program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8) (async)
listen(r0, 0x0)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd) (async)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[   70.769049][ T5302] Bluetooth: hci0: command tx timeout
[   70.814780][ T5302] BUG: sleeping function called from invalid context at net/core/sock.c:3647
[   70.819397][ T5302] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5302, name: kworker/u5:2
[   70.826205][ T5302] preempt_count: 1, expected: 0
[   70.828258][ T5302] RCU nest depth: 0, expected: 0
[   70.830275][ T5302] 5 locks held by kworker/u5:2/5302:
[   70.833194][ T5302]  #0: ffff888012475148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[   70.838243][ T5302]  #1: ffffc9000d26fc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[   70.842822][ T5302]  #2: ffff8880388a4078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[   70.847711][ T5302]  #3: ffff88804108c020 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[   70.851339][ T5302]  #4: ffff8880531a2258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[   70.857713][ T5302] Preemption disabled at:
[   70.857726][ T5302] [<0000000000000000>] 0x0
[   70.861507][ T5302] CPU: 0 UID: 0 PID: 5302 Comm: kworker/u5:2 Not tainted 6.13.0-syzkaller-08291-g805ba04cb7cc #0
[   70.861532][ T5302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   70.861542][ T5302] Workqueue: hci0 hci_rx_work
[   70.861587][ T5302] Call Trace:
[   70.861619][ T5302]  <TASK>
[   70.861626][ T5302]  dump_stack_lvl+0x241/0x360
[   70.861646][ T5302]  ? __pfx_dump_stack_lvl+0x10/0x10
[   70.861659][ T5302]  ? __pfx__printk+0x10/0x10
[   70.861689][ T5302]  __might_resched+0x5d4/0x780
[   70.861704][ T5302]  ? __pfx_lock_acquire+0x10/0x10
[   70.861725][ T5302]  ? __pfx___might_resched+0x10/0x10
[   70.861740][ T5302]  ? __pfx_lock_release+0x10/0x10
[   70.861756][ T5302]  ? do_raw_spin_lock+0x14f/0x370
[   70.861776][ T5302]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   70.861794][ T5302]  lock_sock_nested+0x5d/0x100
[   70.861811][ T5302]  sco_connect_cfm+0x439/0xae0
[   70.861830][ T5302]  ? hci_cb_lookup+0x1b3/0x3c0
[   70.861843][ T5302]  ? __pfx_sco_connect_cfm+0x10/0x10
[   70.861862][ T5302]  ? hci_cb_lookup+0x3a0/0x3c0
[   70.861875][ T5302]  ? __pfx_sco_connect_cfm+0x10/0x10
[   70.861894][ T5302]  hci_sync_conn_complete_evt+0x6f1/0xb50
[   70.861911][ T5302]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   70.861924][ T5302]  ? skb_pull_data+0x112/0x230
[   70.861942][ T5302]  hci_event_packet+0xac2/0x1540
[   70.861961][ T5302]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   70.861978][ T5302]  ? __pfx_hci_event_packet+0x10/0x10
[   70.861994][ T5302]  ? do_raw_spin_unlock+0x58/0x8b0
[   70.862012][ T5302]  ? hci_send_to_monitor+0xd8/0x7f0
[   70.862025][ T5302]  ? kcov_remote_start+0x97/0x7d0
[   70.862043][ T5302]  hci_rx_work+0x3f3/0xdb0
[   70.862066][ T5302]  ? process_scheduled_works+0x976/0x1840
[   70.862081][ T5302]  process_scheduled_works+0xa66/0x1840
[   70.862114][ T5302]  ? __pfx_process_scheduled_works+0x10/0x10
[   70.862135][ T5302]  ? assign_work+0x364/0x3d0
[   70.862152][ T5302]  worker_thread+0x870/0xd30
[   70.862171][ T5302]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   70.862188][ T5302]  ? __kthread_parkme+0x169/0x1d0
[   70.862205][ T5302]  ? __pfx_worker_thread+0x10/0x10
[   70.862219][ T5302]  kthread+0x7a9/0x920
[   70.862234][ T5302]  ? __pfx_kthread+0x10/0x10
[   70.862251][ T5302]  ? __pfx_worker_thread+0x10/0x10
[   70.862266][ T5302]  ? __pfx_kthread+0x10/0x10
[   70.862285][ T5302]  ? __pfx_kthread+0x10/0x10
[   70.862303][ T5302]  ? __pfx_kthread+0x10/0x10
[   70.862318][ T5302]  ? _raw_spin_unlock_irq+0x23/0x50
[   70.862330][ T5302]  ? lockdep_hardirqs_on+0x99/0x150
[   70.862347][ T5302]  ? __pfx_kthread+0x10/0x10
[   70.862364][ T5302]  ret_from_fork+0x4b/0x80
[   70.862379][ T5302]  ? __pfx_kthread+0x10/0x10
[   70.862395][ T5302]  ret_from_fork_asm+0x1a/0x30
[   70.862420][ T5302]  </TASK>
[   70.986499][ T5316] 
[   70.987387][ T5316] ======================================================
[   70.989803][ T5316] WARNING: possible circular locking dependency detected
[   70.992696][ T5316] 6.13.0-syzkaller-08291-g805ba04cb7cc #0 Tainted: G        W         
[   70.995795][ T5316] ------------------------------------------------------
[   71.000309][ T5316] syz.0.0/5316 is trying to acquire lock:
[   71.003525][ T5316] ffff88804108c020 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   71.010371][ T5316] 
[   71.010371][ T5316] but task is already holding lock:
[   71.013288][ T5316] ffff8880531a3258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   71.017129][ T5316] 
[   71.017129][ T5316] which lock already depends on the new lock.
