program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000200), 0x8)
listen(r0, 0x0)
r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x18, 0x5, &(0x7f0000000480)=ANY=[@ANYBLOB="1801000021000000000000003b810000850000006d000000850000005000000095"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
r2 = bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000340)={&(0x7f00000002c0)='mmap_lock_acquire_returned\x00', r1}, 0x10)
r3 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$KDGKBLED(r3, 0x4bfa, 0x0)
shmget$private(0x0, 0x13000, 0x0, &(0x7f0000feb000/0x13000)=nil)
shmat(0x0, &(0x7f0000ff7000/0x3000)=nil, 0x4000)
r4 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000000), 0xa0200, 0x0)
write$rfkill(r4, &(0x7f0000000080)={0x6, 0x1, 0x2, 0x0, 0x1}, 0x8)
ioctl$PIO_UNIMAP(r3, 0x4b67, &(0x7f0000000100)={0x1, &(0x7f00000000c0)=[{0x3, 0x2}]})
r5 = socket$inet6_sctp(0xa, 0x5, 0x84)
bind$inet6(r5, &(0x7f00004b8fe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
r6 = socket$inet6_sctp(0xa, 0x1, 0x84)
ioctl$BTRFS_IOC_SCRUB_PROGRESS(r2, 0xc400941d, &(0x7f00000004c0)={<r7=>0x0, 0x10001, 0x200})
ioctl$BTRFS_IOC_SUBVOL_CREATE_V2(r6, 0x50009418, &(0x7f0000000940)={{r5}, 0x0, 0x16, @unused=[0x5578a476, 0x7, 0x36, 0x4], @devid=r7})
setsockopt$inet_sctp6_SCTP_SOCKOPT_BINDX_ADD(r6, 0x84, 0x64, &(0x7f0000000900)=[@in={0x2, 0x4e23, @loopback}, @in6={0xa, 0x0, 0x0, @loopback}], 0x2c)
syz_emit_vhci(&(0x7f0000000440)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_sync_conn_complete={{0x2c, 0x11}}}, 0x14)

[   58.110074][ T5298] BUG: sleeping function called from invalid context at net/core/sock.c:3627
[   58.113294][ T5298] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5298, name: kworker/u5:2
[   58.116600][ T5298] preempt_count: 1, expected: 0
[   58.118367][ T5298] RCU nest depth: 0, expected: 0
[   58.120171][ T5298] 5 locks held by kworker/u5:2/5298:
[   58.122302][ T5298]  #0: ffff888012415948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840
[   58.126622][ T5298]  #1: ffffc9000d40fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840
[   58.131058][ T5298]  #2: ffff888042fdc078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[   58.135214][ T5298]  #3: ffff888034597a20 (&conn->lock#2){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[   58.138724][ T5298]  #4: ffff8880529f1258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[   58.143010][ T5298] Preemption disabled at:
[   58.143023][ T5298] [<0000000000000000>] 0x0
[   58.146647][ T5298] CPU: 0 UID: 0 PID: 5298 Comm: kworker/u5:2 Not tainted 6.13.0-rc6-syzkaller-00262-gb62cef9a5c67 #0
[   58.150383][ T5298] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.154125][ T5298] Workqueue: hci0 hci_rx_work
[   58.155752][ T5298] Call Trace:
[   58.156963][ T5298]  <TASK>
[   58.158077][ T5298]  dump_stack_lvl+0x241/0x360
[   58.159892][ T5298]  ? __pfx_dump_stack_lvl+0x10/0x10
