program:
syz_emit_vhci(&(0x7f0000000e40)=ANY=[@ANYBLOB="0404"], 0xd)
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000000), 0x8)
listen(r0, 0x0)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[ 72.434765][ T5307] Bluetooth: hci0: command tx timeout
[ 72.504778][ T5307] BUG: sleeping function called from invalid context at net/core/sock.c:3664
[ 72.508220][ T5307] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5307, name: kworker/u5:2
[ 72.511730][ T5307] preempt_count: 1, expected: 0
[ 72.513714][ T5307] RCU nest depth: 0, expected: 0
[ 72.515815][ T5307] 6 locks held by kworker/u5:2/5307:
[ 72.517857][ T5307] #0: ffff888040de1148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x990/0x18e0
[ 72.522197][ T5307] #1: ffffc9000d3a7c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[ 72.526707][ T5307] #2: ffff8880442a4078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[ 72.530675][ T5307] #3: ffffffff90039aa8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[ 72.534875][ T5307] #4: ffff88804256b220 (&conn->lock#3){+.+.}-{3:3}, at: sco_connect_cfm+0x212/0xc30
[ 72.538592][ T5307] #5: ffff8880127ce258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x458/0xc30
[ 72.542878][ T5307] Preemption disabled at:
[ 72.542888][ T5307] [<0000000000000000>] 0x0
[ 72.546359][ T5307] CPU: 0 UID: 0 PID: 5307 Comm: kworker/u5:2 Not tainted 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 PREEMPT(full)
[ 72.546374][ T5307] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 72.546382][ T5307] Workqueue: hci0 hci_rx_work
[ 72.546396][ T5307] Call Trace:
[ 72.546400][ T5307]
[ 72.546406][ T5307] dump_stack_lvl+0x241/0x360
[ 72.546423][ T5307] ? __pfx_dump_stack_lvl+0x10/0x10
[ 72.546438][ T5307] ? __pfx__printk+0x10/0x10
[ 72.546456][ T5307] __might_resched+0x558/0x6c0
[ 72.546466][ T5307] ? __lock_acquire+0xad5/0xd80
[ 72.546485][ T5307] ? __pfx___might_resched+0x10/0x10
[ 72.546502][ T5307] lock_sock_nested+0x5d/0x100
[ 72.546516][ T5307] sco_connect_cfm+0x458/0xc30
[ 72.546532][ T5307] ? __pfx_sco_connect_cfm+0x10/0x10
[ 72.546546][ T5307] ? hci_conn_add_sysfs+0xfc/0x200
[ 72.546571][ T5307] ? __pfx_sco_connect_cfm+0x10/0x10
[ 72.546583][ T5307] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 72.546598][ T5307] hci_event_packet+0xac9/0x1550
[ 72.546609][ T5307] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 72.546622][ T5307] ? __pfx_hci_event_packet+0x10/0x10
[ 72.546634][ T5307] ? kcov_remote_start+0x460/0x7d0
[ 72.546645][ T5307] ? lockdep_hardirqs_on+0x9d/0x150
[ 72.546662][ T5307] ? hci_send_to_monitor+0xdc/0x530
[ 72.546677][ T5307] hci_rx_work+0x3f3/0xdb0
[ 72.546693][ T5307] ? process_scheduled_works+0x9cb/0x18e0
[ 72.546710][ T5307] process_scheduled_works+0xac3/0x18e0
[ 72.546733][ T5307] ? __pfx_process_scheduled_works+0x10/0x10
[ 72.546751][ T5307] ? assign_work+0x367/0x3d0
[ 72.546768][ T5307] worker_thread+0x870/0xd30
[ 72.546784][ T5307] ? __kthread_parkme+0x169/0x1d0
[ 72.546797][ T5307] ? __pfx_worker_thread+0x10/0x10
[ 72.546806][ T5307] kthread+0x7a9/0x920
[ 72.546820][ T5307] ? __pfx_worker_thread+0x10/0x10
[ 72.546830][ T5307] ? __pfx_kthread+0x10/0x10
[ 72.546839][ T5307] ? __pfx_kthread+0x10/0x10
[ 72.546849][ T5307] ? __pfx_kthread+0x10/0x10
[ 72.546860][ T5307] ? __pfx_kthread+0x10/0x10
[ 72.546872][ T5307] ? _raw_spin_unlock_irq+0x23/0x50
[ 72.546883][ T5307] ? lockdep_hardirqs_on+0x9d/0x150
[ 72.546896][ T5307] ? __pfx_kthread+0x10/0x10
[ 72.546907][ T5307] ret_from_fork+0x4b/0x80
[ 72.546915][ T5307] ? __pfx_kthread+0x10/0x10
[ 72.546925][ T5307] ret_from_fork_asm+0x1a/0x30
[ 72.546946][ T5307]
[ 72.666394][ T5322]
[ 72.667342][ T5322] ======================================================
[ 72.669994][ T5322] WARNING: possible circular locking dependency detected
[ 72.672732][ T5322] 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 Tainted: G W
[ 72.676061][ T5322] ------------------------------------------------------
[ 72.678665][ T5322] syz.0.0/5322 is trying to acquire lock:
[ 72.680815][ T5322] ffff88804256b220 (&conn->lock#3){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 72.684149][ T5322]
[ 72.684149][ T5322] but task is already holding lock:
[ 72.686814][ T5322] ffff8880436f0258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 72.690291][ T5322]
[ 72.690291][ T5322] which lock already depends on the new lock.
