program:
# syzkaller reproducer for the two lockdep reports that follow it
# ("sleeping function called from invalid context" in sco_connect_cfm, then
# "possible circular locking dependency" on SCO socket close). The syscall
# lines are unchanged; call order and the (async)/(rerun: N) annotations are
# part of the reproduction and must not be reordered.
#
# AF_BLUETOOTH (0x1f) / SOCK_SEQPACKET (0x5) / BTPROTO_SCO (0x2) socket in the
# init network namespace. Its sk_lock-AF_BLUETOOTH-BTPROTO_SCO is the lock
# that appears as #4 in the first report and #1 in the second.
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# Bind the SCO socket to the 8-byte sockaddr staged at 0x7f0000000200.
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
# KVM setup: /dev/kvm (0xffffffffffffff9c is AT_FDCWD) -> KVM_CREATE_VM ->
# KVM_CREATE_VCPU -> KVM_SET_MSRS. No KVM frames appear in either trace below,
# so this is presumably unrelated fuzzer noise — TODO confirm by minimizing
# the reproducer without these four calls.
r1 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r2 = ioctl$KVM_CREATE_VM(r1, 0xae01, 0x0)
r3 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r3, 0xc008ae88, &(0x7f00000000c0)={0x1, 0x0, [{0x571, 0x0, 0x3}]}) (async)
# Put the bound SCO socket into the listening state. "(async)" is syzkaller's
# threaded-execution annotation (issue the call without waiting for it to
# return); "rerun: N" below presumably repeats the call — verify against the
# syzkaller program-format documentation.
listen(r0, 0x0) (async)
# Inject raw bytes into the virtual HCI controller (hci0). The payload here is
# an opaque blob; the controller subsequently logs "command tx timeout".
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd) (async, rerun: 64)
# vhost_vsock open; also absent from both traces — presumably noise, verify.
openat$vhost_vsock(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) (async, rerun: 64)
# Inject an HCI event packet (type 0x4) carrying Synchronous Connection
# Complete. This is the event that drives hci_rx_work -> hci_event_packet ->
# hci_sync_conn_complete_evt -> sco_connect_cfm in the first report: there
# lock_sock_nested() (which may sleep, see net/core/sock.c:3624) is reached
# while the &conn->lock spinlock (#3) is still held. The sk_lock acquired at
# that point is the "-> #1" edge in the second report, which completes the
# &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
# chain once sco_chan_del() takes &conn->lock under sk_lock on socket close.
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[   68.589970][ T4660] Bluetooth: hci0: command tx timeout
[   68.733472][ T4660] BUG: sleeping function called from invalid context at net/core/sock.c:3624
[   68.736926][ T4660] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4660, name: kworker/u5:1
[   68.740800][ T4660] preempt_count: 1, expected: 0
[   68.742623][ T4660] RCU nest depth: 0, expected: 0
[   68.744556][ T4660] 5 locks held by kworker/u5:1/4660:
[   68.746572][ T4660]  #0: ffff888043426948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[   68.750704][ T4660]  #1: ffffc9000d3ffd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[   68.755017][ T4660]  #2: ffff888042ffc078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[   68.758924][ T4660]  #3: ffff8880400c7820 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[   68.762647][ T4660]  #4: ffff888043da7258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[   68.766635][ T4660] Preemption disabled at:
[   68.766645][ T4660] [<0000000000000000>] 0x0
[   68.769898][ T4660] CPU: 0 UID: 0 PID: 4660 Comm: kworker/u5:1 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
[   68.773837][ T4660] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   68.777703][ T4660] Workqueue: hci0 hci_rx_work
[   68.779505][ T4660] Call Trace:
[   68.780748][ T4660]  <TASK>
[   68.781895][ T4660]  dump_stack_lvl+0x241/0x360
[   68.783652][ T4660]  ? __pfx_dump_stack_lvl+0x10/0x10
[   68.785669][ T4660]  ? __pfx__printk+0x10/0x10
[   68.787431][ T4660]  __might_resched+0x5d4/0x780
[   68.789286][ T4660]  ? __pfx_lock_acquire+0x10/0x10
[   68.791111][ T4660]  ? __pfx___might_resched+0x10/0x10
[   68.793063][ T4660]  ? __pfx_lock_release+0x10/0x10
[   68.794995][ T4660]  ? do_raw_spin_lock+0x14f/0x370
[   68.796816][ T4660]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   68.798769][ T4660]  lock_sock_nested+0x5d/0x100
[   68.800709][ T4660]  sco_connect_cfm+0x439/0xae0
[   68.802575][ T4660]  ? hci_cb_lookup+0x1b3/0x3c0
[   68.804476][ T4660]  ? __pfx_sco_connect_cfm+0x10/0x10
[   68.806472][ T4660]  ? hci_cb_lookup+0x3a0/0x3c0
[   68.808363][ T4660]  ? __pfx_sco_connect_cfm+0x10/0x10
[   68.810473][ T4660]  hci_sync_conn_complete_evt+0x6f1/0xb50
[   68.812703][ T4660]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   68.815050][ T4660]  ? skb_pull_data+0x112/0x230
[   68.816871][ T4660]  hci_event_packet+0xac2/0x1540
[   68.818806][ T4660]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   68.821277][ T4660]  ? __pfx_hci_event_packet+0x10/0x10
[   68.823377][ T4660]  ? do_raw_spin_unlock+0x58/0x8b0
[   68.825374][ T4660]  ? hci_send_to_monitor+0xd8/0x7f0
[   68.827204][ T4660]  ? kcov_remote_start+0x97/0x7d0
[   68.829176][ T4660]  hci_rx_work+0x3f3/0xdb0
[   68.830964][ T4660]  ? process_scheduled_works+0x976/0x1840
[   68.833367][ T4660]  process_scheduled_works+0xa66/0x1840
[   68.835741][ T4660]  ? __pfx_process_scheduled_works+0x10/0x10
[   68.837996][ T4660]  ? assign_work+0x364/0x3d0
[   68.839912][ T4660]  worker_thread+0x870/0xd30
[   68.841864][ T4660]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   68.844024][ T4660]  ? __kthread_parkme+0x169/0x1d0
[   68.846011][ T4660]  ? __pfx_worker_thread+0x10/0x10
[   68.847919][ T4660]  kthread+0x2f0/0x390
[   68.849574][ T4660]  ? __pfx_worker_thread+0x10/0x10
[   68.851621][ T4660]  ? __pfx_kthread+0x10/0x10
[   68.853426][ T4660]  ret_from_fork+0x4b/0x80
[   68.855183][ T4660]  ? __pfx_kthread+0x10/0x10
[   68.856951][ T4660]  ret_from_fork_asm+0x1a/0x30
[   68.858755][ T4660]  </TASK>
[   68.932054][ T5320] 
[   68.932989][ T5320] ======================================================
[   68.935552][ T5320] WARNING: possible circular locking dependency detected
[   68.938069][ T5320] 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Tainted: G        W         
[   68.941216][ T5320] ------------------------------------------------------
[   68.943831][ T5320] syz.0.0/5320 is trying to acquire lock:
[   68.945954][ T5320] ffff8880400c7820 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   68.949191][ T5320] 
[   68.949191][ T5320] but task is already holding lock:
[   68.951978][ T5320] ffff88801f16d258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   68.955429][ T5320] 
[   68.955429][ T5320] which lock already depends on the new lock.
