69e858e0b8b2 #0 Tainted: G W
[ 68.950091][ T5318] ------------------------------------------------------
[ 68.952755][ T5318] syz.0.0/5318 is trying to acquire lock:
[ 68.955012][ T5318] ffff888035eeae20 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 68.958354][ T5318]
[ 68.958354][ T5318] but task is already holding lock:
[ 68.961120][ T5318] ffff888040dc9258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 68.964692][ T5318]
[ 68.964692][ T5318] which lock already depends on the new lock.
[ 68.964692][ T5318]
[ 68.968640][ T5318]
[ 68.968640][ T5318] the existing dependency chain (in reverse order) is:
[ 68.971971][ T5318]
[ 68.971971][ T5318] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 68.974943][ T5318] lock_acquire+0x1ed/0x550
[ 68.976810][ T5318] lock_sock_nested+0x48/0x100
[ 68.978714][ T5318] bt_accept_dequeue+0xfa/0x570
[ 68.980725][ T5318] __sco_sock_close+0xd2/0x310
[ 68.982751][ T5318] sco_sock_release+0xb3/0x320
[ 68.984638][ T5318] sock_close+0xbc/0x240
[ 68.986443][ T5318] __fput+0x3e9/0x9f0
[ 68.988215][ T5318] task_work_run+0x24f/0x310
[ 68.990122][ T5318] syscall_exit_to_user_mode+0x13f/0x340
[ 68.992435][ T5318] do_syscall_64+0x100/0x230
[ 68.994328][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.996998][ T5318]
[ 68.996998][ T5318] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 69.000697][ T5318] lock_acquire+0x1ed/0x550
[ 69.002790][ T5318] lock_sock_nested+0x48/0x100
[ 69.004856][ T5318] sco_connect_cfm+0x439/0xae0
[ 69.006934][ T5318] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 69.009282][ T5318] hci_event_packet+0xac2/0x1540
[ 69.011350][ T5318] hci_rx_work+0x3f3/0xdb0
[ 69.013244][ T5318] process_scheduled_works+0xa66/0x1840
[ 69.015558][ T5318] worker_thread+0x870/0xd30
[ 69.017555][ T5318] kthread+0x7a9/0x920
[ 69.019393][ T5318] ret_from_fork+0x4b/0x80
[ 69.021246][ T5318] ret_from_fork_asm+0x1a/0x30
[ 69.023182][ T5318]
[ 69.023182][ T5318] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[ 69.025909][ T5318] validate_chain+0x18ef/0x5920
[ 69.028004][ T5318] __lock_acquire+0x1397/0x2100
[ 69.030085][ T5318] lock_acquire+0x1ed/0x550
[ 69.032013][ T5318] _raw_spin_lock+0x2e/0x40
[ 69.034035][ T5318] sco_chan_del+0x74/0x180
[ 69.036068][ T5318] __sco_sock_close+0x152/0x310
[ 69.038134][ T5318] sco_sock_release+0xb3/0x320
[ 69.040154][ T5318] sock_close+0xbc/0x240
[ 69.041929][ T5318] __fput+0x3e9/0x9f0
[ 69.043615][ T5318] task_work_run+0x24f/0x310
[ 69.045551][ T5318] syscall_exit_to_user_mode+0x13f/0x340
[ 69.047757][ T5318] do_syscall_64+0x100/0x230
[ 69.049706][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.052011][ T5318]
[ 69.052011][ T5318] other info that might help us debug this:
[ 69.052011][ T5318]
[ 69.055723][ T5318] Chain exists of:
[ 69.055723][ T5318] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 69.055723][ T5318]
[ 69.060867][ T5318] Possible unsafe locking scenario:
[ 69.060867][ T5318]
[ 69.063585][ T5318] CPU0 CPU1
[ 69.065476][ T5318] ---- ----
[ 69.067480][ T5318] lock(sk_lock-AF_BLUETOOTH);
[ 69.069250][ T5318] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 69.072242][ T5318] lock(sk_lock-AF_BLUETOOTH);
[ 69.074987][ T5318] lock(&conn->lock#2);
[ 69.076737][ T5318]
[ 69.076737][ T5318] *** DEADLOCK ***
[ 69.076737][ T5318]
[ 69.079699][ T5318] 3 locks held by syz.0.0/5318:
