program:
# Reproducer for the two kernel reports that follow (sleeping-in-atomic BUG and a
# lockdep circular-dependency WARNING in net/bluetooth/sco.c).
#
# Step 1: inject 0xd bytes through the virtual HCI device. Only the leading
# bytes "0404" are spelled out; presumably this brings up hci0 so that later
# events are processed — confirm against the VHCI packet format.
syz_emit_vhci(&(0x7f0000000e40)=ANY=[@ANYBLOB="0404"], 0xd)
# Step 2: create a BTPROTO_SCO socket, bind it and put it into listening state
# so that an incoming sync-connection event has a listener to match.
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000000), 0x8)
listen(r0, 0x0)
# Step 3: inject an HCI "Synchronous Connection Complete" event (0x2c). This is
# handled on the hci0 rx workqueue via hci_event_packet -> hci_sync_conn_complete_evt
# -> sco_connect_cfm. In the trace below sco_connect_cfm calls lock_sock_nested()
# (a sleeping lock) while still holding the &conn->lock spinlock it took at
# sco_connect_cfm+0x212, which triggers the "sleeping function called from
# invalid context" BUG. The second report shows the inverse order on the
# userspace side: __sco_sock_close -> sco_chan_del takes &conn->lock while
# sk_lock-AF_BLUETOOTH is already held, so lockdep reports
# &conn->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH as a
# possible deadlock between the HCI rx worker and socket release.
# NOTE(review): the exact lock-ordering fix (dropping conn->lock before
# lock_sock, or not taking sk_lock under it) is not shown here — inferred from
# the stack traces only.
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[   75.475699][ T4666] Bluetooth: hci0: command tx timeout
[   75.551404][ T4666] BUG: sleeping function called from invalid context at net/core/sock.c:3664
[   75.554919][ T4666] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4666, name: kworker/u5:1
[   75.558825][ T4666] preempt_count: 1, expected: 0
[   75.560673][ T4666] RCU nest depth: 0, expected: 0
[   75.562543][ T4666] 6 locks held by kworker/u5:1/4666:
[   75.564527][ T4666]  #0: ffff88803ee3f148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x990/0x18e0
[   75.569089][ T4666]  #1: ffffc9000e2bfc60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[   75.574020][ T4666]  #2: ffff8880518e0078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[   75.578627][ T4666]  #3: ffffffff90039aa8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[   75.583013][ T4666]  #4: ffff8880340c8a20 (&conn->lock#3){+.+.}-{3:3}, at: sco_connect_cfm+0x212/0xc30
[   75.586869][ T4666]  #5: ffff888044318258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x458/0xc30
[   75.591352][ T4666] Preemption disabled at:
[   75.591363][ T4666] [<0000000000000000>] 0x0
[   75.594867][ T4666] CPU: 0 UID: 0 PID: 4666 Comm: kworker/u5:1 Not tainted 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 PREEMPT(full) 
[   75.594886][ T4666] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.594895][ T4666] Workqueue: hci0 hci_rx_work
[   75.594910][ T4666] Call Trace:
[   75.594916][ T4666]  <TASK>
[   75.594921][ T4666]  dump_stack_lvl+0x241/0x360
[   75.594939][ T4666]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.594952][ T4666]  ? __pfx__printk+0x10/0x10
[   75.594970][ T4666]  __might_resched+0x558/0x6c0
[   75.594980][ T4666]  ? __lock_acquire+0xad5/0xd80
[   75.594996][ T4666]  ? __pfx___might_resched+0x10/0x10
[   75.595012][ T4666]  lock_sock_nested+0x5d/0x100
[   75.595026][ T4666]  sco_connect_cfm+0x458/0xc30
[   75.595043][ T4666]  ? __pfx_sco_connect_cfm+0x10/0x10
[   75.595056][ T4666]  ? hci_conn_add_sysfs+0xfc/0x200
[   75.595074][ T4666]  ? __pfx_sco_connect_cfm+0x10/0x10
[   75.595084][ T4666]  hci_sync_conn_complete_evt+0x5ab/0xaa0
[   75.595109][ T4666]  hci_event_packet+0xac9/0x1550
[   75.595122][ T4666]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   75.595137][ T4666]  ? __pfx_hci_event_packet+0x10/0x10
[   75.595150][ T4666]  ? kcov_remote_start+0x460/0x7d0
[   75.595165][ T4666]  ? lockdep_hardirqs_on+0x9d/0x150
