program:
# Reproducer for the two reports below: one listening SCO socket plus two HCI
# events injected through the virtual HCI driver (syz_emit_vhci).
# Open an AF_BLUETOOTH (0x1f) SOCK_SEQPACKET (0x5) BTPROTO_SCO (0x2) socket.
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# Bind it to the 8-byte address stored at 0x200, then put it into listening
# state (backlog 0) so incoming SCO connections are queued on it.
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
# First injected packet: a 2-byte raw blob 0x04 0x04 handed in with length 0xd.
# The leading 0x04 matches the HCI_EVENT_PKT type used explicitly on the next
# line; presumably the second 0x04 is the HCI_EV_CONN_REQUEST event code --
# confirm against the hci_event dispatch table.
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
# Second injected packet: HCI_EVENT_PKT carrying hci_ev_sync_conn_complete
# (event 0x2c, 17-byte payload). Per the trace this is processed on the hci0
# workqueue: hci_rx_work -> hci_event_packet -> hci_sync_conn_complete_evt ->
# sco_connect_cfm, which calls lock_sock_nested() (may sleep) while the
# &conn->lock spinlock taken at sco_connect_cfm+0x262 is still held -- the
# "sleeping function called from invalid context" report. The later lockdep
# report shows the reverse order on socket close: __sco_sock_close -> sco_chan_del
# takes &conn->lock while sk_lock is already held, closing the dependency cycle.
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
[ 68.752989][ T48] Bluetooth: hci0: command tx timeout
[ 68.809022][ T48] BUG: sleeping function called from invalid context at net/core/sock.c:3624
[ 68.816006][ T48] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 48, name: kworker/u5:0
[ 68.819870][ T48] preempt_count: 1, expected: 0
[ 68.821592][ T48] RCU nest depth: 0, expected: 0
[ 68.823270][ T48] 5 locks held by kworker/u5:0/48:
[ 68.824851][ T48] #0: ffff888012542148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[ 68.828951][ T48] #1: ffffc90000637d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[ 68.833394][ T48] #2: ffff888043484078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[ 68.837875][ T48] #3: ffff8880405f7820 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[ 68.841701][ T48] #4: ffff888043d1c258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[ 68.846313][ T48] Preemption disabled at:
[ 68.846326][ T48] [<0000000000000000>] 0x0
[ 68.849688][ T48] CPU: 0 UID: 0 PID: 48 Comm: kworker/u5:0 Not tainted 6.13.0-rc3-syzkaller-00044-gaef25be35d23 #0
[ 68.853610][ T48] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.857286][ T48] Workqueue: hci0 hci_rx_work
[ 68.859000][ T48] Call Trace:
[ 68.860265][ T48]
[ 68.861395][ T48] dump_stack_lvl+0x241/0x360
[ 68.863153][ T48] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.865101][ T48] ? __pfx__printk+0x10/0x10
[ 68.866744][ T48] __might_resched+0x5d4/0x780
[ 68.868466][ T48] ? __pfx_lock_acquire+0x10/0x10
[ 68.871169][ T48] ? __pfx___might_resched+0x10/0x10
[ 68.873277][ T48] ? __pfx_lock_release+0x10/0x10
[ 68.875159][ T48] ? do_raw_spin_lock+0x14f/0x370
[ 68.877128][ T48] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 68.879106][ T48] lock_sock_nested+0x5d/0x100
[ 68.881189][ T48] sco_connect_cfm+0x439/0xae0
[ 68.883233][ T48] ? hci_cb_lookup+0x1b3/0x3c0
[ 68.885251][ T48] ? __pfx_sco_connect_cfm+0x10/0x10
[ 68.887382][ T48] ? hci_cb_lookup+0x3a0/0x3c0
[ 68.889191][ T48] ? __pfx_sco_connect_cfm+0x10/0x10
[ 68.891138][ T48] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 68.893234][ T48] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 68.895510][ T48] ? skb_pull_data+0x112/0x230
[ 68.897373][ T48] hci_event_packet+0xac2/0x1540
[ 68.899359][ T48] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 68.901692][ T48] ? __pfx_hci_event_packet+0x10/0x10
[ 68.903698][ T48] ? do_raw_spin_unlock+0x58/0x8b0
[ 68.905679][ T48] ? hci_send_to_monitor+0xd8/0x7f0
[ 68.907947][ T48] ? kcov_remote_start+0x97/0x7d0
[ 68.910516][ T48] hci_rx_work+0x3f3/0xdb0
[ 68.912191][ T48] ? process_scheduled_works+0x976/0x1840
[ 68.914271][ T48] process_scheduled_works+0xa66/0x1840
[ 68.916259][ T48] ? __pfx_process_scheduled_works+0x10/0x10
[ 68.918538][ T48] ? assign_work+0x364/0x3d0
[ 68.920278][ T48] worker_thread+0x870/0xd30
[ 68.921933][ T48] ? __kthread_parkme+0x169/0x1d0
[ 68.923766][ T48] ? __pfx_worker_thread+0x10/0x10
[ 68.925671][ T48] kthread+0x2f0/0x390
[ 68.927098][ T48] ? __pfx_worker_thread+0x10/0x10
[ 68.928967][ T48] ? __pfx_kthread+0x10/0x10
[ 68.930759][ T48] ret_from_fork+0x4b/0x80
[ 68.932315][ T48] ? __pfx_kthread+0x10/0x10
[ 68.933861][ T48] ret_from_fork_asm+0x1a/0x30
[ 68.935572][ T48]
[ 68.948065][ T5315]
[ 68.949081][ T5315] ======================================================
[ 68.951838][ T5315] WARNING: possible circular locking dependency detected
[ 68.954502][ T5315] 6.13.0-rc3-syzkaller-00044-gaef25be35d23 #0 Tainted: G W
[ 68.957741][ T5315] ------------------------------------------------------
[ 68.960295][ T5315] syz.0.0/5315 is trying to acquire lock:
[ 68.962464][ T5315] ffff8880405f7820 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 68.965744][ T5315]
[ 68.965744][ T5315] but task is already holding lock:
[ 68.968469][ T5315] ffff88805306d258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 68.972269][ T5315]
[ 68.972269][ T5315] which lock already depends on the new lock.