[ 69.081583][ T5318] #0: ffff8880433ff208 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 69.085202][ T5318] #1: ffff888043cad258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 69.089331][ T5318] #2: ffff888040dc9258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 69.093169][ T5318]
[ 69.093169][ T5318] stack backtrace:
[ 69.095448][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Tainted: G W 6.13.0-syzkaller-09760-g69e858e0b8b2 #0
[ 69.095464][ T5318] Tainted: [W]=WARN
[ 69.095468][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.095474][ T5318] Call Trace:
[ 69.095482][ T5318]
[ 69.095487][ T5318] dump_stack_lvl+0x241/0x360
[ 69.095503][ T5318] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.095512][ T5318] ? __pfx__printk+0x10/0x10
[ 69.095528][ T5318] print_circular_bug+0x13a/0x1b0
[ 69.095540][ T5318] check_noncircular+0x36a/0x4a0
[ 69.095551][ T5318] ? __pfx_check_noncircular+0x10/0x10
[ 69.095560][ T5318] ? lockdep_lock+0x123/0x2b0
[ 69.095575][ T5318] validate_chain+0x18ef/0x5920
[ 69.095587][ T5318] ? do_raw_spin_lock+0x14f/0x370
[ 69.095598][ T5318] ? __pfx_validate_chain+0x10/0x10
[ 69.095607][ T5318] ? do_raw_spin_unlock+0x58/0x8b0
[ 69.095619][ T5318] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 69.095631][ T5318] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 69.095642][ T5318] ? __lock_acquire+0x1397/0x2100
[ 69.095655][ T5318] ? debug_object_assert_init+0x2dd/0x4b0
[ 69.095706][ T5318] ? __pfx_debug_object_assert_init+0x10/0x10
[ 69.095717][ T5318] ? mark_lock+0x9a/0x360
[ 69.095731][ T5318] __lock_acquire+0x1397/0x2100
[ 69.095747][ T5318] lock_acquire+0x1ed/0x550
[ 69.095760][ T5318] ? sco_chan_del+0x74/0x180
[ 69.095775][ T5318] ? __pfx_lock_acquire+0x10/0x10
[ 69.095786][ T5318] ? __cancel_work+0x24a/0x390
[ 69.095799][ T5318] ? lockdep_hardirqs_on+0x99/0x150
[ 69.095810][ T5318] ? __cancel_work+0x2ee/0x390
[ 69.095821][ T5318] ? __pfx___cancel_work+0x10/0x10
[ 69.095832][ T5318] ? __sco_sock_close+0xe8/0x310
[ 69.095846][ T5318] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 69.095856][ T5318] _raw_spin_lock+0x2e/0x40
[ 69.095866][ T5318] ? sco_chan_del+0x74/0x180
[ 69.095878][ T5318] sco_chan_del+0x74/0x180
[ 69.095893][ T5318] __sco_sock_close+0x152/0x310
[ 69.095908][ T5318] sco_sock_release+0xb3/0x320
[ 69.095923][ T5318] sock_close+0xbc/0x240
[ 69.095932][ T5318] ? __pfx_sock_close+0x10/0x10
[ 69.095940][ T5318] __fput+0x3e9/0x9f0
[ 69.095956][ T5318] task_work_run+0x24f/0x310
[ 69.095970][ T5318] ? _raw_spin_unlock+0x28/0x50
[ 69.095980][ T5318] ? __pfx_task_work_run+0x10/0x10
[ 69.095995][ T5318] ? syscall_exit_to_user_mode+0xa3/0x340
[ 69.096007][ T5318] syscall_exit_to_user_mode+0x13f/0x340
[ 69.096018][ T5318] do_syscall_64+0x100/0x230
[ 69.096031][ T5318] ? clear_bhb_loop+0x35/0x90
[ 69.096046][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.096059][ T5318] RIP: 0033:0x7f554cd8cda9
[ 69.096071][ T5318] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.096078][ T5318] RSP: 002b:00007ffe7cc11a68 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 69.096089][ T5318] RAX: 0000000000000000 RBX: 00007f554cfa7ba0 RCX: 00007f554cd8cda9
[ 69.096095][ T5318] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 69.096101][ T5318] RBP: 00007f554cfa7ba0 R08: 0000000000000000 R09: 00007ffe7cc11d6f
[ 69.096107][ T5318] R10: 0000000000dffd94 R11: 0000000000000246 R12: 0000000000010ec9
[ 69.096113][ T5318] R13: 00007f554cfa6080 R14: 0000000000000032 R15: ffffffffffffffff
[ 69.096122][ T5318]