program:
# Triage notes (reviewer): syzkaller reproducer for the two kernel splats in the console
# log that follows, both on 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b:
#   1. "BUG: sleeping function called from invalid context": lock_sock_nested() is reached
#      from sco_connect_cfm() while &conn->lock (taken with _raw_spin_lock elsewhere in the
#      log) is held, so preempt_count is 1 where 0 is expected.
#   2. "possible circular locking dependency": the close path holds an AF_BLUETOOTH sk_lock
#      and then takes &conn->lock in sco_chan_del(), the reverse of the order in (1).
# Both traces sit in Bluetooth SCO code. The calls that map onto them are the bt_sco socket
# setup and the two syz_emit_vhci injections; the other calls touch subsystems that do not
# appear in either call trace. Use the program to confirm that a patched kernel logs neither
# splat with lockdep and atomic-sleep debugging enabled.

# AF_INET6 (0xa), SOCK_DGRAM (0x2). r0 is reused below as a payload field and as an ioctl fd.
r0 = socket$inet6_udp(0xa, 0x2, 0x0)
# AF_NETLINK (0x10), SOCK_RAW (0x3), NETLINK_ROUTE (0x0); the message embeds r0 as raw bytes.
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000400)=ANY=[@ANYBLOB="28000000fc00"/20, @ANYRES32=r0, @ANYRESHEX=0x0], 0x28}}, 0x0)
# NETLINK_GENERIC (0x10) socket; the returned fd is not bound to a resource name.
socket$nl_generic(0x10, 0x3, 0x10)
request_key(&(0x7f0000000000)='rxrpc_s\x00', &(0x7f0000001ffb)={'syz', 0x3, 0x3}, &(0x7f0000001fee)='y\xa9rustV\x1eS=\xd4\x16\x95::\x01\x00\x00', 0x0)
# fd argument is -1 here.
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
# AF_BLUETOOTH (0x1f), SOCK_SEQPACKET (0x5), BTPROTO_SCO (0x2): this matches the
# sk_lock-AF_BLUETOOTH-BTPROTO_SCO lock class named in both splats.
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# bind + listen (backlog 0) leave r2 listening. bt_accept_dequeue() under __sco_sock_close()
# in the lockdep chain is consistent with a listening SCO socket being torn down.
bind$bt_sco(r2, &(0x7f0000000480), 0x8)
listen(r2, 0x0)
# syz_emit_vhci is a syzkaller pseudo-syscall that feeds bytes to the virtual HCI controller.
# Only two bytes are given explicitly: 0x04 (the same packet type as HCI_EVENT_PKT below) and
# event code 0x04. NOTE(review): presumably a connection-request event; confirm.
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
# HCI event 0x2c with parameter length 0x11, typed hci_ev_sync_conn_complete. The first trace
# shows the handler chain hci_rx_work -> hci_event_packet -> hci_sync_conn_complete_evt ->
# sco_connect_cfm running in the hci0 workqueue.
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
openat$sequencer2(0xffffffffffffff9c, &(0x7f0000000000), 0x1, 0x0)
# Closes the literal descriptor number 3, not a named resource.
# NOTE(review): the register dump in the lockdep trace shows ORIG_RAX 0x1b4 with RDI 0x3 and
# RSI 0x1e, which is not the close syscall number. The socket release in that trace presumably
# comes from a later bulk descriptor close at teardown rather than from this call; confirm.
close(0x3)
# fd argument is -1 here as well.
sendmsg$WG_CMD_SET_DEVICE(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0xfffffffffffffdb0, 0x0, 0x1, 0x70bd31, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg2\x00'}, @WGDEVICE_A_PRIVATE_KEY={0x24, 0x3, @c}]}, 0x4c}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