[   58.161494][ T5298]  ? __pfx__printk+0x10/0x10
[   58.162798][ T5298]  __might_resched+0x5d4/0x780
[   58.164330][ T5298]  ? __pfx_lock_acquire+0x10/0x10
[   58.165852][ T5298]  ? __pfx___might_resched+0x10/0x10
[   58.167476][ T5298]  ? __pfx_lock_release+0x10/0x10
[   58.169276][ T5298]  ? do_raw_spin_lock+0x14f/0x370
[   58.171047][ T5298]  ? __pfx_do_raw_spin_lock+0x10/0x10
[   58.173045][ T5298]  lock_sock_nested+0x5d/0x100
[   58.174731][ T5298]  sco_connect_cfm+0x439/0xae0
[   58.176484][ T5298]  ? hci_cb_lookup+0x1b3/0x3c0
[   58.178264][ T5298]  ? __pfx_sco_connect_cfm+0x10/0x10
[   58.180206][ T5298]  ? hci_cb_lookup+0x3a0/0x3c0
[   58.181934][ T5298]  ? __pfx_sco_connect_cfm+0x10/0x10
[   58.183880][ T5298]  hci_sync_conn_complete_evt+0x6f1/0xb50
[   58.185979][ T5298]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   58.188446][ T5298]  ? skb_pull_data+0x112/0x230
[   58.190039][ T5298]  hci_event_packet+0xac2/0x1540
[   58.191567][ T5298]  ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[   58.193486][ T5298]  ? __pfx_hci_event_packet+0x10/0x10
[   58.195315][ T5298]  ? do_raw_spin_unlock+0x58/0x8b0
[   58.197087][ T5298]  ? hci_send_to_monitor+0xd8/0x7f0
[   58.199000][ T5298]  ? kcov_remote_start+0x97/0x7d0
[   58.200775][ T5298]  hci_rx_work+0x3f3/0xdb0
[   58.202252][ T5298]  ? process_scheduled_works+0x976/0x1840
[   58.204130][ T5298]  process_scheduled_works+0xa66/0x1840
[   58.206101][ T5298]  ? __pfx_process_scheduled_works+0x10/0x10
[   58.208692][ T5298]  ? assign_work+0x364/0x3d0
[   58.210247][ T5298]  worker_thread+0x870/0xd30
[   58.211891][ T5298]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   58.214120][ T5298]  ? __kthread_parkme+0x169/0x1d0
[   58.216090][ T5298]  ? __pfx_worker_thread+0x10/0x10
[   58.218073][ T5298]  kthread+0x2f0/0x390
[   58.219624][ T5298]  ? __pfx_worker_thread+0x10/0x10
[   58.221256][ T5298]  ? __pfx_kthread+0x10/0x10
[   58.222789][ T5298]  ret_from_fork+0x4b/0x80
[   58.224467][ T5298]  ? __pfx_kthread+0x10/0x10
[   58.226173][ T5298]  ret_from_fork_asm+0x1a/0x30
[   58.227989][ T5298]  </TASK>
[   58.246603][ T5312] 
[   58.247605][ T5312] ======================================================
[   58.250222][ T5312] WARNING: possible circular locking dependency detected
[   58.252772][ T5312] 6.13.0-rc6-syzkaller-00262-gb62cef9a5c67 #0 Tainted: G        W         
[   58.255387][ T5312] ------------------------------------------------------
[   58.257953][ T5312] syz.0.0/5312 is trying to acquire lock:
[   58.260024][ T5312] ffff888034597a20 (&conn->lock#2){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[   58.262850][ T5312] 
[   58.262850][ T5312] but task is already holding lock:
[   58.265251][ T5312] ffff8880529f7258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   58.268730][ T5312] 
[   58.268730][ T5312] which lock already depends on the new lock.