[   75.595181][ T4666]  ? hci_send_to_monitor+0xdc/0x530
[   75.595195][ T4666]  hci_rx_work+0x3f3/0xdb0
[   75.595210][ T4666]  ? process_scheduled_works+0x9cb/0x18e0
[   75.595224][ T4666]  process_scheduled_works+0xac3/0x18e0
[   75.595250][ T4666]  ? __pfx_process_scheduled_works+0x10/0x10
[   75.595270][ T4666]  ? assign_work+0x367/0x3d0
[   75.595287][ T4666]  worker_thread+0x870/0xd30
[   75.595303][ T4666]  ? __kthread_parkme+0x169/0x1d0
[   75.595314][ T4666]  ? __pfx_worker_thread+0x10/0x10
[   75.595325][ T4666]  kthread+0x7a9/0x920
[   75.595337][ T4666]  ? __pfx_worker_thread+0x10/0x10
[   75.595347][ T4666]  ? __pfx_kthread+0x10/0x10
[   75.595358][ T4666]  ? __pfx_kthread+0x10/0x10
[   75.595369][ T4666]  ? __pfx_kthread+0x10/0x10
[   75.595380][ T4666]  ? __pfx_kthread+0x10/0x10
[   75.595391][ T4666]  ? _raw_spin_unlock_irq+0x23/0x50
[   75.595402][ T4666]  ? lockdep_hardirqs_on+0x9d/0x150
[   75.595414][ T4666]  ? __pfx_kthread+0x10/0x10
[   75.595426][ T4666]  ret_from_fork+0x4b/0x80
[   75.595435][ T4666]  ? __pfx_kthread+0x10/0x10
[   75.595446][ T4666]  ret_from_fork_asm+0x1a/0x30
[   75.595467][ T4666]  </TASK>
[   75.689413][ T5318] 
[   75.690368][ T5318] ======================================================
[   75.692890][ T5318] WARNING: possible circular locking dependency detected
[   75.695406][ T5318] 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 Tainted: G        W         
[   75.698401][ T5318] ------------------------------------------------------
[   75.700896][ T5318] syz.0.0/5318 is trying to acquire lock:
[   75.703106][ T5318] ffff8880340c8a20 (&conn->lock#3){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   75.706437][ T5318] 
[   75.706437][ T5318] but task is already holding lock:
[   75.709144][ T5318] ffff888044319258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   75.712748][ T5318] 
[   75.712748][ T5318] which lock already depends on the new lock.
[   75.712748][ T5318] 
[   75.716591][ T5318] 
[   75.716591][ T5318] the existing dependency chain (in reverse order) is:
[   75.720021][ T5318] 
[   75.720021][ T5318] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   75.723041][ T5318]        lock_acquire+0x116/0x2f0
[   75.724923][ T5318]        lock_sock_nested+0x48/0x100
[   75.727103][ T5318]        bt_accept_dequeue+0xfa/0x570
[   75.729236][ T5318]        __sco_sock_close+0xd2/0x310
[   75.731300][ T5318]        sco_sock_release+0xb3/0x320
[   75.733211][ T5318]        sock_close+0xbc/0x240
[   75.735203][ T5318]        __fput+0x3e9/0x9f0
[   75.736911][ T5318]        task_work_run+0x251/0x310
[   75.738861][ T5318]        syscall_exit_to_user_mode+0x13f/0x340
[   75.741025][ T5318]        do_syscall_64+0x100/0x230
[   75.742725][ T5318]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.745048][ T5318] 
[   75.745048][ T5318] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   75.748715][ T5318]        lock_acquire+0x116/0x2f0
[   75.750674][ T5318]        lock_sock_nested+0x48/0x100
[   75.752760][ T5318]        sco_connect_cfm+0x458/0xc30
[   75.754832][ T5318]        hci_sync_conn_complete_evt+0x5ab/0xaa0
[   75.757119][ T5318]        hci_event_packet+0xac9/0x1550
[   75.759106][ T5318]        hci_rx_work+0x3f3/0xdb0
[   75.760907][ T5318]        process_scheduled_works+0xac3/0x18e0
[   75.763187][ T5318]        worker_thread+0x870/0xd30
[   75.764980][ T5318]        kthread+0x7a9/0x920
[   75.766506][ T5318]        ret_from_fork+0x4b/0x80
[   75.768152][ T5318]        ret_from_fork_asm+0x1a/0x30
[   75.770069][ T5318] 
[   75.770069][ T5318] -> #0 (&conn->lock#3){+.+.}-{3:3}:
[   75.772850][ T5318]        validate_chain+0xa69/0x24e0
[   75.774616][ T5318]        __lock_acquire+0xad5/0xd80
[   75.776618][ T5318]        lock_acquire+0x116/0x2f0
[   75.778617][ T5318]        _raw_spin_lock+0x2e/0x40
[   75.780607][ T5318]        sco_chan_del+0x74/0x180
[   75.782568][ T5318]        __sco_sock_close+0x152/0x310
[   75.784660][ T5318]        sco_sock_release+0xb3/0x320
[   75.786770][ T5318]        sock_close+0xbc/0x240
[   75.788578][ T5318]        __fput+0x3e9/0x9f0