# AF_ALG (0x26) socket; bound to the aead "aegis128-generic" transform and keyed further down.
r3 = socket$alg(0x26, 0x5, 0x0)
# AF_INET6 datagram socket with protocol 0x3a (ICMPv6), then one 8-byte send to a
# link-local (fe80::/10) address.
r4 = socket$inet6(0xa, 0x2, 0x3a)
setsockopt$inet6_int(r4, 0x29, 0x10, &(0x7f0000000000), 0x4)
sendto$inet6(r4, &(0x7f0000000180)="800037bbfa9ba1ce", 0x8, 0x488c0, &(0x7f00000003c0)={0xa, 0x1, 0x0, @dev={0xfe, 0x80, '\x00', 0x2d}, 0x9}, 0x1c)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$RFKILL_IOCTL_NOINPUT(r5, 0x5202)
bind$alg(r3, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'aegis128-generic\x00'}, 0x58)
# Changes only the real GID (to 0xee01); the other two IDs are passed as -1.
setresgid(0xee01, 0xffffffffffffffff, 0xffffffffffffffff)
syz_open_dev$loop(&(0x7f00000000c0), 0x5, 0x101080)
# 16-byte key for the AF_ALG transform; r6 is the operation socket obtained via accept4.
setsockopt$ALG_SET_KEY(r3, 0x117, 0x1, &(0x7f0000000140)="2c385aa3d49100dc6626c892b6bc436a", 0x10)
r6 = accept4(r3, 0x0, 0x0, 0x0)
# 0x8933 is SIOCGIFINDEX, issued on the UDP socket r0.
ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000240))
# Control message only, no data iovec.
# NOTE(review): presumably the source of the "sent an empty control message without MSG_MORE"
# line in the log; confirm.
sendmsg$alg(r6, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000080)=[@assoc={0x18, 0x117, 0x4, 0x200}], 0x18}, 0x0)
# A netlink-typed sendmsg variant applied to the AF_ALG operation socket r6.
sendmsg$nl_route_sched_retired(r6, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000012100), 0xe078}}, 0x0)
recvmmsg(r6, &(0x7f0000000b00)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, &(0x7f0000000200)=[{&(0x7f0000000c40)=""/232, 0xe8}], 0x1}}], 0x2, 0x0, 0x0)
# 0x8946 is SIOCETHTOOL; the request names wlan1 and carries ethtool command 0x10.
ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000000340)={'wlan1\x00', &(0x7f00000003c0)=@ethtool_ringparam={0x10, 0x0, 0x10}})
[ 75.847672][ T48] Bluetooth: hci0: command tx timeout
[ 75.953489][ T48] BUG: sleeping function called from invalid context at net/core/sock.c:3624
[ 75.956978][ T48] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 48, name: kworker/u5:0
[ 75.960584][ T48] preempt_count: 1, expected: 0
[ 75.962206][ T48] RCU nest depth: 0, expected: 0
[ 75.963978][ T48] 6 locks held by kworker/u5:0/48:
[ 75.965758][ T48] #0: ffff8880438f0148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[ 75.969941][ T48] #1: ffffc90000637d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[ 75.974108][ T48] #2: ffff88804427c078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[ 75.978008][ T48] #3: ffffffff8fe0fda8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[ 75.982377][ T48] #4: ffff8880424e6c20 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x28a/0xb40
[ 75.986041][ T48] #5: ffff888052dd4258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40
[ 75.990611][ T48] Preemption disabled at:
[ 75.990629][ T48] [<0000000000000000>] 0x0
[ 75.994095][ T48] CPU: 0 UID: 0 PID: 48 Comm: kworker/u5:0 Not tainted 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b #0
[ 75.997994][ T48] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.002019][ T48] Workqueue: hci0 hci_rx_work
[ 76.003858][ T48] Call Trace:
[ 76.005175][ T48] <TASK>
[ 76.006352][ T48] dump_stack_lvl+0x241/0x360
[ 76.008203][ T48] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.010053][ T48] ? __pfx__printk+0x10/0x10
[ 76.011578][ T48] __might_resched+0x5d4/0x780
[ 76.013186][ T48] ? __pfx_lock_acquire+0x10/0x10
[ 76.014868][ T48] ? __pfx___might_resched+0x10/0x10
[ 76.016556][ T48] ? __pfx_lock_release+0x10/0x10
[ 76.018214][ T48] ? do_raw_spin_lock+0x14f/0x370
[ 76.020433][ T48] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.022394][ T48] lock_sock_nested+0x5d/0x100
[ 76.024222][ T48] sco_connect_cfm+0x461/0xb40
[ 76.026099][ T48] ? __pfx_sco_connect_cfm+0x10/0x10
[ 76.028171][ T48] ? hci_conn_add_sysfs+0xfc/0x200
[ 76.030128][ T48] ? __pfx_sco_connect_cfm+0x10/0x10
[ 76.032173][ T48] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 76.034284][ T48] hci_event_packet+0xac2/0x1540
[ 76.036202][ T48] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 76.039010][ T48] ? __pfx_hci_event_packet+0x10/0x10
[ 76.041367][ T48] ? do_raw_spin_unlock+0x58/0x8b0
[ 76.043245][ T48] ? hci_send_to_monitor+0xd8/0x7f0
[ 76.045312][ T48] ? kcov_remote_start+0x97/0x7d0
[ 76.047149][ T48] hci_rx_work+0x3f3/0xdb0
[ 76.049076][ T48] ? process_scheduled_works+0x976/0x1840
[ 76.051137][ T48] process_scheduled_works+0xa66/0x1840
[ 76.053186][ T48] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.055436][ T48] ? assign_work+0x364/0x3d0
[ 76.057146][ T48] worker_thread+0x870/0xd30
[ 76.058964][ T48] ? __kthread_parkme+0x169/0x1d0
[ 76.060874][ T48] ? __pfx_worker_thread+0x10/0x10
[ 76.062835][ T48] kthread+0x2f0/0x390
[ 76.064416][ T48] ? __pfx_worker_thread+0x10/0x10
[ 76.066275][ T48] ? __pfx_kthread+0x10/0x10
[ 76.068117][ T48] ret_from_fork+0x4b/0x80
[ 76.069864][ T48] ? __pfx_kthread+0x10/0x10
[ 76.071701][ T48] ret_from_fork_asm+0x1a/0x30
[ 76.073477][ T48] </TASK>
[ 76.098914][ T5315] trusted_key: syz.0.0 sent an empty control message without MSG_MORE.
[ 76.104395][ T5313]
[ 76.105383][ T5313] ======================================================
[ 76.108105][ T5313] WARNING: possible circular locking dependency detected
[ 76.110912][ T5313] 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b #0 Tainted: G W
[ 76.114043][ T5313] ------------------------------------------------------
[ 76.116644][ T5313] syz.0.0/5313 is trying to acquire lock:
[ 76.118707][ T5313] ffff8880424e6c20 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 76.121909][ T5313]
[ 76.121909][ T5313] but task is already holding lock:
[ 76.124647][ T5313] ffff888052dd5258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 76.128125][ T5313]
[ 76.128125][ T5313] which lock already depends on the new lock.