[ 68.972269][ T5315]
[ 68.976130][ T5315]
[ 68.976130][ T5315] the existing dependency chain (in reverse order) is:
[ 68.979408][ T5315]
[ 68.979408][ T5315] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 68.982305][ T5315] lock_acquire+0x1ed/0x550
[ 68.984196][ T5315] lock_sock_nested+0x48/0x100
[ 68.985984][ T5315] bt_accept_dequeue+0xfa/0x570
[ 68.988104][ T5315] __sco_sock_close+0xd2/0x310
[ 68.990157][ T5315] sco_sock_release+0xb3/0x320
[ 68.992076][ T5315] sock_close+0xbc/0x240
[ 68.993804][ T5315] __fput+0x23c/0xa50
[ 68.995218][ T5315] task_work_run+0x24f/0x310
[ 68.996923][ T5315] syscall_exit_to_user_mode+0x13f/0x340
[ 68.998982][ T5315] do_syscall_64+0x100/0x230
[ 69.000913][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.003208][ T5315]
[ 69.003208][ T5315] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 69.006359][ T5315] lock_acquire+0x1ed/0x550
[ 69.008078][ T5315] lock_sock_nested+0x48/0x100
[ 69.009924][ T5315] sco_connect_cfm+0x439/0xae0
[ 69.011872][ T5315] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 69.014153][ T5315] hci_event_packet+0xac2/0x1540
[ 69.016064][ T5315] hci_rx_work+0x3f3/0xdb0
[ 69.017486][ T5315] process_scheduled_works+0xa66/0x1840
[ 69.019667][ T5315] worker_thread+0x870/0xd30
[ 69.021563][ T5315] kthread+0x2f0/0x390
[ 69.023287][ T5315] ret_from_fork+0x4b/0x80
[ 69.025217][ T5315] ret_from_fork_asm+0x1a/0x30
[ 69.027257][ T5315]
[ 69.027257][ T5315] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[ 69.029940][ T5315] validate_chain+0x18ef/0x5920
[ 69.031877][ T5315] __lock_acquire+0x1397/0x2100
[ 69.033772][ T5315] lock_acquire+0x1ed/0x550
[ 69.035574][ T5315] _raw_spin_lock+0x2e/0x40
[ 69.037369][ T5315] sco_chan_del+0x74/0x180
[ 69.039110][ T5315] __sco_sock_close+0x152/0x310
[ 69.040897][ T5315] sco_sock_release+0xb3/0x320
[ 69.042787][ T5315] sock_close+0xbc/0x240
[ 69.044455][ T5315] __fput+0x23c/0xa50
[ 69.046129][ T5315] task_work_run+0x24f/0x310
[ 69.048003][ T5315] syscall_exit_to_user_mode+0x13f/0x340
[ 69.050450][ T5315] do_syscall_64+0x100/0x230
[ 69.052253][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.054600][ T5315]
[ 69.054600][ T5315] other info that might help us debug this:
[ 69.054600][ T5315]
[ 69.058220][ T5315] Chain exists of:
[ 69.058220][ T5315] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 69.058220][ T5315]
[ 69.063695][ T5315] Possible unsafe locking scenario:
[ 69.063695][ T5315]
[ 69.065838][ T5315]        CPU0                    CPU1
[ 69.067400][ T5315]        ----                    ----
[ 69.069262][ T5315]   lock(sk_lock-AF_BLUETOOTH);
[ 69.070973][ T5315]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 69.074014][ T5315]                                lock(sk_lock-AF_BLUETOOTH);
[ 69.076622][ T5315]   lock(&conn->lock#2);
[ 69.078237][ T5315]
[ 69.078237][ T5315] *** DEADLOCK ***
[ 69.078237][ T5315]
[ 69.081246][ T5315] 3 locks held by syz.0.0/5315:
[ 69.083063][ T5315] #0: ffff888045484208 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 69.086884][ T5315] #1: ffff888043d1c258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 69.090789][ T5315] #2: ffff88805306d258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 69.094474][ T5315]