[   71.017129][ T5316] 
[   71.021189][ T5316] 
[   71.021189][ T5316] the existing dependency chain (in reverse order) is:
[   71.024654][ T5316] 
[   71.024654][ T5316] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   71.027962][ T5316]        lock_acquire+0x1ed/0x550
[   71.030106][ T5316]        lock_sock_nested+0x48/0x100
[   71.032443][ T5316]        bt_accept_dequeue+0xfa/0x570
[   71.034570][ T5316]        __sco_sock_close+0xd2/0x310
[   71.036734][ T5316]        sco_sock_release+0xb3/0x320
[   71.038809][ T5316]        sock_close+0xbc/0x240
[   71.041090][ T5316]        __fput+0x3e9/0x9f0
[   71.043001][ T5316]        task_work_run+0x24f/0x310
[   71.045629][ T5316]        syscall_exit_to_user_mode+0x13f/0x340
[   71.048167][ T5316]        do_syscall_64+0x100/0x230
[   71.050452][ T5316]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   71.053399][ T5316] 
[   71.053399][ T5316] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   71.057091][ T5316]        lock_acquire+0x1ed/0x550
[   71.059015][ T5316]        lock_sock_nested+0x48/0x100
[   71.061157][ T5316]        sco_connect_cfm+0x439/0xae0
[   71.063315][ T5316]        hci_sync_conn_complete_evt+0x6f1/0xb50
[   71.065788][ T5316]        hci_event_packet+0xac2/0x1540
[   71.067974][ T5316]        hci_rx_work+0x3f3/0xdb0
[   71.069983][ T5316]        process_scheduled_works+0xa66/0x1840
[   71.072466][ T5316]        worker_thread+0x870/0xd30
[   71.074467][ T5316]        kthread+0x7a9/0x920
[   71.076266][ T5316]        ret_from_fork+0x4b/0x80
[   71.078239][ T5316]        ret_from_fork_asm+0x1a/0x30
[   71.080304][ T5316] 
[   71.080304][ T5316] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[   71.083328][ T5316]        validate_chain+0x18ef/0x5920
[   71.085343][ T5316]        __lock_acquire+0x1397/0x2100
[   71.087518][ T5316]        lock_acquire+0x1ed/0x550
[   71.089526][ T5316]        _raw_spin_lock+0x2e/0x40
[   71.091591][ T5316]        sco_chan_del+0x74/0x180
[   71.093545][ T5316]        __sco_sock_close+0x152/0x310
[   71.095763][ T5316]        sco_sock_release+0xb3/0x320
[   71.097936][ T5316]        sock_close+0xbc/0x240
[   71.099794][ T5316]        __fput+0x3e9/0x9f0
[   71.101502][ T5316]        task_work_run+0x24f/0x310
[   71.103503][ T5316]        syscall_exit_to_user_mode+0x13f/0x340
[   71.105813][ T5316]        do_syscall_64+0x100/0x230
[   71.107879][ T5316]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   71.110365][ T5316] 
[   71.110365][ T5316] other info that might help us debug this:
[   71.110365][ T5316] 
[   71.114316][ T5316] Chain exists of:
[   71.114316][ T5316]   &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   71.114316][ T5316] 
[   71.119358][ T5316]  Possible unsafe locking scenario:
[   71.119358][ T5316] 
[   71.122121][ T5316]        CPU0                    CPU1
[   71.124104][ T5316]        ----                    ----
[   71.126090][ T5316]   lock(sk_lock-AF_BLUETOOTH);
[   71.128040][ T5316]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   71.131524][ T5316]                                lock(sk_lock-AF_BLUETOOTH);
[   71.135028][ T5316]   lock(&conn->lock#2);
[   71.136665][ T5316] 
[   71.136665][ T5316]  *** DEADLOCK ***
[   71.136665][ T5316] 
[   71.139860][ T5316] 3 locks held by syz.0.0/5316:
[   71.141799][ T5316]  #0: ffff888044c70808 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   71.145627][ T5316]  #1: ffff8880531a2258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   71.149748][ T5316]  #2: ffff8880531a3258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   71.153569][ T5316] 