[   68.955429][ T5320] 
[   68.959293][ T5320] 
[   68.959293][ T5320] the existing dependency chain (in reverse order) is:
[   68.963307][ T5320] 
[   68.963307][ T5320] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   68.966367][ T5320]        lock_acquire+0x1ed/0x550
[   68.968449][ T5320]        lock_sock_nested+0x48/0x100
[   68.970612][ T5320]        bt_accept_dequeue+0xfa/0x570
[   68.972602][ T5320]        __sco_sock_close+0xd2/0x310
[   68.974640][ T5320]        sco_sock_release+0xb3/0x320
[   68.976692][ T5320]        sock_close+0xbc/0x240
[   68.978500][ T5320]        __fput+0x23c/0xa50
[   68.980267][ T5320]        task_work_run+0x24f/0x310
[   68.982092][ T5320]        syscall_exit_to_user_mode+0x13f/0x340
[   68.984339][ T5320]        do_syscall_64+0x100/0x230
[   68.986453][ T5320]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.989202][ T5320] 
[   68.989202][ T5320] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   68.992750][ T5320]        lock_acquire+0x1ed/0x550
[   68.995144][ T5320]        lock_sock_nested+0x48/0x100
[   68.997626][ T5320]        sco_connect_cfm+0x439/0xae0
[   69.000210][ T5320]        hci_sync_conn_complete_evt+0x6f1/0xb50
[   69.003179][ T5320]        hci_event_packet+0xac2/0x1540
[   69.005400][ T5320]        hci_rx_work+0x3f3/0xdb0
[   69.007553][ T5320]        process_scheduled_works+0xa66/0x1840
[   69.010486][ T5320]        worker_thread+0x870/0xd30
[   69.012756][ T5320]        kthread+0x2f0/0x390
[   69.014881][ T5320]        ret_from_fork+0x4b/0x80
[   69.017176][ T5320]        ret_from_fork_asm+0x1a/0x30
[   69.019613][ T5320] 
[   69.019613][ T5320] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[   69.022553][ T5320]        validate_chain+0x18ef/0x5920
[   69.024493][ T5320]        __lock_acquire+0x1397/0x2100
[   69.026562][ T5320]        lock_acquire+0x1ed/0x550
[   69.028443][ T5320]        _raw_spin_lock+0x2e/0x40
[   69.030306][ T5320]        sco_chan_del+0x74/0x180
[   69.032206][ T5320]        __sco_sock_close+0x152/0x310
[   69.034215][ T5320]        sco_sock_release+0xb3/0x320
[   69.036188][ T5320]        sock_close+0xbc/0x240
[   69.037963][ T5320]        __fput+0x23c/0xa50
[   69.039734][ T5320]        task_work_run+0x24f/0x310
[   69.041731][ T5320]        syscall_exit_to_user_mode+0x13f/0x340
[   69.044112][ T5320]        do_syscall_64+0x100/0x230
[   69.046105][ T5320]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.048504][ T5320] 
[   69.048504][ T5320] other info that might help us debug this:
[   69.048504][ T5320] 
[   69.052474][ T5320] Chain exists of:
[   69.052474][ T5320]   &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   69.052474][ T5320] 
[   69.057787][ T5320]  Possible unsafe locking scenario:
[   69.057787][ T5320] 
[   69.060573][ T5320]        CPU0                    CPU1
[   69.062572][ T5320]        ----                    ----
[   69.064516][ T5320]   lock(sk_lock-AF_BLUETOOTH);
[   69.066378][ T5320]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   69.069960][ T5320]                                lock(sk_lock-AF_BLUETOOTH);
[   69.072956][ T5320]   lock(&conn->lock#2);
[   69.074597][ T5320] 
[   69.074597][ T5320]  *** DEADLOCK ***
[   69.074597][ T5320] 
[   69.077639][ T5320] 3 locks held by syz.0.0/5320:
