program:
r0 = socket$igmp6(0xa, 0x3, 0x2)
dup(r0)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r1, &(0x7f0000000200), 0x8)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_wireguard(r2, 0x8933, &(0x7f0000002140)={'wg2\x00', <r3=>0x0})
sendmsg$nl_route(r2, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000100)=@ipv6_newnexthop={0x34, 0x68, 0x1, 0x0, 0x0, {}, [@NHA_ENCAP_TYPE={0x6, 0x7, 0x4}, @NHA_OIF={0x8, 0x5, r3}, @NHA_ENCAP={0xc, 0x8, 0x0, 0x1, @LWTUNNEL_IP6_FLAGS={0x6, 0x6, 0x50}}]}, 0x34}}, 0x0)
listen(r1, 0x0)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)
r4 = syz_mount_image$minix(&(0x7f0000000200), &(0x7f0000000240)='./file0\x00', 0x0, &(0x7f0000000280), 0x1, 0x1d4, &(0x7f00000002c0)="$eJzs27tu0wAUBuDfaQCJR2BlgIWGXiislcr9fpnYqjZUFSkgytIKCXgU3oQ3gRfowAtglDSAEjEYm8agfp+U5GT4fY6HE9tDAhxf3eFbkSJro69lWb57n+Tp3SSdtocDjlLZcv9vJdCeueEafml7CmD2DlZH+59PRfL569uNH6+1itfvg9XxQ8JU/mrV/Idi9HmmO5m/luR6hXz58TB/LpP5G3/Y//RU/mbl/OH5nz87mb+V5HaSO0mGj1L3ktxP8iDJw9/035zq/6RifwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgL+lSDLfNN/gAJ0kz7YH/Ys18yfG+YWa+ZPj/GLD/FLN/Klxfn7j5WCz5jGgrk7L+z/XcP+7DfcfjrPdvf3n64NB/7VCoVD8LNr+ZQKOWu/Nzqve7t7+he2d9a3+Vv/F8sKV5ZXLlxaXVnqj+/Jek7tz4F/266Lf9iQAAAAAAAAAQF2PkjxuewgAAGAmZvF3orbPEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAID/3/cAAAD//2lo0uQ=")
pipe2$9p(&(0x7f0000000080)={<r5=>0xffffffffffffffff}, 0x80)
statx(r4, &(0x7f00000000c0)='./file0\x00', 0x0, 0x42, &(0x7f00000004c0)={0x0, 0x0, 0x0, 0x0, 0x0, <r6=>0x0})
mount$9p_fd(0x0, &(0x7f0000000000)='./file0\x00', &(0x7f0000000040), 0xb40001, &(0x7f00000005c0)={'trans=fd,', {'rfdno', 0x3d, r5}, 0x2c, {'wfdno', 0x3d, r4}, 0x2c, {[{@cache_loose}, {@cache_mmap}, {@dfltgid={'dfltgid', 0x3d, r6}}], [{@fsname={'fsname', 0x3d, 'minix\x00'}}, {@measure}, {@measure}, {@appraise}]}})

[   60.085962][ T4672] Bluetooth: hci0: command tx timeout
[   60.157394][ T4672] BUG: sleeping function called from invalid context at net/core/sock.c:3624
[   60.160695][ T4672] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4672, name: kworker/u5:1
[   60.164078][ T4672] preempt_count: 1, expected: 0
[   60.166039][ T4672] RCU nest depth: 0, expected: 0
[   60.167889][ T4672] 5 locks held by kworker/u5:1/4672:
[   60.169767][ T4672]  #0: ffff888043675948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[   60.174102][ T4672]  #1: ffffc9000dce7d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[   60.178489][ T4672]  #2: ffff888000c34078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[   60.182162][ T4672]  #3: ffff88803ee0cc20 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[   60.185818][ T4672]  #4: ffff888045ab4258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[   60.189823][ T4672] Preemption disabled at:
[   60.189834][ T4672] [<0000000000000000>] 0x0
[   60.193140][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/u5:1 Not tainted 6.13.0-rc3-syzkaller-00193-ge9b8ffafd20a #0
[   60.196999][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   60.200961][ T4672] Workqueue: hci0 hci_rx_work
[   60.202742][ T4672] Call Trace:
[   60.203916][ T4672]  <TASK>
[   60.204918][ T4672]  dump_stack_lvl+0x241/0x360
