program:
r0 = socket$igmp(0x2, 0x3, 0x2)
ioctl$SIOCGETVIFCNT(r0, 0x89e0, &(0x7f0000000200)) (async)
socket$netlink(0x10, 0x3, 0x0)
prctl$PR_GET_ENDIAN(0x13, 0x0) (async)
syz_emit_vhci(&(0x7f0000000480)=ANY=[@ANYBLOB="0404"], 0xd) (async)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r2 = socket(0x10, 0x3, 0x0)
recvmmsg$unix(r2, &(0x7f0000005480), 0x0, 0x0, 0x0)
write(r2, &(0x7f0000000100)="1400000016004f7fb3e4bf80a000080000000000", 0x14) (async)
bind$bt_sco(r1, &(0x7f0000000200), 0x8) (async)
listen(r1, 0x9) (async)
setsockopt$bt_BT_VOICE(r1, 0x112, 0xb, 0x0, 0x0) (async)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r3, 0x800448f0, 0x0)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}, {0x0, 0x0, @any, 0x0, 0x0, 0x0, 0x0, 0x1}}}, 0x14) (async)
syz_emit_vhci(&(0x7f0000000180)=ANY=[@ANYBLOB="042c"], 0x14)
ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448ca, 0x0)
[ 59.319477][ T5310] Bluetooth: hci0: command tx timeout
[ 59.329920][ T5310] BUG: sleeping function called from invalid context at net/core/sock.c:3613
[ 59.334163][ T5310] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5310, name: kworker/u5:2
[ 59.340001][ T5310] preempt_count: 1, expected: 0
[ 59.342937][ T5310] RCU nest depth: 0, expected: 0
[ 59.345895][ T5310] 6 locks held by kworker/u5:2/5310:
[ 59.350060][ T5310] #0: ffff888043fe2148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[ 59.355374][ T5310] #1: ffffc9000d40fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[ 59.362379][ T5310] #2: ffff888043cec078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[ 59.367339][ T5310] #3: ffffffff8fe40368 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[ 59.375695][ T5310] #4: ffff88803da8d220 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40
[ 59.381755][ T5310] #5: ffff888042e2c258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40
[ 59.387792][ T5310] Preemption disabled at:
[ 59.387807][ T5310] [<0000000000000000>] 0x0
[ 59.392687][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Not tainted 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
[ 59.400155][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 59.405637][ T5310] Workqueue: hci0 hci_rx_work
[ 59.408175][ T5310] Call Trace:
[ 59.409931][ T5310]
[ 59.412399][ T5310] dump_stack_lvl+0x241/0x360
[ 59.415800][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10
[ 59.418497][ T5310] ? __pfx__printk+0x10/0x10
[ 59.420777][ T5310] __might_resched+0x5d4/0x780
[ 59.457496][ T5310] ? __pfx_lock_acquire+0x10/0x10
[ 59.459315][ T5310] ? __pfx___might_resched+0x10/0x10
[ 59.461186][ T5310] ? __pfx_lock_release+0x10/0x10
[ 59.462995][ T5310] ? do_raw_spin_lock+0x14f/0x370
[ 59.464766][ T5310] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 59.466693][ T5310] lock_sock_nested+0x5d/0x100
[ 59.468391][ T5310] sco_connect_cfm+0x461/0xb40
[ 59.487365][ T5310] ? __pfx_sco_connect_cfm+0x10/0x10
[ 59.491343][ T5310] ? hci_conn_add_sysfs+0xfc/0x200
[ 59.494067][ T5310] ? __pfx_sco_connect_cfm+0x10/0x10
[ 59.511152][ T5310] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 59.514351][ T5310] hci_event_packet+0xac2/0x1540
[ 59.516742][ T5310] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 59.519076][ T5310] ? __pfx_hci_event_packet+0x10/0x10
[ 59.521039][ T5310] ? hci_send_to_sock+0x170/0x810
[ 59.522873][ T5310] ? kcov_remote_start+0x97/0x7d0
[ 59.524829][ T5310] hci_rx_work+0x3fe/0xd80
[ 59.546494][ T5310] ? process_scheduled_works+0x976/0x1850
[ 59.548737][ T5310] process_scheduled_works+0xa63/0x1850
[ 59.551003][ T5310] ? __pfx_process_scheduled_works+0x10/0x10
[ 59.553323][ T5310] ? assign_work+0x364/0x3d0
[ 59.555230][ T5310] worker_thread+0x870/0xd30
[ 59.557176][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 59.559691][ T5310] ? __kthread_parkme+0x169/0x1d0
[ 59.579284][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 59.581328][ T5310] kthread+0x2f0/0x390
[ 59.583073][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 59.585222][ T5310] ? __pfx_kthread+0x10/0x10
[ 59.587164][ T5310] ret_from_fork+0x4b/0x80
[ 59.589003][ T5310] ? __pfx_kthread+0x10/0x10
[ 59.590973][ T5310] ret_from_fork_asm+0x1a/0x30
[ 59.593020][ T5310]
[ 59.643556][ T5310] Bluetooth: hci0: Ignoring HCI_Sync_Conn_Complete event for existing connection
[ 59.659090][ T5323]
[ 59.659895][ T5323] ======================================================
[ 59.662028][ T5323] WARNING: possible circular locking dependency detected
[ 59.664294][ T5323] 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0 Tainted: G W
[ 59.667709][ T5323] ------------------------------------------------------
[ 59.670466][ T5323] syz.0.0/5323 is trying to acquire lock:
[ 59.673479][ T5323] ffff88803da8d220 (&conn->lock#2){+.+.}-{2:2}, at: __sco_sock_close+0x338/0x570
[ 59.680577][ T5323]
[ 59.680577][ T5323] but task is already holding lock:
[ 59.683542][ T5323] ffff888042e2f258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 59.687451][ T5323]
[ 59.687451][ T5323] which lock already depends on the new lock.
