program:
syz_emit_vhci(&(0x7f0000000e40)=ANY=[@ANYBLOB="0404"], 0xd)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000000), 0x8)
r1 = socket$netlink(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_PKTINFO(r1, 0x10e, 0xc, &(0x7f0000000200)=0x5, 0x4)
sendmsg$nl_generic(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000007c0)={0x18, 0x3e, 0x229, 0x0, 0x0, {0xa}, [@nested={0x4}]}, 0x18}, 0x1, 0x0, 0x0, 0x24004011}, 0x0)
listen(r0, 0x0)
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r2, &(0x7f0000000000)={0x1f, 0xd, @none, 0x7}, 0x47)
r3 = syz_init_net_socket$802154_raw(0x24, 0x3, 0x0)
ioctl$sock_inet_SIOCSIFADDR(r3, 0x8916, &(0x7f0000000940)={'ip6_vti0\x00', {0x2, 0x4e22, @initdev={0xac, 0x1e, 0x1, 0x0}}})
r4 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
r5 = io_uring_setup(0x3fb4, &(0x7f0000001380)={0x0, 0xa43, 0x40, 0x0, 0xb9})
io_uring_register$IORING_REGISTER_FILE_ALLOC_RANGE(r5, 0x19, &(0x7f0000001400)={0xa, 0x6}, 0x0)
ioctl$sock_bt_bnep_BNEPCONNADD(r4, 0x400442c8, &(0x7f0000000040)={r2, 0x0, 0x5, "df4a8b1cb5d1604b6539c53a"})
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[   76.328527][ T5304] Bluetooth: hci0: command tx timeout
[   76.395802][ T5304] BUG: sleeping function called from invalid context at net/core/sock.c:3664
[   76.399294][ T5304] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5304, name: kworker/u5:2
[   76.402777][ T5304] preempt_count: 1, expected: 0
[   76.404853][ T5304] RCU nest depth: 0, expected: 0
[   76.406745][ T5304] 6 locks held by kworker/u5:2/5304:
[   76.408893][ T5304]  #0: ffff8880128fa948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x98b/0x18e0
[   76.413239][ T5304]  #1: ffffc9000d2efc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0
[   76.417703][ T5304]  #2: ffff888051b98078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[   76.421624][ T5304]  #3: ffffffff9003b928 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[   76.425989][ T5304]  #4: ffff88803f6c5c20 (&conn->lock#3){+.+.}-{3:3}, at: sco_connect_cfm+0x293/0xc10
[   76.429605][ T5304]  #5: ffff8880531eb258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x456/0xc10
[   76.434198][ T5304] Preemption disabled at:
[   76.434208][ T5304] [<0000000000000000>] 0x0
[   76.437544][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted 6.14.0-syzkaller #0
[   76.437560][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.437572][ T5304] Workqueue: hci0 hci_rx_work
[   76.437588][ T5304] Call Trace:
[   76.437594][ T5304]  <TASK>
[   76.437600][ T5304]  dump_stack_lvl+0x241/0x360
[   76.437617][ T5304]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.437630][ T5304]  ? __pfx__printk+0x10/0x10
[   76.437647][ T5304]  __might_resched+0x5d4/0x780
[   76.437664][ T5304]  ? __pfx_lock_acquire+0x10/0x10
[   76.437681][ T5304]  ? __pfx___might_resched+0x10/0x10
[   76.437692][ T5304]  ? __pfx_lock_release+0x10/0x10
