program:
# syzkaller reproducer (syzlang). Each non-comment line is one syscall; rN names
# the fd returned by that call and &(0x7f...) is an offset into the fuzzer's
# shared data mapping. The kernel log that follows is what this program produced.
#
# What it hits (everything below is taken from that log):
#  1. "BUG: sleeping function called from invalid context" in the hci_rx_work
#     worker: sco_connect_cfm() is holding &conn->lock -- a spinlock, listed as
#     {2:2} in the held-locks dump -- and then calls lock_sock_nested(), which may
#     sleep, with preempt_count == 1.
#  2. A lockdep lock-order inversion on the same two locks: sco_connect_cfm()
#     takes conn->lock before the SCO socket's sk_lock, while __sco_sock_close()
#     (reached from close() -> sco_sock_release) holds sk_lock and then takes
#     conn->lock via _raw_spin_lock. Lockdep flags this AB/BA pattern as a
#     possible deadlock ("Chain exists of: &conn->lock#2 --> sk_lock-...").
# The trigger path is an HCI event packet processed while a SCO socket exists,
# i.e. controller-side input. Here it is injected through vhci; presumably a
# misbehaving or compromised controller could deliver the same event -- verify.
#
# Unrelated: fd -1 passed to the btrfs ioctl, so this call is expected to fail
# (EBADF) before doing anything. Fuzzer noise carried along in the minimized program.
ioctl$BTRFS_IOC_SUBVOL_GETFLAGS(0xffffffffffffffff, 0x80089419, &(0x7f0000000000))
# UDP socket; only used as the target of the iptables setsockopt below.
r0 = socket$inet_udp(0x2, 0x2, 0x0)
# AF_BLUETOOTH (0x1f) / SOCK_SEQPACKET (0x5) / BTPROTO_SCO (0x2) socket, created
# in the init network namespace, then bound and put into the listening state.
# The sockaddr at 0x7f0000000200 is not shown here, and the log does not say
# whether bind() succeeded. Its close path (__sco_sock_close -> bt_accept_dequeue)
# is the "task is already holding lock" side of the lockdep report.
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000200), 0x8)
listen(r1, 0x0)
# Inject HCI packets via the virtual HCI device. The first is a raw packet whose
# only specified bytes are 04 04 (packet type HCI_EVENT_PKT, then what is
# presumably an event code); the remaining bytes of the 0xd-byte length come from
# whatever is already in that region of the mapping. The second is a Synchronous
# Connection Complete event (0x2c, plen 0x11), which the log shows being handled
# by hci_sync_conn_complete_evt -> sco_connect_cfm in the hci_rx_work worker.
# Note the log's "hci0: command tx timeout" just before the BUG: no controller
# answers the commands the stack sends, which is expected with vhci injection.
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
# Unrelated iptables 'raw' table replace on the UDP socket (the level argument
# truncates to 0 and 0x40 is the optname). The same run logs "Cannot find
# add_set index 0 as target", i.e. this table is rejected. Not needed for the
# Bluetooth bug and can presumably be dropped when re-minimizing -- confirm.
setsockopt$IPT_SO_SET_REPLACE(r0, 0x8001000000000000, 0x40, &(0x7f0000000440)=@raw={'raw\x00', 0x8, 0x3, 0x238, 0x0, 0x11, 0x148, 0x0, 0x0, 0x1a0, 0x2a8, 0x2a8, 0x1a0, 0x2a8, 0x3, 0x0, {[{{@ip={@local, @private=0xa010100, 0xffffff00, 0xffffffff, 'hsr0\x00', 'macvtap0\x00', {0xff}, {}, 0x56, 0x1, 0x40}, 0x0, 0x70, 0xd0}, @common=@SET={0x60, 'SET\x00', 0x0, {{0xffffffffffffffff, [0x2, 0x5, 0x5, 0x3, 0x20], 0x4}, {0xffffffffffffffff}}}}, {{@uncond, 0x0, 0x70, 0xd0}, @common=@SET={0x60, 'SET\x00', 0x0, {{0x0, [0x0, 0x4, 0x5, 0x4, 0x5, 0x1], 0x0, 0x2}, {0x1, [0x2, 0x7, 0x4, 0x1, 0x1, 0x6], 0x0, 0x2}}}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28}}}}, 0x298)
[ 75.973536][ T5310] Bluetooth: hci0: command tx timeout
[ 76.032289][ T5310] BUG: sleeping function called from invalid context at net/core/sock.c:3613