[ 59.687451][ T5323]
[ 59.691524][ T5323]
[ 59.691524][ T5323] the existing dependency chain (in reverse order) is:
[ 59.713519][ T5323]
[ 59.713519][ T5323] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 59.716675][ T5323] lock_acquire+0x1ed/0x550
[ 59.729019][ T5323] lock_sock_nested+0x48/0x100
[ 59.733312][ T5323] bt_accept_dequeue+0xfa/0x570
[ 59.738507][ T5323] __sco_sock_close+0xd6/0x570
[ 59.740777][ T5323] sco_sock_release+0xb3/0x320
[ 59.742951][ T5323] sock_close+0xbc/0x240
[ 59.758137][ T5323] __fput+0x23f/0x880
[ 59.759948][ T5323] task_work_run+0x24f/0x310
[ 59.762535][ T5323] syscall_exit_to_user_mode+0x168/0x370
[ 59.765026][ T5323] do_syscall_64+0x100/0x230
[ 59.767639][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.770893][ T5323]
[ 59.770893][ T5323] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 59.793962][ T5323] lock_acquire+0x1ed/0x550
[ 59.796416][ T5323] lock_sock_nested+0x48/0x100
[ 59.800688][ T5323] sco_connect_cfm+0x461/0xb40
[ 59.804123][ T5323] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 59.807251][ T5323] hci_event_packet+0xac2/0x1540
[ 59.809871][ T5323] hci_rx_work+0x3fe/0xd80
[ 59.812163][ T5323] process_scheduled_works+0xa63/0x1850
[ 59.814342][ T5323] worker_thread+0x870/0xd30
[ 59.816179][ T5323] kthread+0x2f0/0x390
[ 59.817846][ T5323] ret_from_fork+0x4b/0x80
[ 59.819586][ T5323] ret_from_fork_asm+0x1a/0x30
[ 59.821442][ T5323]
[ 59.821442][ T5323] -> #0 (&conn->lock#2){+.+.}-{2:2}:
[ 59.838955][ T5323] validate_chain+0x18ef/0x5920
[ 59.841278][ T5323] __lock_acquire+0x1384/0x2050
[ 59.853737][ T5323] lock_acquire+0x1ed/0x550
[ 59.855466][ T5323] _raw_spin_lock+0x2e/0x40
[ 59.857176][ T5323] __sco_sock_close+0x338/0x570
[ 59.872018][ T5323] __sco_sock_close+0x154/0x570
[ 59.874087][ T5323] sco_sock_release+0xb3/0x320
[ 59.876078][ T5323] sock_close+0xbc/0x240
[ 59.893765][ T5323] __fput+0x23f/0x880
[ 59.895515][ T5323] task_work_run+0x24f/0x310
[ 59.897458][ T5323] syscall_exit_to_user_mode+0x168/0x370
[ 59.899592][ T5323] do_syscall_64+0x100/0x230
[ 59.901459][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 59.903916][ T5323]
[ 59.903916][ T5323] other info that might help us debug this:
[ 59.903916][ T5323]
[ 59.907514][ T5323] Chain exists of:
[ 59.907514][ T5323] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 59.907514][ T5323]
[ 59.912928][ T5323] Possible unsafe locking scenario:
[ 59.912928][ T5323]
[ 59.915791][ T5323]        CPU0                    CPU1
[ 59.926432][ T5323]        ----                    ----
[ 59.929130][ T5323]   lock(sk_lock-AF_BLUETOOTH);
[ 59.930999][ T5323]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 59.934174][ T5323]                                lock(sk_lock-AF_BLUETOOTH);
[ 59.937032][ T5323]   lock(&conn->lock#2);
[ 59.941854][ T5323]
[ 59.941854][ T5323] *** DEADLOCK ***
[ 59.941854][ T5323]
[ 59.944879][ T5323] 3 locks held by syz.0.0/5323:
[ 59.946810][ T5323] #0: ffff888043357208 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: sock_close+0x90/0x240
[ 59.973395][ T5323] #1: ffff888042e2c258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 59.993934][ T5323] #2: ffff888042e2f258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 59.997840][ T5323]
