======================================================
WARNING: possible circular locking dependency detected
6.2.0-rc7-syzkaller-17891-geaed33698e35 #0 Not tainted
------------------------------------------------------
syz-executor.1/17895 is trying to acquire lock:
ffff00011830d130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0xa0/0x23c

but task is already holding lock:
ffff80000d8a0f58 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x68/0x14c

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (hci_cb_list_lock){+.+.}-{3:3}:
       __mutex_lock_common+0xd4/0xf64
       mutex_lock_nested+0x38/0x44
       hci_remote_features_evt+0x278/0x514
       hci_event_packet+0x564/0x740
       hci_rx_work+0x224/0x538
       process_one_work+0x3ac/0x9d0
       worker_thread+0x340/0x608
       kthread+0x12c/0x158
       ret_from_fork+0x10/0x20

-> #1 (&hdev->lock){+.+.}-{3:3}:
       __mutex_lock_common+0xd4/0xf64
       mutex_lock_nested+0x38/0x44
       sco_sock_connect+0x118/0x5f0
       __sys_connect+0x184/0x190
       __arm64_sys_connect+0x28/0x3c
       invoke_syscall+0x64/0x178
       el0_svc_common+0xbc/0x180
       do_el0_svc+0x48/0x110
       el0_svc+0x58/0x14c
       el0t_64_sync_handler+0x84/0xf0
       el0t_64_sync+0x190/0x194

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       __lock_acquire+0x1670/0x2f48
       lock_acquire+0x164/0x334
       lock_sock_nested+0x70/0xd8
       sco_conn_del+0xa0/0x23c
       sco_disconn_cfm+0x68/0xac
       hci_conn_hash_flush+0x8c/0x14c
       hci_dev_close_sync+0x50c/0xaac
       hci_rfkill_set_block+0xa0/0x1a0
       rfkill_set_block+0xb4/0x1f8
       rfkill_fop_write+0x274/0x3dc
       vfs_write+0x198/0x44c
       ksys_write+0xb4/0x160
       __arm64_sys_write+0x24/0x34
       invoke_syscall+0x64/0x178
       el0_svc_common+0xbc/0x180
       do_el0_svc+0x48/0x110
       el0_svc+0x58/0x14c
       el0t_64_sync_handler+0x84/0xf0
       el0t_64_sync+0x190/0x194

other info that might help us debug this:

Chain exists of:
  sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(hci_cb_list_lock);
                               lock(&hdev->lock);
                               lock(hci_cb_list_lock);
  lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);

 *** DEADLOCK ***

4 locks held by syz-executor.1/17895:
 #0: ffff80000d9038d0 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x174/0x3dc
 #1: ffff00011491f028 (&hdev->req_lock){+.+.}-{3:3}, at: hci_rfkill_set_block+0x98/0x1a0
 #2: ffff00011491e078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x27c/0xaac
 #3: ffff80000d8a0f58 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x68/0x14c

stack backtrace:
CPU: 1 PID: 17895 Comm: syz-executor.1 Not tainted 6.2.0-rc7-syzkaller-17891-geaed33698e35 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
Call trace:
 dump_backtrace+0x1c8/0x1f4
 show_stack+0x2c/0x3c
 dump_stack_lvl+0xd0/0x124
 dump_stack+0x1c/0x28
 print_circular_bug+0x2c4/0x2c8
 check_noncircular+0x148/0x150
 __lock_acquire+0x1670/0x2f48
 lock_acquire+0x164/0x334
 lock_sock_nested+0x70/0xd8
 sco_conn_del+0xa0/0x23c
 sco_disconn_cfm+0x68/0xac
 hci_conn_hash_flush+0x8c/0x14c
 hci_dev_close_sync+0x50c/0xaac
 hci_rfkill_set_block+0xa0/0x1a0
 rfkill_set_block+0xb4/0x1f8
 rfkill_fop_write+0x274/0x3dc
 vfs_write+0x198/0x44c
 ksys_write+0xb4/0x160
 __arm64_sys_write+0x24/0x34
 invoke_syscall+0x64/0x178
 el0_svc_common+0xbc/0x180
 do_el0_svc+0x48/0x110
 el0_svc+0x58/0x14c
 el0t_64_sync_handler+0x84/0xf0
 el0t_64_sync+0x190/0x194