program:
syz_emit_ethernet(0x81, &(0x7f0000000d80)={@link_local, @dev, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "f53a04", 0x4b, 0x3a, 0x0, @remote, @mcast2, {[], @param_prob={0x2, 0x0, 0x0, 0x500, {0x0, 0x6, "000100", 0x0, 0x0, 0x0, @private1={0xfc, 0x1, '\x00', 0x2}, @remote, [@hopopts={0x3a}], "df56d55afb0de3af04cfb8847c321f682afab7"}}}}}}}, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_IPV6_FLOWLABEL_MGR(r0, 0x29, 0x1b, &(0x7f0000000000)={@remote}, 0x20)
syz_emit_vhci(&(0x7f0000000e40)=ANY=[@ANYBLOB="0404"], 0xd)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000000), 0x8)
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000001140)={&(0x7f0000000780)=@newlink={0x3c, 0x10, 0x503, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @bond={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_BOND_PACKETS_PER_SLAVE={0x8, 0x14, 0xffffffff}]}}}]}, 0x3c}}, 0x0)
listen(r1, 0x0)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[   82.702985][ T4666] Bluetooth: hci0: command tx timeout
[   82.707374][ T1310] ieee802154 phy0 wpan0: encryption failed: -22
[   82.709738][ T1310] ieee802154 phy1 wpan1: encryption failed: -22
[   82.844563][ T5322] (unnamed net_device) (uninitialized): option packets_per_slave: invalid value (18446744073709551615)
[   82.848614][ T5322] (unnamed net_device) (uninitialized): option packets_per_slave: allowed values 0 - 65535
[   82.877350][ T5306] BUG: sleeping function called from invalid context at net/core/sock.c:3664
[   82.880814][ T5306] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5306, name: kworker/u5:2
[   82.884672][ T5306] preempt_count: 1, expected: 0
[   82.886628][ T5306] RCU nest depth: 0, expected: 0
[   82.888621][ T5306] 6 locks held by kworker/u5:2/5306:
[   82.890926][ T5306]  #0: ffff888043ac2148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x98b/0x18e0
[   82.895437][ T5306]  #1: ffffc9000d2ffc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0
[   82.899952][ T5306]  #2: ffff888051db8078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[   82.903978][ T5306]  #3: ffffffff9003b928 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[   82.907954][ T5306]  #4: ffff88803fb90420 (&conn->lock#3){+.+.}-{3:3}, at: sco_connect_cfm+0x293/0xc10
[   82.911740][ T5306]  #5: ffff888053193258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x456/0xc10
[   82.915929][ T5306] Preemption disabled at:
[   82.915939][ T5306] [<0000000000000000>] 0x0
[   82.919346][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Not tainted 6.14.0-rc7-syzkaller-00137-g5fc319360819 #0
[   82.919363][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   82.919372][ T5306] Workqueue: hci0 hci_rx_work
[   82.919390][ T5306] Call Trace:
[   82.919397][ T5306]  <TASK>
[   82.919403][ T5306]  dump_stack_lvl+0x241/0x360
[   82.919422][ T5306]  ? __pfx_dump_stack_lvl+0x10/0x10
[   82.919435][ T5306]  ? __pfx__printk+0x10/0x10
[   82.919455][ T5306]  __might_resched+0x5d4/0x780