[ 59.997840][ T5323] stack backtrace:
[ 60.012823][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Tainted: G W 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
[ 60.023746][ T5323] Tainted: [W]=WARN
[ 60.025386][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 60.046676][ T5323] Call Trace:
[ 60.048047][ T5323]
[ 60.049232][ T5323] dump_stack_lvl+0x241/0x360
[ 60.051399][ T5323] ? __pfx_dump_stack_lvl+0x10/0x10
[ 60.053730][ T5323] ? __pfx__printk+0x10/0x10
[ 60.055855][ T5323] print_circular_bug+0x13a/0x1b0
[ 60.058454][ T5323] check_noncircular+0x36a/0x4a0
[ 60.060308][ T5323] ? mark_lock+0x9a/0x360
[ 60.061983][ T5323] ? __pfx_check_noncircular+0x10/0x10
[ 60.076454][ T5323] ? lockdep_lock+0x123/0x2b0
[ 60.078095][ T5323] validate_chain+0x18ef/0x5920
[ 60.079731][ T5323] ? __pfx_validate_chain+0x10/0x10
[ 60.081476][ T5323] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 60.083577][ T5323] ? __mod_timer+0xb89/0xeb0
[ 60.085119][ T5323] ? __pfx_lock_release+0x10/0x10
[ 60.086838][ T5323] ? do_raw_spin_unlock+0x58/0x8b0
[ 60.088550][ T5323] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 60.114904][ T5323] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 60.117445][ T5323] ? mark_lock+0x9a/0x360
[ 60.119180][ T5323] __lock_acquire+0x1384/0x2050
[ 60.121156][ T5323] lock_acquire+0x1ed/0x550
[ 60.123024][ T5323] ? __sco_sock_close+0x338/0x570
[ 60.125044][ T5323] ? __pfx_lock_acquire+0x10/0x10
[ 60.143287][ T5323] ? queue_delayed_work_on+0x267/0x390
[ 60.145603][ T5323] ? __pfx_queue_delayed_work_on+0x10/0x10
[ 60.148094][ T5323] ? __pfx___cancel_work+0x10/0x10
[ 60.150359][ T5323] ? __cancel_work+0x2ee/0x390
[ 60.152636][ T5323] ? __pfx___cancel_work+0x10/0x10
[ 60.155089][ T5323] ? __sco_sock_close+0xec/0x570
[ 60.173536][ T5323] _raw_spin_lock+0x2e/0x40
[ 60.175163][ T5323] ? __sco_sock_close+0x338/0x570
[ 60.178001][ T5323] __sco_sock_close+0x338/0x570
[ 60.180752][ T5323] __sco_sock_close+0x154/0x570
[ 60.195538][ T5323] sco_sock_release+0xb3/0x320
[ 60.198156][ T5323] sock_close+0xbc/0x240
[ 60.200450][ T5323] ? __pfx_sock_close+0x10/0x10
[ 60.208693][ T5323] __fput+0x23f/0x880
[ 60.211787][ T5323] task_work_run+0x24f/0x310
[ 60.215924][ T5323] ? __pfx_task_work_run+0x10/0x10
[ 60.220546][ T5323] ? syscall_exit_to_user_mode+0xa3/0x370
[ 60.224635][ T5323] syscall_exit_to_user_mode+0x168/0x370
[ 60.228421][ T5323] do_syscall_64+0x100/0x230
[ 60.231101][ T5323] ? clear_bhb_loop+0x35/0x90
[ 60.233775][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 60.237103][ T5323] RIP: 0033:0x7f0f17b7e719
[ 60.251148][ T5323] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 60.293847][ T5323] RSP: 002b:00007ffcc6481658 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 60.313745][ T5323] RAX: 0000000000000000 RBX: 000000000000e72f RCX: 00007f0f17b7e719
[ 60.317851][ T5323] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 60.320714][ T5323] RBP: 00007f0f17d37a80 R08: 0000000000000001 R09: 00007ffcc648194f
[ 60.323704][ T5323] R10: 00007f0f179ff02c R11: 0000000000000246 R12: 000000000000e89e
[ 60.327164][ T5323] R13: 00007ffcc6481760 R14: 0000000000000032 R15: ffffffffffffffff
[ 60.346246][ T5323]