[   60.206731][ T4672]  ? __pfx_dump_stack_lvl+0x10/0x10
[   60.208670][ T4672]  ? __pfx__printk+0x10/0x10
[   60.210440][ T4672]  __might_resched+0x5d4/0x780
[   60.212279][ T4672]  ? __pfx_lock_acquire+0x10/0x10
[   60.213989][ T4672]  ? __pfx___might_resched+0x10/0x10
[   60.215833][ T4672]  ? __pfx_lock_release+0x10/0x10
[   60.217783][ T4672]  ? do_raw_spin_lock+0x14f/0x370
[   60.219816][ T4672]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   60.221924][ T4672]  lock_sock_nested+0x5d/0x100
[   60.223739][ T4672]  sco_connect_cfm+0x439/0xae0
[   60.225440][ T4672]  ? hci_cb_lookup+0x1b3/0x3c0
[   60.226968][ T4672]  ? __pfx_sco_connect_cfm+0x10/0x10
[   60.228936][ T4672]  ? hci_cb_lookup+0x3a0/0x3c0
[   60.230787][ T4672]  ? __pfx_sco_connect_cfm+0x10/0x10
[   60.232500][ T4672]  hci_sync_conn_complete_evt+0x6f1/0xb50
[   60.234618][ T4672]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   60.237015][ T4672]  ? skb_pull_data+0x112/0x230
[   60.238883][ T4672]  hci_event_packet+0xac2/0x1540
[   60.240817][ T4672]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   60.243045][ T4672]  ? __pfx_hci_event_packet+0x10/0x10
[   60.245031][ T4672]  ? do_raw_spin_unlock+0x58/0x8b0
[   60.246683][ T4672]  ? hci_send_to_monitor+0xd8/0x7f0
[   60.248572][ T4672]  ? kcov_remote_start+0x97/0x7d0
[   60.250448][ T4672]  hci_rx_work+0x3f3/0xdb0
[   60.252468][ T4672]  ? process_scheduled_works+0x976/0x1840
[   60.254722][ T4672]  process_scheduled_works+0xa66/0x1840
[   60.256931][ T4672]  ? __pfx_process_scheduled_works+0x10/0x10
[   60.259178][ T4672]  ? assign_work+0x364/0x3d0
[   60.260746][ T4672]  worker_thread+0x870/0xd30
[   60.262337][ T4672]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   60.264501][ T4672]  ? __kthread_parkme+0x169/0x1d0
[   60.266225][ T4672]  ? __pfx_worker_thread+0x10/0x10
[   60.268164][ T4672]  kthread+0x2f0/0x390
[   60.269779][ T4672]  ? __pfx_worker_thread+0x10/0x10
[   60.271664][ T4672]  ? __pfx_kthread+0x10/0x10
[   60.273430][ T4672]  ret_from_fork+0x4b/0x80
[   60.275085][ T4672]  ? __pfx_kthread+0x10/0x10
[   60.276745][ T4672]  ret_from_fork_asm+0x1a/0x30
[   60.278747][ T4672]  </TASK>
[   60.293487][ T5312] loop0: detected capacity change from 0 to 256
[   60.324804][ T5312] MINIX-fs: deleted inode referenced: 1
[   60.349839][ T5312] MINIX-fs: get root inode failed
[   60.382615][ T5311] 
[   60.383550][ T5311] ======================================================
[   60.385943][ T5311] WARNING: possible circular locking dependency detected
[   60.388444][ T5311] 6.13.0-rc3-syzkaller-00193-ge9b8ffafd20a #0 Tainted: G        W         
[   60.391583][ T5311] ------------------------------------------------------
[   60.394080][ T5311] syz.0.0/5311 is trying to acquire lock:
[   60.396130][ T5311] ffff88803ee0cc20 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   60.399377][ T5311] 
[   60.399377][ T5311] but task is already holding lock:
[   60.402057][ T5311] ffff888052fc8258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   60.405576][ T5311] 
[   60.405576][ T5311] which lock already depends on the new lock.