[   75.790203][ T5318]        task_work_run+0x251/0x310
[   75.792149][ T5318]        syscall_exit_to_user_mode+0x13f/0x340
[   75.794392][ T5318]        do_syscall_64+0x100/0x230
[   75.796281][ T5318]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.798553][ T5318] 
[   75.798553][ T5318] other info that might help us debug this:
[   75.798553][ T5318] 
[   75.801971][ T5318] Chain exists of:
[   75.801971][ T5318]   &conn->lock#3 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   75.801971][ T5318] 
[   75.807265][ T5318]  Possible unsafe locking scenario:
[   75.807265][ T5318] 
[   75.810254][ T5318]        CPU0                    CPU1
[   75.812443][ T5318]        ----                    ----
[   75.814575][ T5318]   lock(sk_lock-AF_BLUETOOTH);
[   75.816589][ T5318]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   75.819698][ T5318]                                lock(sk_lock-AF_BLUETOOTH);
[   75.822112][ T5318]   lock(&conn->lock#3);
[   75.823868][ T5318] 
[   75.823868][ T5318]  *** DEADLOCK ***
[   75.823868][ T5318] 
[   75.826717][ T5318] 3 locks held by syz.0.0/5318:
[   75.828527][ T5318]  #0: ffff888045922008 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   75.832386][ T5318]  #1: ffff888044318258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   75.836379][ T5318]  #2: ffff888044319258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   75.840291][ T5318] 
[   75.840291][ T5318] stack backtrace:
[   75.842642][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Tainted: G        W          6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 PREEMPT(full) 
[   75.842660][ T5318] Tainted: [W]=WARN
[   75.842663][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.842670][ T5318] Call Trace:
[   75.842676][ T5318]  <TASK>
[   75.842681][ T5318]  dump_stack_lvl+0x241/0x360
[   75.842697][ T5318]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.842709][ T5318]  ? __pfx__printk+0x10/0x10
[   75.842721][ T5318]  ? print_lock+0x171/0x1a0
[   75.842736][ T5318]  print_circular_bug+0x2e1/0x300
[   75.842770][ T5318]  check_noncircular+0x142/0x160
[   75.842781][ T5318]  validate_chain+0xa69/0x24e0
[   75.842790][ T5318]  ? rcu_is_watching+0x15/0xb0
[   75.842799][ T5318]  ? work_grab_pending+0x4d6/0xb00
[   75.842812][ T5318]  __lock_acquire+0xad5/0xd80
[   75.842826][ T5318]  lock_acquire+0x116/0x2f0
[   75.842837][ T5318]  ? sco_chan_del+0x74/0x180
[   75.842848][ T5318]  ? __pfx___cancel_work+0x10/0x10
[   75.842856][ T5318]  ? __sco_sock_close+0xe8/0x310
[   75.842866][ T5318]  _raw_spin_lock+0x2e/0x40
[   75.842877][ T5318]  ? sco_chan_del+0x74/0x180
[   75.842887][ T5318]  sco_chan_del+0x74/0x180
[   75.842897][ T5318]  __sco_sock_close+0x152/0x310
[   75.842908][ T5318]  sco_sock_release+0xb3/0x320
[   75.842918][ T5318]  sock_close+0xbc/0x240
[   75.842929][ T5318]  ? __pfx_sock_close+0x10/0x10
[   75.842938][ T5318]  __fput+0x3e9/0x9f0
[   75.842950][ T5318]  task_work_run+0x251/0x310
[   75.842958][ T5318]  ? _raw_spin_unlock+0x28/0x50
[   75.842966][ T5318]  ? __pfx_task_work_run+0x10/0x10
[   75.842974][ T5318]  ? syscall_exit_to_user_mode+0xa3/0x340
[   75.842982][ T5318]  syscall_exit_to_user_mode+0x13f/0x340
[   75.842991][ T5318]  do_syscall_64+0x100/0x230
[   75.843000][ T5318]  ? clear_bhb_loop+0x45/0xa0
[   75.843007][ T5318]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.843013][ T5318] RIP: 0033:0x7f8bf898d169
[   75.843022][ T5318] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   75.843027][ T5318] RSP: 002b:00007ffc35178208 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   75.843037][ T5318] RAX: 0000000000000000 RBX: 0000000000012678 RCX: 00007f8bf898d169
[   75.843043][ T5318] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   75.843049][ T5318] RBP: 00007f8bf8ba7ba0 R08: 0000000000000001 R09: 00000005351784ff
[   75.843054][ T5318] R10: 00007f8bf87ff030 R11: 0000000000000246 R12: 00007f8bf8ba5fac
[   75.843060][ T5318] R13: 00007f8bf8ba5fa0 R14: ffffffffffffffff R15: 00007ffc35178320
[   75.843069][ T5318]  </TASK>