[   69.079453][ T5320]  #0: ffff888043b6b808 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   69.083231][ T5320]  #1: ffff888043da7258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   69.086878][ T5320]  #2: ffff88801f16d258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   69.090086][ T5320] 
[   69.090086][ T5320] stack backtrace:
[   69.092047][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Tainted: G        W          6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
[   69.096463][ T5320] Tainted: [W]=WARN
[   69.097924][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.102194][ T5320] Call Trace:
[   69.103467][ T5320]  <TASK>
[   69.104566][ T5320]  dump_stack_lvl+0x241/0x360
[   69.106364][ T5320]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.108366][ T5320]  ? __pfx__printk+0x10/0x10
[   69.110160][ T5320]  print_circular_bug+0x13a/0x1b0
[   69.112135][ T5320]  check_noncircular+0x36a/0x4a0
[   69.113970][ T5320]  ? __pfx_check_noncircular+0x10/0x10
[   69.115993][ T5320]  ? lockdep_lock+0x123/0x2b0
[   69.117741][ T5320]  validate_chain+0x18ef/0x5920
[   69.119613][ T5320]  ? debug_object_assert_init+0x2dd/0x4b0
[   69.121880][ T5320]  ? do_raw_spin_unlock+0x58/0x8b0
[   69.123757][ T5320]  ? __pfx_validate_chain+0x10/0x10
[   69.125651][ T5320]  ? __pfx_stack_trace_save+0x10/0x10
[   69.127629][ T5320]  ? debug_object_assert_init+0x2dd/0x4b0
[   69.129722][ T5320]  ? __pfx_debug_object_assert_init+0x10/0x10
[   69.131918][ T5320]  ? mark_lock+0x9a/0x360
[   69.133490][ T5320]  __lock_acquire+0x1397/0x2100
[   69.135268][ T5320]  lock_acquire+0x1ed/0x550
[   69.136961][ T5320]  ? sco_chan_del+0x74/0x180
[   69.138724][ T5320]  ? __pfx_lock_acquire+0x10/0x10
[   69.140586][ T5320]  ? lockdep_hardirqs_on+0x99/0x150
[   69.142459][ T5320]  ? __cancel_work+0x2ee/0x390
[   69.144124][ T5320]  ? __pfx___cancel_work+0x10/0x10
[   69.145938][ T5320]  ? __sco_sock_close+0xe8/0x310
[   69.147647][ T5320]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   69.149722][ T5320]  ? __sco_sock_close+0xe8/0x310
[   69.151496][ T5320]  _raw_spin_lock+0x2e/0x40
[   69.153095][ T5320]  ? sco_chan_del+0x74/0x180
[   69.154691][ T5320]  sco_chan_del+0x74/0x180
[   69.156292][ T5320]  __sco_sock_close+0x152/0x310
[   69.158111][ T5320]  sco_sock_release+0xb3/0x320
[   69.159966][ T5320]  sock_close+0xbc/0x240
[   69.161604][ T5320]  ? __pfx_sock_close+0x10/0x10
[   69.163365][ T5320]  __fput+0x23c/0xa50
[   69.164845][ T5320]  task_work_run+0x24f/0x310
[   69.166592][ T5320]  ? _raw_spin_unlock+0x28/0x50
[   69.168350][ T5320]  ? __pfx_task_work_run+0x10/0x10
[   69.170434][ T5320]  ? syscall_exit_to_user_mode+0xa3/0x340
[   69.172603][ T5320]  syscall_exit_to_user_mode+0x13f/0x340
[   69.174709][ T5320]  do_syscall_64+0x100/0x230
[   69.176392][ T5320]  ? clear_bhb_loop+0x35/0x90
[   69.178156][ T5320]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.180553][ T5320] RIP: 0033:0x7f7637385d29
[   69.182271][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   69.189661][ T5320] RSP: 002b:00007fffc308fe08 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   69.192786][ T5320] RAX: 0000000000000000 RBX: 00007f7637577ba0 RCX: 00007f7637385d29
[   69.195713][ T5320] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   69.198630][ T5320] RBP: 00007f7637577ba0 R08: 0000000000000000 R09: 00007fffc30900ff
[   69.201680][ T5320] R10: 0000000000dffd80 R11: 0000000000000246 R12: 0000000000010eee
[   69.204544][ T5320] R13: 00007fffc308ff10 R14: 0000000000000032 R15: ffffffffffffffff
[   69.207505][ T5320]  </TASK>