program:
# syzkaller reproducer for the two Bluetooth SCO splats in the log below.
# The two syz_emit_vhci() calls push packets into the kernel Bluetooth stack
# through the virtual HCI driver; they stand in for what a controller would
# send, so presumably the same trigger is reachable from the device side (a
# buggy or hostile controller), not only from a host process with vhci access.
# Socket: AF_BLUETOOTH (0x1f), SOCK_SEQPACKET (0x5), BTPROTO_SCO (0x2).
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# Bind an 8-byte sockaddr_sco taken from 0x7f0000000200 (its bytes are not
# shown here) and turn the socket into a listener. Its lock is the
# sk_lock-AF_BLUETOOTH-BTPROTO_SCO instance at ffff888052936258 that appears
# in BOTH splats (lock #4 in the first, lock #1 in the second).
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
# Raw 13-byte HCI packet: packet type 0x04 (HCI_EVENT_PKT, same value the typed
# packet below uses), then event code 0x04 (HCI_EV_CONN_REQUEST). Only these
# two bytes are given; the remaining 11 come from whatever is at that address.
# Presumably this creates the SCO hci_conn that the next event "completes";
# the log's "hci0: command tx timeout" fits a controller that never answers
# the command the kernel sends in reply — confirm against net/bluetooth/hci_event.c.
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
# HCI Synchronous Connection Complete event (0x2c, plen 0x11) with a zeroed
# body. Per the first splat it is handled on the hci0 rx_work worker:
# hci_sync_conn_complete_evt -> sco_connect_cfm -> lock_sock_nested while
# &conn->lock (a spinlock, lock #3) is still held, hence "sleeping function
# called from invalid context". That ordering (conn->lock, then sk_lock) is the
# reverse of the close path (sk_lock held in __sco_sock_close, then conn->lock
# in sco_chan_del), which is what lockdep flags as a possible deadlock when
# the sockets are released at process exit.
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
# The remaining calls are not referenced by either report. The ext4 mount does
# complete (loop0 lines in the log); io_uring and vsock leave no trace. They
# look like fuzzer residue a minimized reproducer could drop — not verified.
syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000040)='./control\x00', 0x200080, &(0x7f0000000200), 0x3, 0x569, &(0x7f0000000580)="$eJzs3c+PG1cdAPDvzP6wk6bdBHqAqpAAhYCieLNOG1W9NLmAUFUJUXFAHNJl11ktseMQe0t3icT2bwAJBCf4EzggcUDqiQM3jkgcEFI5IAWIQAkCJKMZz26crK068a9m9/ORJvPjzZvve3HG782z4xfAkXUmInYjYjEi3o6IpeJ4Uixxubtk5927e3vt/t3ba0l0Om/9PcnTs2PRkyfzTHHNckR8/SsR304Oxm1t71xfrddrt4r95Xbj5nJre+f8ZmN1o7ZRu1GtXlq5dOHVi69Ux1bX041f3vny5hvf+M2vP/XB73e/9P2sWCeKtN56jFO36gv7cTLzEfHGJILNwFyxXjyQ8mL/DJcnWx4eTxoRH4uIz+b3/1LM5f86AYDDrNP5aXSWevcBgMMue/4/UU7SSkSkadEJqHTH8J6P42m92Wqfu9bcurHeHSs7GQvptc167cKp0h+/m5+8kGT7K3lanp7vVx/ZvxgRpyLiR6Vj+X5lrVlfn02XBwCOvGfyz8CK9j8i/lVK00plqKx9PtUDAJ4a5VkXAACYut72vzTDcgAA0+P5HwCOniHa/+LD/t2JlwUAmA7P/wBw9Gj/AeDoedz233cEAeCp9rU338yWzv3i96/X39neut585/x6rXW90thaq6w1b92sbDSbG/lv9jQeynysZ7voE9SbzZsrL8fWu8vtWqu93Nreudpobt1oX81/1/tqbWGqtQMA+jl1+v0/JBGx+9qxfImeuRy01XC4pbMuADAzc6Nk1kGAp9qTzfb1n7GXA5i+oZrwvJPwu4mXBZiNvj/mXe67+bCfPEYQ3zOGj5Sznxx+/P/gHM/A08z4PxxdTzb+//rYywFM35ON/wOHQaeTPDrn/+J+EgBwKI3wFb7OD8bVCQFm6sMm8x7L5/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwyJyIiO9EklbyucDT7M+0Uol4NiJOxkJybbNeuxARz8XpiFgoZfsrsy40ADCi9K9JMf/X2aWXTjyaupj8u5SvI+J7P3vrx++uttu3VrLj/9g/XtqbPqz6IN8I8woCAMPplIY8MW+/q8W650H+3t3ba3vLpArZz50r8b9iKuK1+3dv50s3ZT6ygxHlvC9x/J9JzBd5yhHxQkTMjSH+7nsR8Yl+9U/ysZGTxcynvfGjiP3sVOOnD8VP87TuOut8fXwMZYGj5v0rEXG53/2Xxpl83f/+L+fvUKO7c6V7sb33vvs98eeLSHN94mf3/JlhY7z8268eONhZ6qa9F/HCfL/4yX78ZED8l4aM/6cXP/3D1wekdX4ecTb6x++Ntdxu3Fxube+c32ysbtQ2ylGtXlq5dOHVi69Ul/Mx6uW9keqD/vbauecGlS2r//EB8ct967+4n/fzQ9b/F/99+1ufebBbejT+Fz/X//V/vm/8rqxN/MLDYTqD4q8e/9XA6buz+OsD6v9hr/+5YSofER/8ZWd9yFMBgClobe9cX63Xa7dG2sieQsdxnQMbWRGHO3mvuzha0D/HJGrxhBsLk/pbnfjG/H5fcbxX/mZ2xSlXJx17LUbauDetWLN7TwKm48FNP+uSAAAAAAAAAAAAAAAAg0zjvy7Nuo4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcXv8PAAD//4vC0Ck=")
r1 = io_uring_setup(0x203c, &(0x7f00000000c0)={0x0, 0xd4b5, 0x0, 0x3})
r2 = io_uring_register$IORING_REGISTER_PERSONALITY(r1, 0x9, 0x0, 0x0)
io_uring_register$IORING_UNREGISTER_PERSONALITY(r1, 0x16, 0x20000002, r2)
socket$vsock_stream(0x28, 0x1, 0x0)
[ 75.988701][ T5306] Bluetooth: hci0: command tx timeout
[ 76.076848][ T5306] BUG: sleeping function called from invalid context at net/core/sock.c:3627
[ 76.080387][ T5306] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5306, name: kworker/u5:2
[ 76.084275][ T5306] preempt_count: 1, expected: 0
[ 76.086202][ T5306] RCU nest depth: 0, expected: 0
[ 76.088161][ T5306] 5 locks held by kworker/u5:2/5306:
[ 76.090261][ T5306] #0: ffff888040934948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[ 76.094872][ T5306] #1: ffffc9000d1ffd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[ 76.099638][ T5306] #2: ffff88804faa8078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[ 76.103976][ T5306] #3: ffff88803f476c20 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[ 76.107656][ T5306] #4: ffff888052936258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[ 76.111814][ T5306] Preemption disabled at:
[ 76.111825][ T5306] [<0000000000000000>] 0x0
[ 76.115460][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Not tainted 6.13.0-rc6-syzkaller-00051-geea6e4b4dfb8 #0
[ 76.119576][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.123778][ T5306] Workqueue: hci0 hci_rx_work
[ 76.125630][ T5306] Call Trace:
[ 76.126933][ T5306]
[ 76.128127][ T5306] dump_stack_lvl+0x241/0x360
[ 76.129971][ T5306] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.132041][ T5306] ? __pfx__printk+0x10/0x10
[ 76.133804][ T5306] __might_resched+0x5d4/0x780
[ 76.135698][ T5306] ? __pfx_lock_acquire+0x10/0x10