[   71.153569][ T5316] stack backtrace:
[   71.155765][ T5316] CPU: 0 UID: 0 PID: 5316 Comm: syz.0.0 Tainted: G        W          6.13.0-syzkaller-08291-g805ba04cb7cc #0
[   71.155782][ T5316] Tainted: [W]=WARN
[   71.155786][ T5316] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   71.155793][ T5316] Call Trace:
[   71.155801][ T5316]  <TASK>
[   71.155806][ T5316]  dump_stack_lvl+0x241/0x360
[   71.155821][ T5316]  ? __pfx_dump_stack_lvl+0x10/0x10
[   71.155832][ T5316]  ? __pfx__printk+0x10/0x10
[   71.155851][ T5316]  print_circular_bug+0x13a/0x1b0
[   71.155868][ T5316]  check_noncircular+0x36a/0x4a0
[   71.155880][ T5316]  ? __pfx_check_noncircular+0x10/0x10
[   71.155891][ T5316]  ? lockdep_lock+0x123/0x2b0
[   71.155912][ T5316]  validate_chain+0x18ef/0x5920
[   71.155926][ T5316]  ? do_raw_spin_lock+0x14f/0x370
[   71.155939][ T5316]  ? __pfx_validate_chain+0x10/0x10
[   71.155949][ T5316]  ? do_raw_spin_unlock+0x58/0x8b0
[   71.155963][ T5316]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   71.155975][ T5316]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   71.155986][ T5316]  ? __lock_acquire+0x1397/0x2100
[   71.156001][ T5316]  ? debug_object_assert_init+0x2dd/0x4b0
[   71.156052][ T5316]  ? __pfx_debug_object_assert_init+0x10/0x10
[   71.156064][ T5316]  ? mark_lock+0x9a/0x360
[   71.156080][ T5316]  __lock_acquire+0x1397/0x2100
[   71.156098][ T5316]  lock_acquire+0x1ed/0x550
[   71.156111][ T5316]  ? sco_chan_del+0x74/0x180
[   71.156129][ T5316]  ? __pfx_lock_acquire+0x10/0x10
[   71.156143][ T5316]  ? __cancel_work+0x24a/0x390
[   71.156157][ T5316]  ? lockdep_hardirqs_on+0x99/0x150
[   71.156170][ T5316]  ? __cancel_work+0x2ee/0x390
[   71.156184][ T5316]  ? __pfx___cancel_work+0x10/0x10
[   71.156197][ T5316]  ? __sco_sock_close+0xe8/0x310
[   71.156212][ T5316]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   71.156224][ T5316]  _raw_spin_lock+0x2e/0x40
[   71.156235][ T5316]  ? sco_chan_del+0x74/0x180
[   71.156259][ T5316]  sco_chan_del+0x74/0x180
[   71.156275][ T5316]  __sco_sock_close+0x152/0x310
[   71.156291][ T5316]  sco_sock_release+0xb3/0x320
[   71.156306][ T5316]  sock_close+0xbc/0x240
[   71.156318][ T5316]  ? __pfx_sock_close+0x10/0x10
[   71.156329][ T5316]  __fput+0x3e9/0x9f0
[   71.156344][ T5316]  task_work_run+0x24f/0x310
[   71.156360][ T5316]  ? _raw_spin_unlock+0x28/0x50
[   71.156372][ T5316]  ? __pfx_task_work_run+0x10/0x10
[   71.156388][ T5316]  ? syscall_exit_to_user_mode+0xa3/0x340
[   71.156402][ T5316]  syscall_exit_to_user_mode+0x13f/0x340
[   71.156416][ T5316]  do_syscall_64+0x100/0x230
[   71.156430][ T5316]  ? clear_bhb_loop+0x35/0x90
[   71.156446][ T5316]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   71.156465][ T5316] RIP: 0033:0x7f4f1178cda9
[   71.156475][ T5316] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   71.156484][ T5316] RSP: 002b:00007fffe4dfd068 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   71.156496][ T5316] RAX: 0000000000000000 RBX: 000000000001140a RCX: 00007f4f1178cda9
[   71.156503][ T5316] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   71.156510][ T5316] RBP: 00007f4f119a7ba0 R08: 0000000000000001 R09: 00007fffe4dfd36f
[   71.156517][ T5316] R10: 00007f4f115ff030 R11: 0000000000000246 R12: 00000000000114ea
[   71.156523][ T5316] R13: 00007f4f119a5fa0 R14: 0000000000000032 R15: ffffffffffffffff
[   71.156535][ T5316]  </TASK>