program:
# syzkaller reproducer for the two kernel reports that follow: an AF_BLUETOOTH
# SCO socket is created, bound and put into listening state, then two HCI
# event packets are injected through the virtual HCI (vhci) device so that the
# hci0 rx work (hci_rx_work -> hci_event_packet) delivers them to the SCO layer.
# 0x1f / 0x5 / 0x2 are AF_BLUETOOTH, SOCK_SEQPACKET and BTPROTO_SCO.
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# "(async)": syz-executor issues the call without waiting for it to return.
bind$bt_sco(r0, &(0x7f0000000200), 0x8) (async)
listen(r0, 0x0) (async)
# 0xd-byte raw vhci write starting with bytes 04 04: packet type 0x04
# (HCI_EVENT_PKT) with event code 0x04 — presumably a connection request,
# confirm against the hci_ev_* definitions.
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
# HCI_EVENT_PKT carrying event 0x2c, parameter length 0x11: the Synchronous
# Connection Complete event. In the first report below this reaches
# hci_sync_conn_complete_evt -> sco_connect_cfm, which calls lock_sock_nested()
# (the sleeping call flagged at net/core/sock.c) while &conn->lock is already
# held (lock #3, a spinlock: the second report acquires it via _raw_spin_lock
# in sco_chan_del). That sk_lock-under-&conn->lock order is also one edge of
# the circular dependency lockdep reports on socket close.
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
[ 70.933808][ T5305] Bluetooth: hci0: command tx timeout
[ 70.972955][ T5305] BUG: sleeping function called from invalid context at net/core/sock.c:3624
[ 70.976500][ T5305] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5305, name: kworker/u5:2
[ 70.980233][ T5305] preempt_count: 1, expected: 0
[ 70.982066][ T5305] RCU nest depth: 0, expected: 0
[ 70.985617][ T5305] 5 locks held by kworker/u5:2/5305:
[ 70.994307][ T5305] #0: ffff88801ebbd148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[ 71.001510][ T5305] #1: ffffc9000d207d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[ 71.006086][ T5305] #2: ffff8880416f4078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[ 71.010141][ T5305] #3: ffff88804040b220 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[ 71.013329][ T5305] #4: ffff88804416b258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[ 71.017388][ T5305] Preemption disabled at:
[ 71.017400][ T5305] [<0000000000000000>] 0x0
[ 71.020624][ T5305] CPU: 0 UID: 0 PID: 5305 Comm: kworker/u5:2 Not tainted 6.13.0-rc3-syzkaller-00289-g48f506ad0b68 #0
[ 71.024614][ T5305] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 71.028457][ T5305] Workqueue: hci0 hci_rx_work
[ 71.030297][ T5305] Call Trace:
[ 71.031506][ T5305]
[ 71.032603][ T5305] dump_stack_lvl+0x241/0x360
[ 71.034380][ T5305] ? __pfx_dump_stack_lvl+0x10/0x10
[ 71.036299][ T5305] ? __pfx__printk+0x10/0x10
[ 71.038049][ T5305] __might_resched+0x5d4/0x780
[ 71.039844][ T5305] ? __pfx_lock_acquire+0x10/0x10
[ 71.041664][ T5305] ? __pfx___might_resched+0x10/0x10
[ 71.043582][ T5305] ? __pfx_lock_release+0x10/0x10
[ 71.045402][ T5305] ? do_raw_spin_lock+0x14f/0x370
[ 71.047250][ T5305] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 71.049162][ T5305] lock_sock_nested+0x5d/0x100
[ 71.050746][ T5305] sco_connect_cfm+0x439/0xae0
[ 71.052525][ T5305] ? hci_cb_lookup+0x1b3/0x3c0
[ 71.054244][ T5305] ? __pfx_sco_connect_cfm+0x10/0x10
[ 71.056296][ T5305] ? hci_cb_lookup+0x3a0/0x3c0
[ 71.058044][ T5305] ? __pfx_sco_connect_cfm+0x10/0x10
[ 71.059989][ T5305] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 71.062077][ T5305] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 71.064325][ T5305] ? skb_pull_data+0x112/0x230
[ 71.066088][ T5305] hci_event_packet+0xac2/0x1540
[ 71.067935][ T5305] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 71.070279][ T5305] ? __pfx_hci_event_packet+0x10/0x10
[ 71.072274][ T5305] ? do_raw_spin_unlock+0x58/0x8b0
[ 71.074205][ T5305] ? hci_send_to_monitor+0xd8/0x7f0