[   76.437705][ T5304]  ? do_raw_spin_lock+0x14f/0x370
[   76.437720][ T5304]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   76.437734][ T5304]  lock_sock_nested+0x5d/0x100
[   76.437750][ T5304]  sco_connect_cfm+0x456/0xc10
[   76.437765][ T5304]  ? __pfx___mutex_lock+0x10/0x10
[   76.437785][ T5304]  ? __pfx_sco_connect_cfm+0x10/0x10
[   76.437801][ T5304]  ? hci_conn_add_sysfs+0xfc/0x200
[   76.437812][ T5304]  ? __pfx_sco_connect_cfm+0x10/0x10
[   76.437824][ T5304]  hci_sync_conn_complete_evt+0x5ab/0xaa0
[   76.437840][ T5304]  hci_event_packet+0xac1/0x1540
[   76.437854][ T5304]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   76.437870][ T5304]  ? __pfx_hci_event_packet+0x10/0x10
[   76.437883][ T5304]  ? do_raw_spin_unlock+0x58/0x8b0
[   76.437898][ T5304]  ? kcov_remote_start+0x420/0x7d0
[   76.437912][ T5304]  ? insn_decode_mmio+0x2c0/0x580
[   76.437928][ T5304]  ? hci_send_to_monitor+0xdc/0x530
[   76.437945][ T5304]  hci_rx_work+0x3f3/0xdb0
[   76.437958][ T5304]  ? process_scheduled_works+0x9c6/0x18e0
[   76.437966][ T5304]  process_scheduled_works+0xabe/0x18e0
[   76.437983][ T5304]  ? __pfx_process_scheduled_works+0x10/0x10
[   76.437995][ T5304]  ? assign_work+0x364/0x3d0
[   76.438005][ T5304]  worker_thread+0x870/0xd30
[   76.438018][ T5304]  ? __kthread_parkme+0x169/0x1d0
[   76.438028][ T5304]  ? __pfx_worker_thread+0x10/0x10
[   76.438046][ T5304]  kthread+0x7a9/0x920
[   76.438059][ T5304]  ? __pfx_kthread+0x10/0x10
[   76.438075][ T5304]  ? __pfx_worker_thread+0x10/0x10
[   76.438088][ T5304]  ? __pfx_kthread+0x10/0x10
[   76.438103][ T5304]  ? __pfx_kthread+0x10/0x10
[   76.438119][ T5304]  ? __pfx_kthread+0x10/0x10
[   76.438128][ T5304]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.438136][ T5304]  ? lockdep_hardirqs_on+0x99/0x150
[   76.438144][ T5304]  ? __pfx_kthread+0x10/0x10
[   76.438154][ T5304]  ret_from_fork+0x4b/0x80
[   76.438162][ T5304]  ? __pfx_kthread+0x10/0x10
[   76.438174][ T5304]  ret_from_fork_asm+0x1a/0x30
[   76.438194][ T5304]  </TASK>
[   76.554842][ T1310] ieee802154 phy0 wpan0: encryption failed: -22
[   76.557717][ T1310] ieee802154 phy1 wpan1: encryption failed: -22
[   76.570965][ T5319] 
[   76.571976][ T5319] ======================================================
[   76.574756][ T5319] WARNING: possible circular locking dependency detected
[   76.577404][ T5319] 6.14.0-syzkaller #0 Tainted: G        W         
[   76.579997][ T5319] ------------------------------------------------------
[   76.582629][ T5319] syz.0.0/5319 is trying to acquire lock:
[   76.584891][ T5319] ffff88803f6c5c20 (&conn->lock#3){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   76.588196][ T5319] 
[   76.588196][ T5319] but task is already holding lock:
[   76.591226][ T5319] ffff888012735258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   76.595011][ T5319] 
[   76.595011][ T5319] which lock already depends on the new lock.