[   82.919470][ T5306]  ? __pfx_lock_acquire+0x10/0x10
[   82.919489][ T5306]  ? __pfx___might_resched+0x10/0x10
[   82.919505][ T5306]  ? __pfx_lock_release+0x10/0x10
[   82.919519][ T5306]  ? do_raw_spin_lock+0x14f/0x370
[   82.919537][ T5306]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   82.919555][ T5306]  lock_sock_nested+0x5d/0x100
[   82.919572][ T5306]  sco_connect_cfm+0x456/0xc10
[   82.919589][ T5306]  ? __pfx___mutex_lock+0x10/0x10
[   82.919610][ T5306]  ? __pfx_sco_connect_cfm+0x10/0x10
[   82.919630][ T5306]  ? hci_conn_add_sysfs+0xfc/0x200
[   82.919644][ T5306]  ? __pfx_sco_connect_cfm+0x10/0x10
[   82.919658][ T5306]  hci_sync_conn_complete_evt+0x5ab/0xaa0
[   82.919678][ T5306]  hci_event_packet+0xac1/0x1540
[   82.919694][ T5306]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   82.919713][ T5306]  ? __pfx_hci_event_packet+0x10/0x10
[   82.919725][ T5306]  ? do_raw_spin_unlock+0x58/0x8b0
[   82.919739][ T5306]  ? kcov_remote_start+0x470/0x7d0
[   82.919754][ T5306]  ? insn_decode_mmio+0x2c0/0x580
[   82.919771][ T5306]  ? hci_send_to_monitor+0xdc/0x530
[   82.919787][ T5306]  hci_rx_work+0x3f3/0xdb0
[   82.919804][ T5306]  ? process_scheduled_works+0x9c6/0x18e0
[   82.919818][ T5306]  process_scheduled_works+0xabe/0x18e0
[   82.919850][ T5306]  ? __pfx_process_scheduled_works+0x10/0x10
[   82.919869][ T5306]  ? assign_work+0x364/0x3d0
[   82.919886][ T5306]  worker_thread+0x870/0xd30
[   82.919921][ T5306]  ? __kthread_parkme+0x169/0x1d0
[   82.919941][ T5306]  ? __pfx_worker_thread+0x10/0x10
[   82.919957][ T5306]  kthread+0x7a9/0x920
[   82.919971][ T5306]  ? __pfx_kthread+0x10/0x10
[   82.919987][ T5306]  ? __pfx_worker_thread+0x10/0x10
[   82.920001][ T5306]  ? __pfx_kthread+0x10/0x10
[   82.920014][ T5306]  ? __pfx_kthread+0x10/0x10
[   82.920030][ T5306]  ? __pfx_kthread+0x10/0x10
[   82.920044][ T5306]  ? _raw_spin_unlock_irq+0x23/0x50
[   82.920057][ T5306]  ? lockdep_hardirqs_on+0x99/0x150
[   82.920071][ T5306]  ? __pfx_kthread+0x10/0x10
[   82.920087][ T5306]  ret_from_fork+0x4b/0x80
[   82.920101][ T5306]  ? __pfx_kthread+0x10/0x10
[   82.920116][ T5306]  ret_from_fork_asm+0x1a/0x30
[   82.920142][ T5306]  </TASK>
[   83.026101][ T5321] 
[   83.027089][ T5321] ======================================================
[   83.029715][ T5321] WARNING: possible circular locking dependency detected
[   83.032384][ T5321] 6.14.0-rc7-syzkaller-00137-g5fc319360819 #0 Tainted: G        W         
[   83.035754][ T5321] ------------------------------------------------------
[   83.038404][ T5321] syz.0.0/5321 is trying to acquire lock:
[   83.040560][ T5321] ffff88803fb90420 (&conn->lock#3){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   83.043802][ T5321] 
[   83.043802][ T5321] but task is already holding lock:
[   83.046472][ T5321] ffff888051df0258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   83.049961][ T5321] 
[   83.049961][ T5321] which lock already depends on the new lock.
