================================
WARNING: inconsistent lock state
5.11.0-rc6-syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
syz-executor.3/13875 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff8880298490a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff8880298490a0 (slock-AF_BLUETOOTH-BTPROTO_SCO){+.?.}-{2:2}, at: sco_sock_timeout+0x33/0x1b0 net/bluetooth/sco.c:83
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire kernel/locking/lockdep.c:5442 [inline]
  lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407
  __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
  _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
  spin_lock include/linux/spinlock.h:354 [inline]
  sco_conn_del+0x134/0x2b0 net/bluetooth/sco.c:176
  sco_disconn_cfm+0x74/0xb0 net/bluetooth/sco.c:1189
  hci_disconn_cfm include/net/bluetooth/hci_core.h:1462 [inline]
  hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1565
  hci_dev_do_close+0x569/0x1110 net/bluetooth/hci_core.c:1776
  hci_unregister_dev+0x223/0xfe0 net/bluetooth/hci_core.c:3872
  vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340
  __fput+0x283/0x920 fs/file_table.c:280
  task_work_run+0xdd/0x190 kernel/task_work.c:140
  exit_task_work include/linux/task_work.h:30 [inline]
  do_exit+0xc5c/0x2ae0 kernel/exit.c:825
  do_group_exit+0x125/0x310 kernel/exit.c:922
  __do_sys_exit_group kernel/exit.c:933 [inline]
  __se_sys_exit_group kernel/exit.c:931 [inline]
  __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
  do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
irq event stamp: 10614
hardirqs last  enabled at (10614): [] asm_sysvec_call_function_single+0x12/0x20 arch/x86/include/asm/idtentry.h:637
hardirqs last disabled at (10613): [] sysvec_call_function_single+0xc/0x100 arch/x86/kernel/smp.c:243
softirqs last  enabled at (10506): [] asm_call_irq_on_stack+0xf/0x20
softirqs last disabled at (10555): [] asm_call_irq_on_stack+0xf/0x20

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(slock-AF_BLUETOOTH-BTPROTO_SCO);
    lock(slock-AF_BLUETOOTH-BTPROTO_SCO);

 *** DEADLOCK ***

2 locks held by syz-executor.3/13875:
 #0: ffff888013d65498 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
 #0: ffff888013d65498 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_pte_range mm/memory.c:1222 [inline]
 #0: ffff888013d65498 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_pmd_range mm/memory.c:1368 [inline]
 #0: ffff888013d65498 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_pud_range mm/memory.c:1397 [inline]
 #0: ffff888013d65498 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_p4d_range mm/memory.c:1418 [inline]
 #0: ffff888013d65498 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: unmap_page_range+0x7fe/0x2640 mm/memory.c:1439
 #1: ffffc90000007d90 ((&sk->sk_timer)#2){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:35 [inline]
 #1: ffffc90000007d90 ((&sk->sk_timer)#2){+.-.}-{0:0}, at: call_timer_fn+0xd5/0x6b0 kernel/time/timer.c:1407

stack backtrace:
CPU: 0 PID: 13875 Comm: syz-executor.3 Not tainted 5.11.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_usage_bug kernel/locking/lockdep.c:4413 [inline]
 valid_state kernel/locking/lockdep.c:3751 [inline]
 mark_lock_irq kernel/locking/lockdep.c:3954 [inline]
 mark_lock.cold+0x56/0x73 kernel/locking/lockdep.c:4411
 mark_usage kernel/locking/lockdep.c:4306 [inline]
 __lock_acquire+0x11b4/0x54f0 kernel/locking/lockdep.c:4786
 lock_acquire kernel/locking/lockdep.c:5442 [inline]
 lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:354 [inline]
 sco_sock_timeout+0x33/0x1b0 net/bluetooth/sco.c:83
 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1417
 expire_timers kernel/time/timer.c:1462 [inline]
 __run_timers.part.0+0x67c/0xa50 kernel/time/timer.c:1731
 __run_timers kernel/time/timer.c:1712 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1744
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:226 [inline]
 __irq_exit_rcu kernel/softirq.c:420 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:432
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:629
RIP: 0010:check_kcov_mode kernel/kcov.c:163 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x7/0x60 kernel/kcov.c:197
Code: 0f bd c8 49 8b 14 24 48 63 c9 e9 66 ff ff ff 4c 01 ca 49 89 13 e9 00 fd ff ff 66 0f 1f 84 00 00 00 00 00 65 8b 05 59 1e 8f 7e <89> c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 00 f0 01 00 a9
RSP: 0018:ffffc90002b3f790 EFLAGS: 00000246
RAX: 0000000080000001 RBX: ffffea0000556e40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8880184d9bc0 RDI: 0000000000000003
RBP: ffffea0000556e40 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81a52e59 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888013bc7f80 R14: dffffc0000000000 R15: 00007f56e13f1000
 PageSwapBacked include/linux/page-flags.h:357 [inline]
 mm_counter_file include/linux/mm.h:1915 [inline]
 mm_counter include/linux/mm.h:1924 [inline]
 zap_pte_range mm/memory.c:1263 [inline]
 zap_pmd_range mm/memory.c:1368 [inline]
 zap_pud_range mm/memory.c:1397 [inline]
 zap_p4d_range mm/memory.c:1418 [inline]
 unmap_page_range+0xda7/0x2640 mm/memory.c:1439
 unmap_single_vma+0x198/0x300 mm/memory.c:1484
 unmap_vmas+0x168/0x2e0 mm/memory.c:1516
 exit_mmap+0x2b1/0x5a0 mm/mmap.c:3220
 __mmput+0x122/0x470 kernel/fork.c:1082
 mmput+0x53/0x60 kernel/fork.c:1103
 exit_mm kernel/exit.c:501 [inline]
 do_exit+0xb6a/0x2ae0 kernel/exit.c:812
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x427/0x20f0 kernel/signal.c:2773
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:302
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465b09
Code: Unable to access opcode bytes at RIP 0x465adf.
RSP: 002b:00007f56df398218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000056bf68 RCX: 0000000000465b09
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056bf68
RBP: 000000000056bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf6c
R13: 00007ffe31b8a7af R14: 00007f56df398300 R15: 0000000000022000