[   58.268730][ T5312] 
[   58.272565][ T5312] 
[   58.272565][ T5312] the existing dependency chain (in reverse order) is:
[   58.275905][ T5312] 
[   58.275905][ T5312] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   58.278928][ T5312]        lock_acquire+0x1ed/0x550
[   58.280751][ T5312]        lock_sock_nested+0x48/0x100
[   58.282704][ T5312]        bt_accept_dequeue+0xfa/0x570
[   58.284607][ T5312]        __sco_sock_close+0xd2/0x310
[   58.286608][ T5312]        sco_sock_release+0xb3/0x320
[   58.288599][ T5312]        sock_close+0xbc/0x240
[   58.290469][ T5312]        __fput+0x23c/0xa50
[   58.292136][ T5312]        task_work_run+0x24f/0x310
[   58.293914][ T5312]        syscall_exit_to_user_mode+0x13f/0x340
[   58.296200][ T5312]        do_syscall_64+0x100/0x230
[   58.298144][ T5312]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.300699][ T5312] 
[   58.300699][ T5312] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   58.304195][ T5312]        lock_acquire+0x1ed/0x550
[   58.306138][ T5312]        lock_sock_nested+0x48/0x100
[   58.308213][ T5312]        sco_connect_cfm+0x439/0xae0
[   58.310045][ T5312]        hci_sync_conn_complete_evt+0x6f1/0xb50
[   58.312406][ T5312]        hci_event_packet+0xac2/0x1540
[   58.314420][ T5312]        hci_rx_work+0x3f3/0xdb0
[   58.316435][ T5312]        process_scheduled_works+0xa66/0x1840
[   58.318636][ T5312]        worker_thread+0x870/0xd30
[   58.320577][ T5312]        kthread+0x2f0/0x390
[   58.322427][ T5312]        ret_from_fork+0x4b/0x80
[   58.324535][ T5312]        ret_from_fork_asm+0x1a/0x30
[   58.326505][ T5312] 
[   58.326505][ T5312] -> #0 (&conn->lock#2){+.+.}-{3:3}:
[   58.329244][ T5312]        validate_chain+0x18ef/0x5920
[   58.331041][ T5312]        __lock_acquire+0x1397/0x2100
[   58.332900][ T5312]        lock_acquire+0x1ed/0x550
[   58.334596][ T5312]        _raw_spin_lock+0x2e/0x40
[   58.336490][ T5312]        sco_chan_del+0x74/0x180
[   58.338301][ T5312]        __sco_sock_close+0x152/0x310
[   58.340393][ T5312]        sco_sock_release+0xb3/0x320
[   58.342493][ T5312]        sock_close+0xbc/0x240
[   58.344378][ T5312]        __fput+0x23c/0xa50
[   58.346134][ T5312]        task_work_run+0x24f/0x310
[   58.348179][ T5312]        syscall_exit_to_user_mode+0x13f/0x340
[   58.350548][ T5312]        do_syscall_64+0x100/0x230
[   58.352559][ T5312]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.354956][ T5312] 
[   58.354956][ T5312] other info that might help us debug this:
[   58.354956][ T5312] 
[   58.358934][ T5312] Chain exists of:
[   58.358934][ T5312]   &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[   58.358934][ T5312] 
[   58.363879][ T5312]  Possible unsafe locking scenario:
[   58.363879][ T5312] 
[   58.366679][ T5312]        CPU0                    CPU1
[   58.368940][ T5312]        ----                    ----
[   58.371420][ T5312]   lock(sk_lock-AF_BLUETOOTH);
[   58.373821][ T5312]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   58.377483][ T5312]                                lock(sk_lock-AF_BLUETOOTH);
[   58.380367][ T5312]   lock(&conn->lock#2);
[   58.382063][ T5312] 
[   58.382063][ T5312]  *** DEADLOCK ***
[   58.382063][ T5312] 
[   58.385261][ T5312] 3 locks held by syz.0.0/5312:
[   58.387197][ T5312]  #0: ffff88801a854208 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[   58.390666][ T5312]  #1: ffff8880529f1258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[   58.395030][ T5312]  #2: ffff8880529f7258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[   58.398726][ T5312] 