[ 76.137679][ T5306] ? __pfx___might_resched+0x10/0x10
[ 76.139694][ T5306] ? __pfx_lock_release+0x10/0x10
[ 76.141527][ T5306] ? do_raw_spin_lock+0x14f/0x370
[ 76.143364][ T5306] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.145343][ T5306] lock_sock_nested+0x5d/0x100
[ 76.147248][ T5306] sco_connect_cfm+0x439/0xae0
[ 76.149168][ T5306] ? hci_cb_lookup+0x1b3/0x3c0
[ 76.151071][ T5306] ? __pfx_sco_connect_cfm+0x10/0x10
[ 76.153182][ T5306] ? hci_cb_lookup+0x3a0/0x3c0
[ 76.155086][ T5306] ? __pfx_sco_connect_cfm+0x10/0x10
[ 76.157228][ T5306] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 76.159543][ T5306] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 76.161850][ T5306] ? skb_pull_data+0x112/0x230
[ 76.163688][ T5306] hci_event_packet+0xac2/0x1540
[ 76.165639][ T5306] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 76.168048][ T5306] ? __pfx_hci_event_packet+0x10/0x10
[ 76.170156][ T5306] ? do_raw_spin_unlock+0x58/0x8b0
[ 76.172151][ T5306] ? hci_send_to_monitor+0xd8/0x7f0
[ 76.174241][ T5306] ? kcov_remote_start+0x97/0x7d0
[ 76.176251][ T5306] hci_rx_work+0x3f3/0xdb0
[ 76.178098][ T5306] ? process_scheduled_works+0x976/0x1840
[ 76.180372][ T5306] process_scheduled_works+0xa66/0x1840
[ 76.182570][ T5306] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.184875][ T5306] ? assign_work+0x364/0x3d0
[ 76.186631][ T5306] worker_thread+0x870/0xd30
[ 76.188534][ T5306] ? __kthread_parkme+0x169/0x1d0
[ 76.190507][ T5306] ? __pfx_worker_thread+0x10/0x10
[ 76.192567][ T5306] kthread+0x2f0/0x390
[ 76.194174][ T5306] ? __pfx_worker_thread+0x10/0x10
[ 76.196186][ T5306] ? __pfx_kthread+0x10/0x10
[ 76.198039][ T5306] ret_from_fork+0x4b/0x80
[ 76.199726][ T5306] ? __pfx_kthread+0x10/0x10
[ 76.201474][ T5306] ret_from_fork_asm+0x1a/0x30
[ 76.203304][ T5306]
[ 76.231451][ T5321] loop0: detected capacity change from 0 to 512
[ 76.280475][ T5321] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[ 76.288863][ T1308] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.291278][ T1308] ieee802154 phy1 wpan1: encryption failed: -22
[ 76.294907][ T5321] ext4 filesystem being mounted at /0/control supports timestamps until 2038-01-19 (0x7fffffff)
[ 76.306008][ T5320]
[ 76.306930][ T5320] ======================================================
[ 76.309384][ T5320] WARNING: possible circular locking dependency detected
[ 76.311896][ T5320] 6.13.0-rc6-syzkaller-00051-geea6e4b4dfb8 #0 Tainted: G W
[ 76.314994][ T5320] ------------------------------------------------------
[ 76.317563][ T5320] syz.0.0/5320 is trying to acquire lock:
[ 76.319551][ T5320] ffff88803f476c20 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 76.322793][ T5320]
[ 76.322793][ T5320] but task is already holding lock:
[ 76.325465][ T5320] ffff88805293f258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 76.328929][ T5320]
[ 76.328929][ T5320] which lock already depends on the new lock.