[   76.595011][ T5319] 
[   76.599119][ T5319] 
[   76.599119][ T5319] the existing dependency chain (in reverse order) is:
[   76.602443][ T5319] 
[   76.602443][ T5319] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   76.605601][ T5319]        lock_acquire+0x1ed/0x550
[   76.607581][ T5319]        lock_sock_nested+0x48/0x100
[   76.609637][ T5319]        bt_accept_dequeue+0xfa/0x570
[   76.611653][ T5319]        __sco_sock_close+0xd2/0x310
[   76.613790][ T5319]        sco_sock_release+0xb3/0x320
[   76.615873][ T5319]        sock_close+0xbc/0x240
[   76.617932][ T5319]        __fput+0x3e9/0x9f0
[   76.619821][ T5319]        task_work_run+0x24f/0x310
[   76.621835][ T5319]        syscall_exit_to_user_mode+0x13f/0x340
[   76.624120][ T5319]        do_syscall_64+0x100/0x230
[   76.626038][ T5319]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.628541][ T5319] 
[   76.628541][ T5319] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   76.632009][ T5319]        lock_acquire+0x1ed/0x550
[   76.633827][ T5319]        lock_sock_nested+0x48/0x100
[   76.635875][ T5319]        sco_connect_cfm+0x456/0xc10
[   76.638013][ T5319]        hci_sync_conn_complete_evt+0x5ab/0xaa0
[   76.640122][ T5319]        hci_event_packet+0xac1/0x1540
[   76.642015][ T5319]        hci_rx_work+0x3f3/0xdb0
[   76.643861][ T5319]        process_scheduled_works+0xabe/0x18e0
[   76.646009][ T5319]        worker_thread+0x870/0xd30
[   76.647666][ T5319]        kthread+0x7a9/0x920
[   76.649263][ T5319]        ret_from_fork+0x4b/0x80
[   76.651148][ T5319]        ret_from_fork_asm+0x1a/0x30
[   76.653289][ T5319] 
[   76.653289][ T5319] -> #0 (&conn->lock#3){+.+.}-{3:3}:
[   76.656279][ T5319]        validate_chain+0x18ef/0x5920
[   76.658433][ T5319]        __lock_acquire+0x1397/0x2100
[   76.660657][ T5319]        lock_acquire+0x1ed/0x550
[   76.662610][ T5319]        _raw_spin_lock+0x2e/0x40
[   76.664646][ T5319]        sco_chan_del+0x74/0x180
[   76.666645][ T5319]        __sco_sock_close+0x152/0x310
[   76.668771][ T5319]        sco_sock_release+0xb3/0x320
[   76.670872][ T5319]        sock_close+0xbc/0x240
[   76.672795][ T5319]        __fput+0x3e9/0x9f0
[   76.674833][ T5319]        task_work_run+0x24f/0x310
[   76.676756][ T5319]        syscall_exit_to_user_mode+0x13f/0x340
[   76.678968][ T5319]        do_syscall_64+0x100/0x230
[   76.680903][ T5319]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.683287][ T5319] 
[   76.683287][ T5319] other info that might help us debug this:
[   76.683287][ T5319] 
[   76.686832][ T5319] Chain exists of:
[   76.686832][ T5319]   &conn->lock#3 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   76.686832][ T5319] 
[   76.692356][ T5319]  Possible unsafe locking scenario:
[   76.692356][ T5319] 
[   76.695264][ T5319]        CPU0                    CPU1
[   76.697427][ T5319]        ----                    ----
[   76.699564][ T5319]   lock(sk_lock-AF_BLUETOOTH);
[   76.701227][ T5319]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   76.703563][ T5319]                                lock(sk_lock-AF_BLUETOOTH);
[   76.705871][ T5319]   lock(&conn->lock#3);
[   76.707603][ T5319] 
[   76.707603][ T5319]  *** DEADLOCK ***
[   76.707603][ T5319] 
[   76.710795][ T5319] 3 locks held by syz.0.0/5319:
[   76.712722][ T5319]  #0: ffff8880436df808 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   76.716712][ T5319]  #1: ffff8880531eb258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   76.720732][ T5319]  #2: ffff888012735258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   76.724732][ T5319] 