[   58.398726][ T5312] stack backtrace:
[   58.401021][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: syz.0.0 Tainted: G        W          6.13.0-rc6-syzkaller-00262-gb62cef9a5c67 #0
[   58.405445][ T5312] Tainted: [W]=WARN
[   58.407085][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.411401][ T5312] Call Trace:
[   58.412727][ T5312]  <TASK>
[   58.413860][ T5312]  dump_stack_lvl+0x241/0x360
[   58.415541][ T5312]  ? __pfx_dump_stack_lvl+0x10/0x10
[   58.417393][ T5312]  ? __pfx__printk+0x10/0x10
[   58.418997][ T5312]  print_circular_bug+0x13a/0x1b0
[   58.420828][ T5312]  check_noncircular+0x36a/0x4a0
[   58.422553][ T5312]  ? __pfx_check_noncircular+0x10/0x10
[   58.424554][ T5312]  ? lockdep_lock+0x123/0x2b0
[   58.426348][ T5312]  validate_chain+0x18ef/0x5920
[   58.428427][ T5312]  ? debug_object_assert_init+0x2dd/0x4b0
[   58.430448][ T5312]  ? do_raw_spin_unlock+0x58/0x8b0
[   58.432196][ T5312]  ? __pfx_validate_chain+0x10/0x10
[   58.434255][ T5312]  ? __pfx_stack_trace_save+0x10/0x10
[   58.436325][ T5312]  ? debug_object_assert_init+0x2dd/0x4b0
[   58.438497][ T5312]  ? __pfx_debug_object_assert_init+0x10/0x10
[   58.441311][ T5312]  ? mark_lock+0x9a/0x360
[   58.443049][ T5312]  __lock_acquire+0x1397/0x2100
[   58.444888][ T5312]  lock_acquire+0x1ed/0x550
[   58.446638][ T5312]  ? sco_chan_del+0x74/0x180
[   58.448276][ T5312]  ? __pfx_lock_acquire+0x10/0x10
[   58.450074][ T5312]  ? lockdep_hardirqs_on+0x99/0x150
[   58.451827][ T5312]  ? __cancel_work+0x2ee/0x390
[   58.453600][ T5312]  ? __pfx___cancel_work+0x10/0x10
[   58.455551][ T5312]  ? __sco_sock_close+0xe8/0x310
[   58.457417][ T5312]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   58.459505][ T5312]  ? __sco_sock_close+0xe8/0x310
[   58.461366][ T5312]  _raw_spin_lock+0x2e/0x40
[   58.463060][ T5312]  ? sco_chan_del+0x74/0x180
[   58.464796][ T5312]  sco_chan_del+0x74/0x180
[   58.466587][ T5312]  __sco_sock_close+0x152/0x310
[   58.468590][ T5312]  sco_sock_release+0xb3/0x320
[   58.470537][ T5312]  sock_close+0xbc/0x240
[   58.472244][ T5312]  ? __pfx_sock_close+0x10/0x10
[   58.474223][ T5312]  __fput+0x23c/0xa50
[   58.475836][ T5312]  task_work_run+0x24f/0x310
[   58.477592][ T5312]  ? _raw_spin_unlock+0x28/0x50
[   58.479451][ T5312]  ? __pfx_task_work_run+0x10/0x10
[   58.481412][ T5312]  ? syscall_exit_to_user_mode+0xa3/0x340
[   58.483592][ T5312]  syscall_exit_to_user_mode+0x13f/0x340
[   58.485761][ T5312]  do_syscall_64+0x100/0x230
[   58.487576][ T5312]  ? clear_bhb_loop+0x35/0x90
[   58.489364][ T5312]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.491595][ T5312] RIP: 0033:0x7f6496f85d29
[   58.493218][ T5312] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   58.500147][ T5312] RSP: 002b:00007fff7d380bd8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   58.503259][ T5312] RAX: 0000000000000000 RBX: 00007f6497177ba0 RCX: 00007f6496f85d29
[   58.506357][ T5312] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[   58.509295][ T5312] RBP: 00007f6497177ba0 R08: 00000000000143fc R09: 00007fff7d380ecf
[   58.512189][ T5312] R10: 0000000000deb9d0 R11: 0000000000000246 R12: 000000000000e5ae
[   58.514954][ T5312] R13: 00007fff7d380ce0 R14: 0000000000000032 R15: ffffffffffffffff
[   58.517763][ T5312]  </TASK>
[   58.520180][ T5298] Bluetooth: hci0: command tx timeout