[ 69.094474][ T5315] stack backtrace:
[ 69.096700][ T5315] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Tainted: G W 6.13.0-rc3-syzkaller-00044-gaef25be35d23 #0
[ 69.101230][ T5315] Tainted: [W]=WARN
[ 69.102709][ T5315] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.106710][ T5315] Call Trace:
[ 69.107948][ T5315]
[ 69.109064][ T5315] dump_stack_lvl+0x241/0x360
[ 69.110847][ T5315] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.112867][ T5315] ? __pfx__printk+0x10/0x10
[ 69.114525][ T5315] print_circular_bug+0x13a/0x1b0
[ 69.116324][ T5315] check_noncircular+0x36a/0x4a0
[ 69.118161][ T5315] ? __pfx_check_noncircular+0x10/0x10
[ 69.120187][ T5315] ? lockdep_lock+0x123/0x2b0
[ 69.122046][ T5315] validate_chain+0x18ef/0x5920
[ 69.123982][ T5315] ? debug_object_assert_init+0x2dd/0x4b0
[ 69.126134][ T5315] ? do_raw_spin_unlock+0x58/0x8b0
[ 69.127984][ T5315] ? __pfx_validate_chain+0x10/0x10
[ 69.129931][ T5315] ? __pfx_stack_trace_save+0x10/0x10
[ 69.131822][ T5315] ? debug_object_assert_init+0x2dd/0x4b0
[ 69.133884][ T5315] ? __pfx_debug_object_assert_init+0x10/0x10
[ 69.136111][ T5315] ? mark_lock+0x9a/0x360
[ 69.137763][ T5315] __lock_acquire+0x1397/0x2100
[ 69.139609][ T5315] lock_acquire+0x1ed/0x550
[ 69.141318][ T5315] ? sco_chan_del+0x74/0x180
[ 69.143136][ T5315] ? __pfx_lock_acquire+0x10/0x10
[ 69.145135][ T5315] ? lockdep_hardirqs_on+0x99/0x150
[ 69.147081][ T5315] ? __cancel_work+0x2ee/0x390
[ 69.148840][ T5315] ? __pfx___cancel_work+0x10/0x10
[ 69.150729][ T5315] ? __sco_sock_close+0xe8/0x310
[ 69.152723][ T5315] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 69.154963][ T5315] ? __sco_sock_close+0xe8/0x310
[ 69.156841][ T5315] _raw_spin_lock+0x2e/0x40
[ 69.158514][ T5315] ? sco_chan_del+0x74/0x180
[ 69.160029][ T5315] sco_chan_del+0x74/0x180
[ 69.161667][ T5315] __sco_sock_close+0x152/0x310
[ 69.163350][ T5315] sco_sock_release+0xb3/0x320
[ 69.165131][ T5315] sock_close+0xbc/0x240
[ 69.166581][ T5315] ? __pfx_sock_close+0x10/0x10
[ 69.168273][ T5315] __fput+0x23c/0xa50
[ 69.169878][ T5315] task_work_run+0x24f/0x310
[ 69.171520][ T5315] ? _raw_spin_unlock+0x28/0x50
[ 69.173282][ T5315] ? __pfx_task_work_run+0x10/0x10
[ 69.175116][ T5315] ? syscall_exit_to_user_mode+0xa3/0x340
[ 69.177127][ T5315] syscall_exit_to_user_mode+0x13f/0x340
[ 69.179149][ T5315] do_syscall_64+0x100/0x230
[ 69.180887][ T5315] ? clear_bhb_loop+0x35/0x90
[ 69.182680][ T5315] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.184973][ T5315] RIP: 0033:0x7f10c6585d29
[ 69.186766][ T5315] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.193716][ T5315] RSP: 002b:00007ffd0da27b48 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 69.196641][ T5315] RAX: 0000000000000000 RBX: 0000000000010c20 RCX: 00007f10c6585d29
[ 69.199371][ T5315] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 69.202271][ T5315] RBP: 00007f10c6777ba0 R08: 0000000000000001 R09: 00007ffd0da27e3f
[ 69.205229][ T5315] R10: 00007f10c63ff030 R11: 0000000000000246 R12: 0000000000010cf6
[ 69.208063][ T5315] R13: 00007f10c6775fa0 R14: 0000000000000032 R15: ffffffffffffffff
[ 69.210980][ T5315]