[   83.049961][ T5321] 
[   83.053863][ T5321] 
[   83.053863][ T5321] the existing dependency chain (in reverse order) is:
[   83.057250][ T5321] 
[   83.057250][ T5321] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   83.060280][ T5321]        lock_acquire+0x1ed/0x550
[   83.062247][ T5321]        lock_sock_nested+0x48/0x100
[   83.064162][ T5321]        bt_accept_dequeue+0xfa/0x570
[   83.066027][ T5321]        __sco_sock_close+0xd2/0x310
[   83.067965][ T5321]        sco_sock_release+0xb3/0x320
[   83.069986][ T5321]        sock_close+0xbc/0x240
[   83.072047][ T5321]        __fput+0x3e9/0x9f0
[   83.073804][ T5321]        task_work_run+0x24f/0x310
[   83.075808][ T5321]        syscall_exit_to_user_mode+0x13f/0x340
[   83.078139][ T5321]        do_syscall_64+0x100/0x230
[   83.080087][ T5321]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   83.082442][ T5321] 
[   83.082442][ T5321] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   83.085895][ T5321]        lock_acquire+0x1ed/0x550
[   83.087891][ T5321]        lock_sock_nested+0x48/0x100
[   83.089954][ T5321]        sco_connect_cfm+0x456/0xc10
[   83.092165][ T5321]        hci_sync_conn_complete_evt+0x5ab/0xaa0
[   83.094599][ T5321]        hci_event_packet+0xac1/0x1540
[   83.096664][ T5321]        hci_rx_work+0x3f3/0xdb0
[   83.098527][ T5321]        process_scheduled_works+0xabe/0x18e0
[   83.100998][ T5321]        worker_thread+0x870/0xd30
[   83.102944][ T5321]        kthread+0x7a9/0x920
[   83.104720][ T5321]        ret_from_fork+0x4b/0x80
[   83.106633][ T5321]        ret_from_fork_asm+0x1a/0x30
[   83.108562][ T5321] 
[   83.108562][ T5321] -> #0 (&conn->lock#3){+.+.}-{3:3}:
[   83.111335][ T5321]        validate_chain+0x18ef/0x5920
[   83.113382][ T5321]        __lock_acquire+0x1397/0x2100
[   83.115395][ T5321]        lock_acquire+0x1ed/0x550
[   83.117239][ T5321]        _raw_spin_lock+0x2e/0x40
[   83.119247][ T5321]        sco_chan_del+0x74/0x180
[   83.121176][ T5321]        __sco_sock_close+0x152/0x310
[   83.123247][ T5321]        sco_sock_release+0xb3/0x320
[   83.125331][ T5321]        sock_close+0xbc/0x240
[   83.127293][ T5321]        __fput+0x3e9/0x9f0
[   83.129102][ T5321]        task_work_run+0x24f/0x310
[   83.131167][ T5321]        syscall_exit_to_user_mode+0x13f/0x340
[   83.133616][ T5321]        do_syscall_64+0x100/0x230
[   83.135597][ T5321]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   83.138078][ T5321] 
[   83.138078][ T5321] other info that might help us debug this:
[   83.138078][ T5321] 
[   83.141924][ T5321] Chain exists of:
[   83.141924][ T5321]   &conn->lock#3 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   83.141924][ T5321] 
[   83.147495][ T5321]  Possible unsafe locking scenario:
[   83.147495][ T5321] 
[   83.150333][ T5321]        CPU0                    CPU1
[   83.152408][ T5321]        ----                    ----
[   83.154497][ T5321]   lock(sk_lock-AF_BLUETOOTH);
[   83.156386][ T5321]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   83.159641][ T5321]                                lock(sk_lock-AF_BLUETOOTH);
[   83.162508][ T5321]   lock(&conn->lock#3);
[   83.164147][ T5321] 
[   83.164147][ T5321]  *** DEADLOCK ***
[   83.164147][ T5321] 
[   83.167158][ T5321] 3 locks held by syz.0.0/5321:
[   83.168988][ T5321]  #0: ffff888044c71a08 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   83.172738][ T5321]  #1: ffff888053193258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   83.176647][ T5321]  #2: ffff888051df0258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   83.180286][ T5321] 