[ 71.076153][ T5305] ? kcov_remote_start+0x97/0x7d0
[ 71.078012][ T5305] hci_rx_work+0x3f3/0xdb0
[ 71.079742][ T5305] ? process_scheduled_works+0x976/0x1840
[ 71.081862][ T5305] process_scheduled_works+0xa66/0x1840
[ 71.084367][ T5305] ? __pfx_process_scheduled_works+0x10/0x10
[ 71.086562][ T5305] ? assign_work+0x364/0x3d0
[ 71.088323][ T5305] worker_thread+0x870/0xd30
[ 71.089894][ T5305] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 71.091998][ T5305] ? __kthread_parkme+0x169/0x1d0
[ 71.093755][ T5305] ? __pfx_worker_thread+0x10/0x10
[ 71.095728][ T5305] kthread+0x2f0/0x390
[ 71.097172][ T5305] ? __pfx_worker_thread+0x10/0x10
[ 71.099083][ T5305] ? __pfx_kthread+0x10/0x10
[ 71.100783][ T5305] ret_from_fork+0x4b/0x80
[ 71.102410][ T5305] ? __pfx_kthread+0x10/0x10
[ 71.104132][ T5305] ret_from_fork_asm+0x1a/0x30
[ 71.105839][ T5305]
[ 71.117740][ T5319]
[ 71.118785][ T5319] ======================================================
[ 71.121008][ T5319] WARNING: possible circular locking dependency detected
[ 71.123381][ T5319] 6.13.0-rc3-syzkaller-00289-g48f506ad0b68 #0 Tainted: G W
[ 71.126506][ T5319] ------------------------------------------------------
[ 71.129091][ T5319] syz.0.0/5319 is trying to acquire lock:
[ 71.131182][ T5319] ffff88804040b220 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 71.134217][ T5319]
[ 71.134217][ T5319] but task is already holding lock:
[ 71.136861][ T5319] ffff88804416f258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 71.140756][ T5319]
[ 71.140756][ T5319] which lock already depends on the new lock.
[ 71.140756][ T5319]
[ 71.144511][ T5319]
[ 71.144511][ T5319] the existing dependency chain (in reverse order) is:
[ 71.147744][ T5319]
[ 71.147744][ T5319] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 71.150796][ T5319] lock_acquire+0x1ed/0x550
[ 71.152704][ T5319] lock_sock_nested+0x48/0x100
[ 71.154721][ T5319] bt_accept_dequeue+0xfa/0x570
[ 71.156714][ T5319] __sco_sock_close+0xd2/0x310
[ 71.158577][ T5319] sco_sock_release+0xb3/0x320
[ 71.160465][ T5319] sock_close+0xbc/0x240
[ 71.162153][ T5319] __fput+0x23c/0xa50
[ 71.163809][ T5319] task_work_run+0x24f/0x310
[ 71.165572][ T5319] syscall_exit_to_user_mode+0x13f/0x340
[ 71.167824][ T5319] do_syscall_64+0x100/0x230
[ 71.169639][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.172062][ T5319]
[ 71.172062][ T5319] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 71.175308][ T5319] lock_acquire+0x1ed/0x550
[ 71.177193][ T5319] lock_sock_nested+0x48/0x100
[ 71.179223][ T5319] sco_connect_cfm+0x439/0xae0
[ 71.181142][ T5319] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 71.183441][ T5319] hci_event_packet+0xac2/0x1540
[ 71.185413][ T5319] hci_rx_work+0x3f3/0xdb0
[ 71.187251][ T5319] process_scheduled_works+0xa66/0x1840
[ 71.189310][ T5319] worker_thread+0x870/0xd30
[ 71.191286][ T5319] kthread+0x2f0/0x390
[ 71.193010][ T5319] ret_from_fork+0x4b/0x80
[ 71.194802][ T5319] ret_from_fork_asm+0x1a/0x30
[ 71.196774][ T5319]
[ 71.196774][ T5319] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[ 71.199464][ T5319] validate_chain+0x18ef/0x5920
[ 71.201369][ T5319] __lock_acquire+0x1397/0x2100
[ 71.203384][ T5319] lock_acquire+0x1ed/0x550
[ 71.205207][ T5319] _raw_spin_lock+0x2e/0x40
[ 71.207273][ T5319] sco_chan_del+0x74/0x180
[ 71.209080][ T5319] __sco_sock_close+0x152/0x310
[ 71.210999][ T5319] sco_sock_release+0xb3/0x320
[ 71.213257][ T5319] sock_close+0xbc/0x240
[ 71.215124][ T5319] __fput+0x23c/0xa50
[ 71.216931][ T5319] task_work_run+0x24f/0x310
[ 71.218993][ T5319] syscall_exit_to_user_mode+0x13f/0x340
[ 71.221296][ T5319] do_syscall_64+0x100/0x230
[ 71.223349][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.225824][ T5319]
[ 71.225824][ T5319] other info that might help us debug this:
[ 71.225824][ T5319]
[ 71.229392][ T5319] Chain exists of:
[ 71.229392][ T5319] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 71.229392][ T5319]