[ 76.036227][ T5310] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5310, name: kworker/u5:2
[ 76.039391][ T5310] preempt_count: 1, expected: 0
[ 76.041097][ T5310] RCU nest depth: 0, expected: 0
[ 76.042727][ T5310] 6 locks held by kworker/u5:2/5310:
[ 76.044874][ T5310] #0: ffff888044209948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[ 76.049180][ T5310] #1: ffffc9000d357d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[ 76.053967][ T5310] #2: ffff88804e890078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0
[ 76.058097][ T5310] #3: ffffffff8fe402a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0
[ 76.061841][ T5310] #4: ffff88803ce9ea20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40
[ 76.065273][ T5310] #5: ffff8880450a5258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40
[ 76.068393][ T5310] Preemption disabled at:
[ 76.068400][ T5310] [<0000000000000000>] 0x0
[ 76.071642][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Not tainted 6.12.0-rc7-syzkaller-00012-g3022e9d00ebe #0
[ 76.075389][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.079641][ T5310] Workqueue: hci0 hci_rx_work
[ 76.081492][ T5310] Call Trace:
[ 76.082839][ T5310]
[ 76.084047][ T5310] dump_stack_lvl+0x241/0x360
[ 76.085959][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.087729][ T5310] ? __pfx__printk+0x10/0x10
[ 76.089211][ T5310] __might_resched+0x5d4/0x780
[ 76.091075][ T5310] ? __pfx_lock_acquire+0x10/0x10
[ 76.093112][ T5310] ? __pfx___might_resched+0x10/0x10
[ 76.095007][ T5310] ? __pfx_lock_release+0x10/0x10
[ 76.096927][ T5310] ? do_raw_spin_lock+0x14f/0x370
[ 76.098906][ T5310] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.100904][ T5310] lock_sock_nested+0x5d/0x100
[ 76.102777][ T5310] sco_connect_cfm+0x461/0xb40
[ 76.104715][ T5310] ? __pfx_sco_connect_cfm+0x10/0x10
[ 76.106667][ T5310] ? hci_conn_add_sysfs+0xfc/0x200
[ 76.109686][ T5310] ? __pfx_sco_connect_cfm+0x10/0x10
[ 76.112069][ T5310] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 76.113972][ T5310] hci_event_packet+0xac2/0x1540
[ 76.115587][ T5310] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 76.117941][ T5310] ? __pfx_hci_event_packet+0x10/0x10
[ 76.119909][ T5310] ? set_advertising_complete+0x420/0x6f0
[ 76.122121][ T5310] ? kcov_remote_start+0x97/0x7d0
[ 76.124096][ T5310] hci_rx_work+0x3fe/0xd80
[ 76.125880][ T5310] ? process_scheduled_works+0x976/0x1850
[ 76.128180][ T5310] process_scheduled_works+0xa63/0x1850
[ 76.130349][ T5310] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.132691][ T5310] ? assign_work+0x364/0x3d0
[ 76.134411][ T5310] worker_thread+0x870/0xd30
[ 76.136141][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 76.138457][ T5310] ? __kthread_parkme+0x169/0x1d0
[ 76.140398][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 76.142180][ T5310] kthread+0x2f0/0x390
[ 76.143700][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 76.145547][ T5310] ? __pfx_kthread+0x10/0x10
[ 76.147273][ T5310] ret_from_fork+0x4b/0x80
[ 76.148988][ T5310] ? __pfx_kthread+0x10/0x10
[ 76.150746][ T5310] ret_from_fork_asm+0x1a/0x30
[ 76.152534][ T5310]
[ 76.171921][ T5325] Cannot find add_set index 0 as target
[ 76.176757][ T5324]
[ 76.177703][ T5324] ======================================================
[ 76.180155][ T5324] WARNING: possible circular locking dependency detected
[ 76.182683][ T5324] 6.12.0-rc7-syzkaller-00012-g3022e9d00ebe #0 Tainted: G W
[ 76.185533][ T5324] ------------------------------------------------------
[ 76.188108][ T5324] syz.0.0/5324 is trying to acquire lock:
[ 76.190199][ T5324] ffff88803ce9ea20 (&conn->lock#2){+.+.}-{2:2}, at: __sco_sock_close+0x338/0x570
[ 76.193613][ T5324]
[ 76.193613][ T5324] but task is already holding lock:
[ 76.196194][ T5324] ffff8880450a6258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 76.200039][ T5324]
[ 76.200039][ T5324] which lock already depends on the new lock.