[ 72.690291][ T5322]
[ 72.694531][ T5322]
[ 72.694531][ T5322] the existing dependency chain (in reverse order) is:
[ 72.698669][ T5322]
[ 72.698669][ T5322] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 72.701861][ T5322] lock_acquire+0x116/0x2f0
[ 72.703871][ T5322] lock_sock_nested+0x48/0x100
[ 72.705899][ T5322] bt_accept_dequeue+0xfa/0x570
[ 72.707772][ T5322] __sco_sock_close+0xd2/0x310
[ 72.709742][ T5322] sco_sock_release+0xb3/0x320
[ 72.711822][ T5322] sock_close+0xbc/0x240
[ 72.713702][ T5322] __fput+0x3e9/0x9f0
[ 72.715395][ T5322] task_work_run+0x251/0x310
[ 72.717230][ T5322] syscall_exit_to_user_mode+0x13f/0x340
[ 72.719556][ T5322] do_syscall_64+0x100/0x230
[ 72.721504][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.724066][ T5322]
[ 72.724066][ T5322] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 72.727370][ T5322] lock_acquire+0x116/0x2f0
[ 72.729316][ T5322] lock_sock_nested+0x48/0x100
[ 72.731367][ T5322] sco_connect_cfm+0x458/0xc30
[ 72.733392][ T5322] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 72.735941][ T5322] hci_event_packet+0xac9/0x1550
[ 72.738103][ T5322] hci_rx_work+0x3f3/0xdb0
[ 72.739992][ T5322] process_scheduled_works+0xac3/0x18e0
[ 72.742345][ T5322] worker_thread+0x870/0xd30
[ 72.744448][ T5322] kthread+0x7a9/0x920
[ 72.746353][ T5322] ret_from_fork+0x4b/0x80
[ 72.748231][ T5322] ret_from_fork_asm+0x1a/0x30
[ 72.750240][ T5322]
[ 72.750240][ T5322] -> #0 (&conn->lock#3){+.+.}-{3:3}:
[ 72.752846][ T5322] validate_chain+0xa69/0x24e0
[ 72.754868][ T5322] __lock_acquire+0xad5/0xd80
[ 72.757128][ T5322] lock_acquire+0x116/0x2f0
[ 72.759114][ T5322] _raw_spin_lock+0x2e/0x40
[ 72.760966][ T5322] sco_chan_del+0x74/0x180
[ 72.762795][ T5322] __sco_sock_close+0x152/0x310
[ 72.764767][ T5322] sco_sock_release+0xb3/0x320
[ 72.766837][ T5322] sock_close+0xbc/0x240
[ 72.768802][ T5322] __fput+0x3e9/0x9f0
[ 72.770568][ T5322] task_work_run+0x251/0x310
[ 72.772449][ T5322] syscall_exit_to_user_mode+0x13f/0x340
[ 72.774750][ T5322] do_syscall_64+0x100/0x230
[ 72.776679][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.779122][ T5322]
[ 72.779122][ T5322] other info that might help us debug this:
[ 72.779122][ T5322]
[ 72.782773][ T5322] Chain exists of:
[ 72.782773][ T5322] &conn->lock#3 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 72.782773][ T5322]
[ 72.788114][ T5322] Possible unsafe locking scenario:
[ 72.788114][ T5322]
[ 72.790826][ T5322] CPU0 CPU1
[ 72.792838][ T5322] ---- ----
[ 72.794739][ T5322] lock(sk_lock-AF_BLUETOOTH);
[ 72.796429][ T5322] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 72.799463][ T5322] lock(sk_lock-AF_BLUETOOTH);
[ 72.802299][ T5322] lock(&conn->lock#3);
[ 72.803908][ T5322]
[ 72.803908][ T5322] *** DEADLOCK ***
[ 72.803908][ T5322]
[ 72.806926][ T5322] 3 locks held by syz.0.0/5322:
[ 72.808823][ T5322] #0: ffff888045864808 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 72.812728][ T5322] #1: ffff8880127ce258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 72.816822][ T5322] #2: ffff8880436f0258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 72.820631][ T5322]
[ 72.820631][ T5322] stack backtrace:
[ 72.822690][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Tainted: G W 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 PREEMPT(full)
[ 72.822706][ T5322] Tainted: [W]=WARN
[ 72.822709][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 72.822716][ T5322] Call Trace:
[ 72.822722][ T5322]
[ 72.822728][ T5322] dump_stack_lvl+0x241/0x360
[ 72.822743][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10
[ 72.822752][ T5322] ? __pfx__printk+0x10/0x10
[ 72.822759][ T5322] ? print_lock+0x171/0x1a0
[ 72.822770][ T5322] print_circular_bug+0x2e1/0x300
[ 72.822778][ T5322] check_noncircular+0x142/0x160
[ 72.822784][ T5322] validate_chain+0xa69/0x24e0
[ 72.822791][ T5322] ? rcu_is_watching+0x15/0xb0
[ 72.822797][ T5322] ? work_grab_pending+0x4d6/0xb00
[ 72.822805][ T5322] __lock_acquire+0xad5/0xd80
[ 72.822816][ T5322] lock_acquire+0x116/0x2f0
[ 72.822828][ T5322] ? sco_chan_del+0x74/0x180
[ 72.822839][ T5322] ? __pfx___cancel_work+0x10/0x10
[ 72.822849][ T5322] ? __sco_sock_close+0xe8/0x310
[ 72.822860][ T5322] _raw_spin_lock+0x2e/0x40
[ 72.822871][ T5322] ? sco_chan_del+0x74/0x180
[ 72.822881][ T5322] sco_chan_del+0x74/0x180
[ 72.822891][ T5322] __sco_sock_close+0x152/0x310
[ 72.822901][ T5322] sco_sock_release+0xb3/0x320
[ 72.822908][ T5322] sock_close+0xbc/0x240
[ 72.822914][ T5322] ? __pfx_sock_close+0x10/0x10
[ 72.822923][ T5322] __fput+0x3e9/0x9f0
[ 72.822938][ T5322] task_work_run+0x251/0x310
[ 72.822950][ T5322] ? _raw_spin_unlock+0x28/0x50
[ 72.822961][ T5322] ? __pfx_task_work_run+0x10/0x10
[ 72.822974][ T5322] ? syscall_exit_to_user_mode+0xa3/0x340
[ 72.822988][ T5322] syscall_exit_to_user_mode+0x13f/0x340
[ 72.823000][ T5322] do_syscall_64+0x100/0x230
[ 72.823014][ T5322] ? clear_bhb_loop+0x45/0xa0
[ 72.823024][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 72.823033][ T5322] RIP: 0033:0x7f208b18d169
[ 72.823044][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 72.823052][ T5322] RSP: 002b:00007ffd4a4f11e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 72.823063][ T5322] RAX: 0000000000000000 RBX: 0000000000011a9a RCX: 00007f208b18d169
[ 72.823070][ T5322] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 72.823076][ T5322] RBP: 00007f208b3a7ba0 R08: 0000000000000001 R09: 000000054a4f14df
[ 72.823083][ T5322] R10: 00007f208afff038 R11: 0000000000000246 R12: 00007f208b3a5fac
[ 72.823090][ T5322] R13: 00007f208b3a5fa0 R14: ffffffffffffffff R15: 00007ffd4a4f1300
[ 72.823100][ T5322]