[ 76.328929][ T5320]
[ 76.332671][ T5320]
[ 76.332671][ T5320] the existing dependency chain (in reverse order) is:
[ 76.335859][ T5320]
[ 76.335859][ T5320] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 76.338542][ T5320] lock_acquire+0x1ed/0x550
[ 76.340271][ T5320] lock_sock_nested+0x48/0x100
[ 76.342185][ T5320] bt_accept_dequeue+0xfa/0x570
[ 76.343976][ T5320] __sco_sock_close+0xd2/0x310
[ 76.345793][ T5320] sco_sock_release+0xb3/0x320
[ 76.348039][ T5320] sock_close+0xbc/0x240
[ 76.350057][ T5320] __fput+0x23c/0xa50
[ 76.351775][ T5320] task_work_run+0x24f/0x310
[ 76.353481][ T5320] syscall_exit_to_user_mode+0x13f/0x340
[ 76.355641][ T5320] do_syscall_64+0x100/0x230
[ 76.357411][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.359669][ T5320]
[ 76.359669][ T5320] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 76.362923][ T5320] lock_acquire+0x1ed/0x550
[ 76.364739][ T5320] lock_sock_nested+0x48/0x100
[ 76.366695][ T5320] sco_connect_cfm+0x439/0xae0
[ 76.368667][ T5320] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 76.370956][ T5320] hci_event_packet+0xac2/0x1540
[ 76.372942][ T5320] hci_rx_work+0x3f3/0xdb0
[ 76.374726][ T5320] process_scheduled_works+0xa66/0x1840
[ 76.376866][ T5320] worker_thread+0x870/0xd30
[ 76.378749][ T5320] kthread+0x2f0/0x390
[ 76.380484][ T5320] ret_from_fork+0x4b/0x80
[ 76.382285][ T5320] ret_from_fork_asm+0x1a/0x30
[ 76.384200][ T5320]
[ 76.384200][ T5320] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[ 76.386849][ T5320] validate_chain+0x18ef/0x5920
[ 76.388807][ T5320] __lock_acquire+0x1397/0x2100
[ 76.390783][ T5320] lock_acquire+0x1ed/0x550
[ 76.392629][ T5320] _raw_spin_lock+0x2e/0x40
[ 76.394386][ T5320] sco_chan_del+0x74/0x180
[ 76.396286][ T5320] __sco_sock_close+0x152/0x310
[ 76.398433][ T5320] sco_sock_release+0xb3/0x320
[ 76.400416][ T5320] sock_close+0xbc/0x240
[ 76.402227][ T5320] __fput+0x23c/0xa50
[ 76.403934][ T5320] task_work_run+0x24f/0x310
[ 76.405806][ T5320] syscall_exit_to_user_mode+0x13f/0x340
[ 76.408086][ T5320] do_syscall_64+0x100/0x230
[ 76.409984][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.412429][ T5320]
[ 76.412429][ T5320] other info that might help us debug this:
[ 76.412429][ T5320]
[ 76.416139][ T5320] Chain exists of:
[ 76.416139][ T5320] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 76.416139][ T5320]
[ 76.421563][ T5320] Possible unsafe locking scenario:
[ 76.421563][ T5320]
[ 76.424408][ T5320]        CPU0                    CPU1
[ 76.426519][ T5320]        ----                    ----
[ 76.428671][ T5320]   lock(sk_lock-AF_BLUETOOTH);
[ 76.430608][ T5320]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 76.433829][ T5320]                                lock(sk_lock-AF_BLUETOOTH);
[ 76.436672][ T5320]   lock(&conn->lock#2);
[ 76.438325][ T5320]
[ 76.438325][ T5320] *** DEADLOCK ***
[ 76.438325][ T5320]
[ 76.441392][ T5320] 3 locks held by syz.0.0/5320:
[ 76.443177][ T5320] #0: ffff888052c05408 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 76.447062][ T5320] #1: ffff888052936258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 76.451230][ T5320] #2: ffff88805293f258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 76.455051][ T5320]