[ 71.239185][ T5319] Possible unsafe locking scenario:
[ 71.239185][ T5319]
[ 71.242040][ T5319]        CPU0                    CPU1
[ 71.244081][ T5319]        ----                    ----
[ 71.246100][ T5319]   lock(sk_lock-AF_BLUETOOTH);
[ 71.247944][ T5319]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 71.251134][ T5319]                                lock(sk_lock-AF_BLUETOOTH);
[ 71.253773][ T5319]   lock(&conn->lock#2);
[ 71.255215][ T5319]
[ 71.255215][ T5319] *** DEADLOCK ***
[ 71.255215][ T5319]
[ 71.257961][ T5319] 3 locks held by syz.0.0/5319:
[ 71.259743][ T5319] #0: ffff888045909408 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 71.263436][ T5319] #1: ffff88804416b258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 71.267285][ T5319] #2: ffff88804416f258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 71.270659][ T5319]
[ 71.270659][ T5319] stack backtrace:
[ 71.272644][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Tainted: G W 6.13.0-rc3-syzkaller-00289-g48f506ad0b68 #0
[ 71.276867][ T5319] Tainted: [W]=WARN
[ 71.278295][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 71.282302][ T5319] Call Trace:
[ 71.283614][ T5319]
[ 71.284782][ T5319] dump_stack_lvl+0x241/0x360
[ 71.286609][ T5319] ? __pfx_dump_stack_lvl+0x10/0x10
[ 71.288605][ T5319] ? __pfx__printk+0x10/0x10
[ 71.290343][ T5319] print_circular_bug+0x13a/0x1b0
[ 71.292269][ T5319] check_noncircular+0x36a/0x4a0
[ 71.294131][ T5319] ? __pfx_check_noncircular+0x10/0x10
[ 71.296268][ T5319] ? lockdep_lock+0x123/0x2b0
[ 71.298114][ T5319] validate_chain+0x18ef/0x5920
[ 71.299991][ T5319] ? debug_object_assert_init+0x2dd/0x4b0
[ 71.302144][ T5319] ? do_raw_spin_unlock+0x58/0x8b0
[ 71.304099][ T5319] ? __pfx_validate_chain+0x10/0x10
[ 71.305914][ T5319] ? __pfx_stack_trace_save+0x10/0x10
[ 71.307861][ T5319] ? debug_object_assert_init+0x2dd/0x4b0
[ 71.310140][ T5319] ? __pfx_debug_object_assert_init+0x10/0x10
[ 71.312299][ T5319] ? mark_lock+0x9a/0x360
[ 71.313737][ T5319] __lock_acquire+0x1397/0x2100
[ 71.315445][ T5319] lock_acquire+0x1ed/0x550
[ 71.317181][ T5319] ? sco_chan_del+0x74/0x180
[ 71.318898][ T5319] ? __pfx_lock_acquire+0x10/0x10
[ 71.320794][ T5319] ? lockdep_hardirqs_on+0x99/0x150
[ 71.322775][ T5319] ? __cancel_work+0x2ee/0x390
[ 71.324617][ T5319] ? __pfx___cancel_work+0x10/0x10
[ 71.326532][ T5319] ? __sco_sock_close+0xe8/0x310
[ 71.328400][ T5319] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 71.330582][ T5319] ? __sco_sock_close+0xe8/0x310
[ 71.332484][ T5319] _raw_spin_lock+0x2e/0x40
[ 71.334263][ T5319] ? sco_chan_del+0x74/0x180
[ 71.335994][ T5319] sco_chan_del+0x74/0x180
[ 71.337724][ T5319] __sco_sock_close+0x152/0x310
[ 71.339656][ T5319] sco_sock_release+0xb3/0x320
[ 71.341553][ T5319] sock_close+0xbc/0x240
[ 71.343192][ T5319] ? __pfx_sock_close+0x10/0x10
[ 71.344993][ T5319] __fput+0x23c/0xa50
[ 71.346484][ T5319] task_work_run+0x24f/0x310
[ 71.348237][ T5319] ? _raw_spin_unlock+0x28/0x50
[ 71.350070][ T5319] ? __pfx_task_work_run+0x10/0x10
[ 71.351987][ T5319] ? syscall_exit_to_user_mode+0xa3/0x340
[ 71.354190][ T5319] syscall_exit_to_user_mode+0x13f/0x340
[ 71.356340][ T5319] do_syscall_64+0x100/0x230
[ 71.358086][ T5319] ? clear_bhb_loop+0x35/0x90
[ 71.359893][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.362099][ T5319] RIP: 0033:0x7f6fa9785d29
[ 71.363831][ T5319] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 71.371462][ T5319] RSP: 002b:00007ffca5781f18 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 71.374510][ T5319] RAX: 0000000000000000 RBX: 00000000000114ae RCX: 00007f6fa9785d29
[ 71.377466][ T5319] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 71.380474][ T5319] RBP: 00007f6fa9977ba0 R08: 0000000000000001 R09: 00007ffca578220f
[ 71.383480][ T5319] R10: 00007f6fa95ff030 R11: 0000000000000246 R12: 0000000000011575
[ 71.386468][ T5319] R13: 00007f6fa9975fa0 R14: 0000000000000032 R15: ffffffffffffffff
[ 71.389412][ T5319]