[ 76.128125][ T5313]
[ 76.131909][ T5313]
[ 76.131909][ T5313] the existing dependency chain (in reverse order) is:
[ 76.135172][ T5313]
[ 76.135172][ T5313] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 76.138138][ T5313] lock_acquire+0x1ed/0x550
[ 76.140081][ T5313] lock_sock_nested+0x48/0x100
[ 76.142020][ T5313] bt_accept_dequeue+0xfa/0x570
[ 76.144001][ T5313] __sco_sock_close+0xd2/0x310
[ 76.145981][ T5313] sco_sock_release+0xb3/0x320
[ 76.147922][ T5313] sock_close+0xbc/0x240
[ 76.149725][ T5313] __fput+0x23c/0xa50
[ 76.151518][ T5313] task_work_run+0x24f/0x310
[ 76.153523][ T5313] syscall_exit_to_user_mode+0x13f/0x340
[ 76.155956][ T5313] do_syscall_64+0x100/0x230
[ 76.158077][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.160794][ T5313]
[ 76.160794][ T5313] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 76.164140][ T5313] lock_acquire+0x1ed/0x550
[ 76.166098][ T5313] lock_sock_nested+0x48/0x100
[ 76.168070][ T5313] sco_connect_cfm+0x461/0xb40
[ 76.170021][ T5313] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 76.172379][ T5313] hci_event_packet+0xac2/0x1540
[ 76.174370][ T5313] hci_rx_work+0x3f3/0xdb0
[ 76.176212][ T5313] process_scheduled_works+0xa66/0x1840
[ 76.178537][ T5313] worker_thread+0x870/0xd30
[ 76.180421][ T5313] kthread+0x2f0/0x390
[ 76.182009][ T5313] ret_from_fork+0x4b/0x80
[ 76.183712][ T5313] ret_from_fork_asm+0x1a/0x30
[ 76.185643][ T5313]
[ 76.185643][ T5313] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[ 76.188500][ T5313] validate_chain+0x18ef/0x5920
[ 76.190549][ T5313] __lock_acquire+0x1397/0x2100
[ 76.192491][ T5313] lock_acquire+0x1ed/0x550
[ 76.194348][ T5313] _raw_spin_lock+0x2e/0x40
[ 76.196181][ T5313] sco_chan_del+0x74/0x180
[ 76.198059][ T5313] __sco_sock_close+0x152/0x310
[ 76.200026][ T5313] sco_sock_release+0xb3/0x320
[ 76.201975][ T5313] sock_close+0xbc/0x240
[ 76.203813][ T5313] __fput+0x23c/0xa50
[ 76.205532][ T5313] task_work_run+0x24f/0x310
[ 76.207453][ T5313] syscall_exit_to_user_mode+0x13f/0x340
[ 76.209814][ T5313] do_syscall_64+0x100/0x230
[ 76.211706][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.214019][ T5313]
[ 76.214019][ T5313] other info that might help us debug this:
[ 76.214019][ T5313]
[ 76.217713][ T5313] Chain exists of:
[ 76.217713][ T5313] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 76.217713][ T5313]
[ 76.222951][ T5313] Possible unsafe locking scenario:
[ 76.222951][ T5313]
[ 76.225616][ T5313]        CPU0                    CPU1
[ 76.227661][ T5313]        ----                    ----
[ 76.229616][ T5313]   lock(sk_lock-AF_BLUETOOTH);
[ 76.231382][ T5313]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 76.234455][ T5313]                                lock(sk_lock-AF_BLUETOOTH);
[ 76.237114][ T5313]   lock(&conn->lock#2);
[ 76.238650][ T5313]
[ 76.238650][ T5313] *** DEADLOCK ***
[ 76.238650][ T5313]
[ 76.241851][ T5313] 3 locks held by syz.0.0/5313:
[ 76.243645][ T5313] #0: ffff888043dab208 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 76.247383][ T5313] #1: ffff888052dd4258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 76.251485][ T5313] #2: ffff888052dd5258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 76.254991][ T5313]
[ 76.254991][ T5313] stack backtrace:
[ 76.257133][ T5313] CPU: 0 UID: 0 PID: 5313 Comm: syz.0.0 Tainted: G W 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b #0
[ 76.261343][ T5313] Tainted: [W]=WARN
[ 76.262760][ T5313] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.266766][ T5313] Call Trace:
[ 76.268100][ T5313] <TASK>
[ 76.269225][ T5313] dump_stack_lvl+0x241/0x360
[ 76.270880][ T5313] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.272723][ T5313] ? __pfx__printk+0x10/0x10
[ 76.274344][ T5313] print_circular_bug+0x13a/0x1b0
[ 76.276113][ T5313] check_noncircular+0x36a/0x4a0
[ 76.277862][ T5313] ? __pfx_check_noncircular+0x10/0x10
[ 76.279805][ T5313] ? lockdep_lock+0x123/0x2b0
[ 76.281479][ T5313] validate_chain+0x18ef/0x5920
[ 76.283136][ T5313] ? debug_object_assert_init+0x2dd/0x4b0
[ 76.285333][ T5313] ? do_raw_spin_unlock+0x58/0x8b0
[ 76.287274][ T5313] ? __pfx_validate_chain+0x10/0x10
[ 76.289260][ T5313] ? __pfx_stack_trace_save+0x10/0x10
[ 76.291240][ T5313] ? debug_object_assert_init+0x2dd/0x4b0
[ 76.293253][ T5313] ? __pfx_debug_object_assert_init+0x10/0x10
[ 76.295436][ T5313] ? mark_lock+0x9a/0x360
[ 76.296961][ T5313] __lock_acquire+0x1397/0x2100
[ 76.298716][ T5313] lock_acquire+0x1ed/0x550
[ 76.300484][ T5313] ? sco_chan_del+0x74/0x180
[ 76.302283][ T5313] ? __pfx_lock_acquire+0x10/0x10
[ 76.304202][ T5313] ? lockdep_hardirqs_on+0x99/0x150
[ 76.306208][ T5313] ? __cancel_work+0x2ee/0x390
[ 76.308041][ T5313] ? __pfx___cancel_work+0x10/0x10
[ 76.309965][ T5313] ? __sco_sock_close+0xe8/0x310
[ 76.311825][ T5313] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 76.313917][ T5313] ? __sco_sock_close+0xe8/0x310
[ 76.315766][ T5313] _raw_spin_lock+0x2e/0x40
[ 76.317425][ T5313] ? sco_chan_del+0x74/0x180
[ 76.319205][ T5313] sco_chan_del+0x74/0x180
[ 76.320875][ T5313] __sco_sock_close+0x152/0x310
[ 76.322731][ T5313] sco_sock_release+0xb3/0x320
[ 76.324485][ T5313] sock_close+0xbc/0x240
[ 76.326204][ T5313] ? __pfx_sock_close+0x10/0x10
[ 76.328029][ T5313] __fput+0x23c/0xa50
[ 76.329673][ T5313] task_work_run+0x24f/0x310
[ 76.331441][ T5313] ? _raw_spin_unlock+0x28/0x50
[ 76.333287][ T5313] ? __pfx_task_work_run+0x10/0x10
[ 76.335194][ T5313] ? syscall_exit_to_user_mode+0xa3/0x340
[ 76.337410][ T5313] syscall_exit_to_user_mode+0x13f/0x340
[ 76.339626][ T5313] do_syscall_64+0x100/0x230
[ 76.341417][ T5313] ? clear_bhb_loop+0x35/0x90
[ 76.343268][ T5313] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.345549][ T5313] RIP: 0033:0x7f0fbfb7ff19
[ 76.347231][ T5313] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 76.354501][ T5313] RSP: 002b:00007ffc3aa57c68 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 76.357526][ T5313] RAX: 0000000000000000 RBX: 0000000000012814 RCX: 00007f0fbfb7ff19
[ 76.360523][ T5313] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 76.363509][ T5313] RBP: 00007f0fbfd47ba0 R08: 0000000000000001 R09: 00007ffc3aa57f4f
[ 76.366575][ T5313] R10: 00007f0fbf9ff02c R11: 0000000000000246 R12: 00000000000128e4
[ 76.369528][ T5313] R13: 00007f0fbfd45fa0 R14: 0000000000000032 R15: ffffffffffffffff
[ 76.372550][ T5313] </TASK>
[ 76.391354][ T1308] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.393863][ T1308] ieee802154 phy1 wpan1: encryption failed: -22