[ 76.455051][ T5320] stack backtrace:
[ 76.457382][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Tainted: G W 6.13.0-rc6-syzkaller-00051-geea6e4b4dfb8 #0
[ 76.461983][ T5320] Tainted: [W]=WARN
[ 76.463522][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.467403][ T5320] Call Trace:
[ 76.468561][ T5320]
[ 76.469642][ T5320] dump_stack_lvl+0x241/0x360
[ 76.471351][ T5320] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.473222][ T5320] ? __pfx__printk+0x10/0x10
[ 76.474900][ T5320] print_circular_bug+0x13a/0x1b0
[ 76.476699][ T5320] check_noncircular+0x36a/0x4a0
[ 76.478499][ T5320] ? __pfx_check_noncircular+0x10/0x10
[ 76.480485][ T5320] ? lockdep_lock+0x123/0x2b0
[ 76.482362][ T5320] validate_chain+0x18ef/0x5920
[ 76.484322][ T5320] ? debug_object_assert_init+0x2dd/0x4b0
[ 76.486552][ T5320] ? do_raw_spin_unlock+0x58/0x8b0
[ 76.488578][ T5320] ? __pfx_validate_chain+0x10/0x10
[ 76.490605][ T5320] ? __pfx_stack_trace_save+0x10/0x10
[ 76.492726][ T5320] ? debug_object_assert_init+0x2dd/0x4b0
[ 76.495027][ T5320] ? __pfx_debug_object_assert_init+0x10/0x10
[ 76.497501][ T5320] ? mark_lock+0x9a/0x360
[ 76.499240][ T5320] __lock_acquire+0x1397/0x2100
[ 76.501147][ T5320] lock_acquire+0x1ed/0x550
[ 76.502995][ T5320] ? sco_chan_del+0x74/0x180
[ 76.504857][ T5320] ? __pfx_lock_acquire+0x10/0x10
[ 76.506775][ T5320] ? lockdep_hardirqs_on+0x99/0x150
[ 76.508881][ T5320] ? __cancel_work+0x2ee/0x390
[ 76.510762][ T5320] ? __pfx___cancel_work+0x10/0x10
[ 76.512808][ T5320] ? __sco_sock_close+0xe8/0x310
[ 76.514692][ T5320] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 76.516947][ T5320] ? __sco_sock_close+0xe8/0x310
[ 76.519011][ T5320] _raw_spin_lock+0x2e/0x40
[ 76.520871][ T5320] ? sco_chan_del+0x74/0x180
[ 76.522726][ T5320] sco_chan_del+0x74/0x180
[ 76.524538][ T5320] __sco_sock_close+0x152/0x310
[ 76.526491][ T5320] sco_sock_release+0xb3/0x320
[ 76.528401][ T5320] sock_close+0xbc/0x240
[ 76.530069][ T5320] ? __pfx_sock_close+0x10/0x10
[ 76.532002][ T5320] __fput+0x23c/0xa50
[ 76.533607][ T5320] task_work_run+0x24f/0x310
[ 76.535460][ T5320] ? _raw_spin_unlock+0x28/0x50
[ 76.537311][ T5320] ? __pfx_task_work_run+0x10/0x10
[ 76.539129][ T5320] ? syscall_exit_to_user_mode+0xa3/0x340
[ 76.541188][ T5320] syscall_exit_to_user_mode+0x13f/0x340
[ 76.543243][ T5320] do_syscall_64+0x100/0x230
[ 76.544922][ T5320] ? clear_bhb_loop+0x35/0x90
[ 76.546603][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.548780][ T5320] RIP: 0033:0x7f7459385d29
[ 76.550376][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 76.557777][ T5320] RSP: 002b:00007ffd003f0438 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 76.561030][ T5320] RAX: 0000000000000000 RBX: 0000000000012893 RCX: 00007f7459385d29
[ 76.564133][ T5320] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 76.567176][ T5320] RBP: 00007f7459577ba0 R08: 0000000000000001 R09: 00007ffd003f072f
[ 76.570293][ T5320] R10: 00007f74591ff02c R11: 0000000000000246 R12: 00000000000129b1
[ 76.573388][ T5320] R13: 00007f7459575fa0 R14: 0000000000000032 R15: ffffffffffffffff
[ 76.576383][ T5320]