[   83.180286][ T5321] stack backtrace:
[   83.182519][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Tainted: G        W          6.14.0-rc7-syzkaller-00137-g5fc319360819 #0
[   83.182535][ T5321] Tainted: [W]=WARN
[   83.182538][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   83.182545][ T5321] Call Trace:
[   83.182550][ T5321]  <TASK>
[   83.182555][ T5321]  dump_stack_lvl+0x241/0x360
[   83.182569][ T5321]  ? __pfx_dump_stack_lvl+0x10/0x10
[   83.182579][ T5321]  ? __pfx__printk+0x10/0x10
[   83.182590][ T5321]  print_circular_bug+0x13a/0x1b0
[   83.182602][ T5321]  check_noncircular+0x36a/0x4a0
[   83.182613][ T5321]  ? __pfx_check_noncircular+0x10/0x10
[   83.182623][ T5321]  ? lockdep_lock+0x123/0x2b0
[   83.182637][ T5321]  validate_chain+0x18ef/0x5920
[   83.182649][ T5321]  ? do_raw_spin_lock+0x14f/0x370
[   83.182661][ T5321]  ? __pfx_validate_chain+0x10/0x10
[   83.182670][ T5321]  ? do_raw_spin_unlock+0x58/0x8b0
[   83.182682][ T5321]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   83.182699][ T5321]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   83.182710][ T5321]  ? __lock_acquire+0x1397/0x2100
[   83.182724][ T5321]  ? debug_object_assert_init+0x2dd/0x4b0
[   83.182776][ T5321]  ? __pfx_debug_object_assert_init+0x10/0x10
[   83.182791][ T5321]  ? mark_lock+0x9a/0x360
[   83.182800][ T5321]  __lock_acquire+0x1397/0x2100
[   83.182816][ T5321]  lock_acquire+0x1ed/0x550
[   83.182829][ T5321]  ? sco_chan_del+0x74/0x180
[   83.182843][ T5321]  ? __pfx_lock_acquire+0x10/0x10
[   83.182856][ T5321]  ? __cancel_work+0x24a/0x390
[   83.182870][ T5321]  ? lockdep_hardirqs_on+0x99/0x150
[   83.182883][ T5321]  ? __cancel_work+0x2ee/0x390
[   83.182896][ T5321]  ? __pfx___cancel_work+0x10/0x10
[   83.182913][ T5321]  ? __sco_sock_close+0xe8/0x310
[   83.182924][ T5321]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   83.182936][ T5321]  _raw_spin_lock+0x2e/0x40
[   83.182948][ T5321]  ? sco_chan_del+0x74/0x180
[   83.182959][ T5321]  sco_chan_del+0x74/0x180
[   83.182971][ T5321]  __sco_sock_close+0x152/0x310
[   83.182984][ T5321]  sco_sock_release+0xb3/0x320
[   83.182996][ T5321]  sock_close+0xbc/0x240
[   83.183009][ T5321]  ? __pfx_sock_close+0x10/0x10
[   83.183021][ T5321]  __fput+0x3e9/0x9f0
[   83.183036][ T5321]  task_work_run+0x24f/0x310
[   83.183046][ T5321]  ? _raw_spin_unlock+0x28/0x50
[   83.183058][ T5321]  ? __pfx_task_work_run+0x10/0x10
[   83.183068][ T5321]  ? syscall_exit_to_user_mode+0xa3/0x340
[   83.183081][ T5321]  syscall_exit_to_user_mode+0x13f/0x340
[   83.183096][ T5321]  do_syscall_64+0x100/0x230
[   83.183105][ T5321]  ? clear_bhb_loop+0x35/0x90
[   83.183118][ T5321]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   83.183131][ T5321] RIP: 0033:0x7f4af138d169
[   83.183141][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   83.183149][ T5321] RSP: 002b:00007ffe75609978 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   83.183159][ T5321] RAX: 0000000000000000 RBX: 00007f4af15a7ba0 RCX: 00007f4af138d169
[   83.183165][ T5321] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   83.183172][ T5321] RBP: 00007f4af15a7ba0 R08: 000000000000cd44 R09: 0000000a75609c6f
[   83.183178][ T5321] R10: 0000000000df3088 R11: 0000000000000246 R12: 0000000000014644
[   83.183183][ T5321] R13: 00007ffe75609a70 R14: ffffffffffffffff R15: 00007ffe75609a90
[   83.183194][ T5321]  </TASK>