[ 76.200039][ T5324]
[ 76.204555][ T5324]
[ 76.204555][ T5324] the existing dependency chain (in reverse order) is:
[ 76.208395][ T5324]
[ 76.208395][ T5324] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 76.211695][ T5324] lock_acquire+0x1ed/0x550
[ 76.213608][ T5324] lock_sock_nested+0x48/0x100
[ 76.215694][ T5324] bt_accept_dequeue+0xfa/0x570
[ 76.217723][ T5324] __sco_sock_close+0xd6/0x570
[ 76.219749][ T5324] sco_sock_release+0xb3/0x320
[ 76.221678][ T5324] sock_close+0xbc/0x240
[ 76.223443][ T5324] __fput+0x23f/0x880
[ 76.225142][ T5324] task_work_run+0x24f/0x310
[ 76.227037][ T5324] syscall_exit_to_user_mode+0x168/0x370
[ 76.229452][ T5324] do_syscall_64+0x100/0x230
[ 76.231307][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.233677][ T5324]
[ 76.233677][ T5324] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 76.236931][ T5324] lock_acquire+0x1ed/0x550
[ 76.238795][ T5324] lock_sock_nested+0x48/0x100
[ 76.240824][ T5324] sco_connect_cfm+0x461/0xb40
[ 76.242804][ T5324] hci_sync_conn_complete_evt+0x5ab/0xaa0
[ 76.245163][ T5324] hci_event_packet+0xac2/0x1540
[ 76.247157][ T5324] hci_rx_work+0x3fe/0xd80
[ 76.248980][ T5324] process_scheduled_works+0xa63/0x1850
[ 76.251170][ T5324] worker_thread+0x870/0xd30
[ 76.253040][ T5324] kthread+0x2f0/0x390
[ 76.254633][ T5324] ret_from_fork+0x4b/0x80
[ 76.256275][ T5324] ret_from_fork_asm+0x1a/0x30
[ 76.258270][ T5324]
[ 76.258270][ T5324] -> #0 (&conn->lock#2){+.+.}-{2:2}:
[ 76.261060][ T5324] validate_chain+0x18ef/0x5920
[ 76.263061][ T5324] __lock_acquire+0x1384/0x2050
[ 76.265038][ T5324] lock_acquire+0x1ed/0x550
[ 76.266782][ T5324] _raw_spin_lock+0x2e/0x40
[ 76.268371][ T5324] __sco_sock_close+0x338/0x570
[ 76.270188][ T5324] __sco_sock_close+0x154/0x570
[ 76.271996][ T5324] sco_sock_release+0xb3/0x320
[ 76.273938][ T5324] sock_close+0xbc/0x240
[ 76.275753][ T5324] __fput+0x23f/0x880
[ 76.277447][ T5324] task_work_run+0x24f/0x310
[ 76.279206][ T5324] syscall_exit_to_user_mode+0x168/0x370
[ 76.281489][ T5324] do_syscall_64+0x100/0x230
[ 76.283459][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.285853][ T5324]
[ 76.285853][ T5324] other info that might help us debug this:
[ 76.285853][ T5324]
[ 76.289783][ T5324] Chain exists of:
[ 76.289783][ T5324] &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 76.289783][ T5324]
[ 76.294976][ T5324] Possible unsafe locking scenario:
[ 76.294976][ T5324]
[ 76.297836][ T5324]        CPU0                    CPU1
[ 76.299782][ T5324]        ----                    ----
[ 76.301712][ T5324]   lock(sk_lock-AF_BLUETOOTH);
[ 76.303560][ T5324]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 76.306573][ T5324]                                lock(sk_lock-AF_BLUETOOTH);
[ 76.309169][ T5324]   lock(&conn->lock#2);
[ 76.310821][ T5324]
[ 76.310821][ T5324] *** DEADLOCK ***
[ 76.310821][ T5324]
[ 76.313648][ T5324] 3 locks held by syz.0.0/5324:
[ 76.315372][ T5324] #0: ffff888043eeda08 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: sock_close+0x90/0x240
[ 76.319135][ T5324] #1: ffff8880450a5258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 76.323160][ T5324] #2: ffff8880450a6258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xec/0x570
[ 76.327022][ T5324]
[ 76.327022][ T5324] stack backtrace:
[ 76.329423][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Tainted: G W 6.12.0-rc7-syzkaller-00012-g3022e9d00ebe #0
[ 76.333690][ T5324] Tainted: [W]=WARN
[ 76.335108][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.338898][ T5324] Call Trace:
[ 76.340267][ T5324]
[ 76.341444][ T5324] dump_stack_lvl+0x241/0x360
[ 76.343206][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.345146][ T5324] ? __pfx__printk+0x10/0x10
[ 76.346879][ T5324] print_circular_bug+0x13a/0x1b0
[ 76.348842][ T5324] check_noncircular+0x36a/0x4a0
[ 76.350711][ T5324] ? mark_lock+0x9a/0x360
[ 76.352326][ T5324] ? __pfx_check_noncircular+0x10/0x10
[ 76.354204][ T5324] ? lockdep_lock+0x123/0x2b0
[ 76.355902][ T5324] validate_chain+0x18ef/0x5920
[ 76.357689][ T5324] ? __pfx_validate_chain+0x10/0x10
[ 76.359432][ T5324] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 76.361723][ T5324] ? __mod_timer+0xb89/0xeb0
[ 76.363306][ T5324] ? __pfx_lock_release+0x10/0x10
[ 76.365143][ T5324] ? do_raw_spin_unlock+0x58/0x8b0
[ 76.366891][ T5324] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 76.368995][ T5324] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 76.371196][ T5324] ? mark_lock+0x9a/0x360
[ 76.372751][ T5324] __lock_acquire+0x1384/0x2050
[ 76.374446][ T5324] lock_acquire+0x1ed/0x550
[ 76.376104][ T5324] ? __sco_sock_close+0x338/0x570
[ 76.377929][ T5324] ? __pfx_lock_acquire+0x10/0x10
[ 76.379687][ T5324] ? queue_delayed_work_on+0x267/0x390
[ 76.381667][ T5324] ? __pfx_queue_delayed_work_on+0x10/0x10
[ 76.383632][ T5324] ? __pfx___cancel_work+0x10/0x10
[ 76.385384][ T5324] ? __cancel_work+0x2ee/0x390
[ 76.387143][ T5324] ? __pfx___cancel_work+0x10/0x10
[ 76.389063][ T5324] ? __sco_sock_close+0xec/0x570
[ 76.390861][ T5324] _raw_spin_lock+0x2e/0x40
[ 76.392372][ T5324] ? __sco_sock_close+0x338/0x570
[ 76.394154][ T5324] __sco_sock_close+0x338/0x570
[ 76.395919][ T5324] __sco_sock_close+0x154/0x570
[ 76.397640][ T5324] sco_sock_release+0xb3/0x320
[ 76.399270][ T5324] sock_close+0xbc/0x240
[ 76.400816][ T5324] ? __pfx_sock_close+0x10/0x10
[ 76.402550][ T5324] __fput+0x23f/0x880
[ 76.403992][ T5324] task_work_run+0x24f/0x310
[ 76.405718][ T5324] ? __pfx_task_work_run+0x10/0x10
[ 76.407576][ T5324] ? syscall_exit_to_user_mode+0xa3/0x370
[ 76.409630][ T5324] syscall_exit_to_user_mode+0x168/0x370
[ 76.411718][ T5324] do_syscall_64+0x100/0x230
[ 76.413322][ T5324] ? clear_bhb_loop+0x35/0x90
[ 76.415071][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.417474][ T5324] RIP: 0033:0x7fcd3c77e719
[ 76.419395][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 76.426298][ T5324] RSP: 002b:00007ffd731729b8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 76.429264][ T5324] RAX: 0000000000000000 RBX: 000000000001286c RCX: 00007fcd3c77e719
[ 76.432310][ T5324] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 76.435139][ T5324] RBP: 00007fcd3c937a80 R08: 0000000000000001 R09: 00007ffd73172caf
[ 76.438448][ T5324] R10: 00007fcd3c5ff030 R11: 0000000000000246 R12: 0000000000012932
[ 76.441802][ T5324] R13: 00007ffd73172ac0 R14: 0000000000000032 R15: ffffffffffffffff
[ 76.444948][ T5324]
[ 76.455061][ T1304] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.457422][ T1304] ieee802154 phy1 wpan1: encryption failed: -22