[   76.724732][ T5319] stack backtrace:
[   76.727019][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Tainted: G        W          6.14.0-syzkaller #0
[   76.727038][ T5319] Tainted: [W]=WARN
[   76.727041][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.727047][ T5319] Call Trace:
[   76.727054][ T5319]  <TASK>
[   76.727060][ T5319]  dump_stack_lvl+0x241/0x360
[   76.727074][ T5319]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.727082][ T5319]  ? __pfx__printk+0x10/0x10
[   76.727093][ T5319]  print_circular_bug+0x13a/0x1b0
[   76.727106][ T5319]  check_noncircular+0x36a/0x4a0
[   76.727117][ T5319]  ? __pfx_check_noncircular+0x10/0x10
[   76.727128][ T5319]  ? lockdep_lock+0x123/0x2b0
[   76.727143][ T5319]  validate_chain+0x18ef/0x5920
[   76.727157][ T5319]  ? do_raw_spin_lock+0x14f/0x370
[   76.727169][ T5319]  ? __pfx_validate_chain+0x10/0x10
[   76.727179][ T5319]  ? do_raw_spin_unlock+0x58/0x8b0
[   76.727192][ T5319]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   76.727206][ T5319]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.727218][ T5319]  ? __lock_acquire+0x1397/0x2100
[   76.727233][ T5319]  ? debug_object_assert_init+0x2dd/0x4b0
[   76.727289][ T5319]  ? __pfx_debug_object_assert_init+0x10/0x10
[   76.727303][ T5319]  ? mark_lock+0x9a/0x360
[   76.727313][ T5319]  __lock_acquire+0x1397/0x2100
[   76.727330][ T5319]  lock_acquire+0x1ed/0x550
[   76.727343][ T5319]  ? sco_chan_del+0x74/0x180
[   76.727357][ T5319]  ? __pfx_lock_acquire+0x10/0x10
[   76.727370][ T5319]  ? __cancel_work+0x24a/0x390
[   76.727384][ T5319]  ? lockdep_hardirqs_on+0x99/0x150
[   76.727398][ T5319]  ? __cancel_work+0x2ee/0x390
[   76.727412][ T5319]  ? __pfx___cancel_work+0x10/0x10
[   76.727425][ T5319]  ? __sco_sock_close+0xe8/0x310
[   76.727436][ T5319]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   76.727448][ T5319]  _raw_spin_lock+0x2e/0x40
[   76.727460][ T5319]  ? sco_chan_del+0x74/0x180
[   76.727471][ T5319]  sco_chan_del+0x74/0x180
[   76.727484][ T5319]  __sco_sock_close+0x152/0x310
[   76.727496][ T5319]  sco_sock_release+0xb3/0x320
[   76.727508][ T5319]  sock_close+0xbc/0x240
[   76.727521][ T5319]  ? __pfx_sock_close+0x10/0x10
[   76.727533][ T5319]  __fput+0x3e9/0x9f0
[   76.727549][ T5319]  task_work_run+0x24f/0x310
[   76.727559][ T5319]  ? _raw_spin_unlock+0x28/0x50
[   76.727571][ T5319]  ? __pfx_task_work_run+0x10/0x10
[   76.727581][ T5319]  ? syscall_exit_to_user_mode+0xa3/0x340
[   76.727595][ T5319]  syscall_exit_to_user_mode+0x13f/0x340
[   76.727610][ T5319]  do_syscall_64+0x100/0x230
[   76.727619][ T5319]  ? clear_bhb_loop+0x35/0x90
[   76.727635][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.727648][ T5319] RIP: 0033:0x7f850818d169
[   76.727660][ T5319] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   76.727668][ T5319] RSP: 002b:00007ffe4e32af98 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   76.727680][ T5319] RAX: 0000000000000000 RBX: 00000000000129ae RCX: 00007f850818d169
[   76.727686][ T5319] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   76.727692][ T5319] RBP: 00007f85083a7ba0 R08: 0000000000000001 R09: 000000104e32b28f
[   76.727698][ T5319] R10: 00007f8507fff02c R11: 0000000000000246 R12: 00007f85083a5fac
[   76.727705][ T5319] R13: 00007f85083a5fa0 R14: ffffffffffffffff R15: 00007ffe4e32b0b0
[   76.727715][ T5319]  </TASK>