[   60.405576][ T5311] 
[   60.409358][ T5311] 
[   60.409358][ T5311] the existing dependency chain (in reverse order) is:
[   60.412607][ T5311] 
[   60.412607][ T5311] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   60.415708][ T5311]        lock_acquire+0x1ed/0x550
[   60.417603][ T5311]        lock_sock_nested+0x48/0x100
[   60.419592][ T5311]        bt_accept_dequeue+0xfa/0x570
[   60.421559][ T5311]        __sco_sock_close+0xd2/0x310
[   60.423544][ T5311]        sco_sock_release+0xb3/0x320
[   60.425477][ T5311]        sock_close+0xbc/0x240
[   60.427485][ T5311]        __fput+0x23c/0xa50
[   60.429084][ T5311]        task_work_run+0x24f/0x310
[   60.430585][ T5311]        syscall_exit_to_user_mode+0x13f/0x340
[   60.432918][ T5311]        do_syscall_64+0x100/0x230
[   60.434729][ T5311]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.437059][ T5311] 
[   60.437059][ T5311] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   60.440137][ T5311]        lock_acquire+0x1ed/0x550
[   60.441971][ T5311]        lock_sock_nested+0x48/0x100
[   60.443793][ T5311]        sco_connect_cfm+0x439/0xae0
[   60.445695][ T5311]        hci_sync_conn_complete_evt+0x6f1/0xb50
[   60.447908][ T5311]        hci_event_packet+0xac2/0x1540
[   60.449782][ T5311]        hci_rx_work+0x3f3/0xdb0
[   60.451483][ T5311]        process_scheduled_works+0xa66/0x1840
[   60.453620][ T5311]        worker_thread+0x870/0xd30
[   60.455464][ T5311]        kthread+0x2f0/0x390
[   60.457176][ T5311]        ret_from_fork+0x4b/0x80
[   60.459035][ T5311]        ret_from_fork_asm+0x1a/0x30
[   60.460983][ T5311] 
[   60.460983][ T5311] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[   60.464791][ T5311]        validate_chain+0x18ef/0x5920
[   60.466726][ T5311]        __lock_acquire+0x1397/0x2100
[   60.468678][ T5311]        lock_acquire+0x1ed/0x550
[   60.470524][ T5311]        _raw_spin_lock+0x2e/0x40
[   60.472422][ T5311]        sco_chan_del+0x74/0x180
[   60.474320][ T5311]        __sco_sock_close+0x152/0x310
[   60.476266][ T5311]        sco_sock_release+0xb3/0x320
[   60.478074][ T5311]        sock_close+0xbc/0x240
[   60.479826][ T5311]        __fput+0x23c/0xa50
[   60.481350][ T5311]        task_work_run+0x24f/0x310
[   60.483182][ T5311]        syscall_exit_to_user_mode+0x13f/0x340
[   60.485253][ T5311]        do_syscall_64+0x100/0x230
[   60.487078][ T5311]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.489508][ T5311] 
[   60.489508][ T5311] other info that might help us debug this:
[   60.489508][ T5311] 
[   60.493795][ T5311] Chain exists of:
[   60.493795][ T5311]   &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   60.493795][ T5311] 
[   60.499255][ T5311]  Possible unsafe locking scenario:
[   60.499255][ T5311] 
[   60.501810][ T5311]        CPU0                    CPU1
[   60.503845][ T5311]        ----                    ----
[   60.505653][ T5311]   lock(sk_lock-AF_BLUETOOTH);
[   60.507044][ T5311]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   60.509860][ T5311]                                lock(sk_lock-AF_BLUETOOTH);
[   60.512358][ T5311]   lock(&conn->lock#2);
[   60.514028][ T5311] 
[   60.514028][ T5311]  *** DEADLOCK ***
[   60.514028][ T5311] 
[   60.517053][ T5311] 3 locks held by syz.0.0/5311:
[   60.518796][ T5311]  #0: ffff8880432a0808 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   60.522440][ T5311]  #1: ffff888045ab4258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   60.526203][ T5311]  #2: ffff888052fc8258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   60.529839][ T5311] 
[   60.529839][ T5311] stack backtrace:
[   60.531996][ T5311] CPU: 0 UID: 0 PID: 5311 Comm: syz.0.0 Tainted: G        W          6.13.0-rc3-syzkaller-00193-ge9b8ffafd20a #0
[   60.535972][ T5311] Tainted: [W]=WARN
[   60.537347][ T5311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   60.541391][ T5311] Call Trace:
[   60.542678][ T5311]  <TASK>
[   60.543750][ T5311]  dump_stack_lvl+0x241/0x360
[   60.545444][ T5311]  ? __pfx_dump_stack_lvl+0x10/0x10
[   60.547360][ T5311]  ? __pfx__printk+0x10/0x10
[   60.549089][ T5311]  print_circular_bug+0x13a/0x1b0
[   60.550893][ T5311]  check_noncircular+0x36a/0x4a0
[   60.552576][ T5311]  ? __pfx_check_noncircular+0x10/0x10
[   60.554420][ T5311]  ? lockdep_lock+0x123/0x2b0
[   60.556229][ T5311]  validate_chain+0x18ef/0x5920
[   60.558136][ T5311]  ? debug_object_assert_init+0x2dd/0x4b0
[   60.560358][ T5311]  ? do_raw_spin_unlock+0x58/0x8b0
[   60.562245][ T5311]  ? __pfx_validate_chain+0x10/0x10
[   60.564230][ T5311]  ? __pfx_stack_trace_save+0x10/0x10
[   60.566157][ T5311]  ? debug_object_assert_init+0x2dd/0x4b0
[   60.568383][ T5311]  ? __pfx_debug_object_assert_init+0x10/0x10
[   60.570487][ T5311]  ? mark_lock+0x9a/0x360
[   60.571766][ T5311]  __lock_acquire+0x1397/0x2100
[   60.573418][ T5311]  lock_acquire+0x1ed/0x550
[   60.575070][ T5311]  ? sco_chan_del+0x74/0x180
[   60.576716][ T5311]  ? __pfx_lock_acquire+0x10/0x10
[   60.578568][ T5311]  ? lockdep_hardirqs_on+0x99/0x150
[   60.580484][ T5311]  ? __cancel_work+0x2ee/0x390
[   60.582254][ T5311]  ? __pfx___cancel_work+0x10/0x10
[   60.584132][ T5311]  ? __sco_sock_close+0xe8/0x310
[   60.585949][ T5311]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   60.588365][ T5311]  ? __sco_sock_close+0xe8/0x310
[   60.590604][ T5311]  _raw_spin_lock+0x2e/0x40
[   60.592717][ T5311]  ? sco_chan_del+0x74/0x180
[   60.594476][ T5311]  sco_chan_del+0x74/0x180
[   60.596096][ T5311]  __sco_sock_close+0x152/0x310
[   60.597846][ T5311]  sco_sock_release+0xb3/0x320
[   60.599589][ T5311]  sock_close+0xbc/0x240
[   60.601119][ T5311]  ? __pfx_sock_close+0x10/0x10
[   60.602803][ T5311]  __fput+0x23c/0xa50
[   60.604247][ T5311]  task_work_run+0x24f/0x310
[   60.605818][ T5311]  ? _raw_spin_unlock+0x28/0x50
[   60.607698][ T5311]  ? __pfx_task_work_run+0x10/0x10
[   60.609527][ T5311]  ? syscall_exit_to_user_mode+0xa3/0x340
[   60.611566][ T5311]  syscall_exit_to_user_mode+0x13f/0x340
[   60.613642][ T5311]  do_syscall_64+0x100/0x230
[   60.615383][ T5311]  ? clear_bhb_loop+0x35/0x90
[   60.617089][ T5311]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   60.619306][ T5311] RIP: 0033:0x7f712cb85d29
[   60.620929][ T5311] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   60.627840][ T5311] RSP: 002b:00007fff20d55bf8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   60.631081][ T5311] RAX: 0000000000000000 RBX: 000000000000ea52 RCX: 00007f712cb85d29
[   60.633900][ T5311] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   60.636725][ T5311] RBP: 00007f712cd77ba0 R08: 0000000000000001 R09: 00007fff20d55eef
[   60.639823][ T5311] R10: 00007f712c9ff030 R11: 0000000000000246 R12: 000000000000eb89
[   60.642744][ T5311] R13: 00007f712cd75fa0 R14: 0000000000000032 R15: ffffffffffffffff
[   60.645490][ T5311]  </TASK>