program: r0 = socket$kcm(0x23, 0x5, 0x0) listen(r0, 0x800) r1 = socket$kcm(0x10, 0x2, 0x0) sendmsg$inet(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) connect$phonet_pipe(r2, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10) r3 = syz_open_dev$ttys(0xc, 0x2, 0x0) close_range(r1, r3, 0x2) accept4(r0, 0x0, 0x0, 0x80000) r4 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0xe, 0x7fff0000}]}) close_range(r4, 0xffffffffffffffff, 0x0) r5 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000}, 0x48) perf_event_open(&(0x7f0000001480)={0x2, 0x80, 0x83, 0x1, 0x0, 0x0, 0x0, 0x1, 0x4000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0x0, @perf_bp={0x0, 0x4}, 0x20, 0x0, 0x0, 0x8, 0x6d, 0xd}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) r6 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0x5, &(0x7f00000004c0)=ANY=[@ANYBLOB="180000000000000000000000000000008500000023000000850000000800000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffff2d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90) r7 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$KVM_CREATE_VM(r7, 0xae01, 0x0) mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x0, 0x200000005c832, 0xffffffffffffffff, 0x0) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x7) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000180)='kfree\x00', r6}, 0x10) bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0xc, 0x11, 
&(0x7f0000001000)=@ringbuf={{}, {{0x18, 0x1, 0x1, 0x0, r5}}, {}, [@func={0x85, 0x0, 0x1, 0x0, 0x1}, @exit]}, &(0x7f0000000080)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) [ 103.418521][ T5292] Bluetooth: hci0: command tx timeout [ 103.532130][ T5332] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 103.597852][ C0] [ 103.599019][ C0] ================================ [ 103.601316][ C0] WARNING: inconsistent lock state [ 103.603515][ C0] syzkaller #0 Not tainted [ 103.605460][ C0] -------------------------------- [ 103.607677][ C0] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. [ 103.610679][ C0] syz.0.0/5332 [HC0[0]:SC1[1]:HE1:SE0] takes: [ 103.613385][ C0] ffff8880126d3c68 (slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1bf/0x9e0 [ 103.617415][ C0] {SOFTIRQ-ON-W} state was registered at: [ 103.619807][ C0] lock_acquire+0x106/0x350 [ 103.621824][ C0] _raw_spin_lock_nested+0x32/0x50 [ 103.624168][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 103.626269][ C0] pep_do_rcv+0x685/0xaa0 [ 103.628189][ C0] __release_sock+0x297/0x3a0 [ 103.630322][ C0] release_sock+0x190/0x260 [ 103.632253][ C0] pep_sock_accept+0xdf5/0x12b0 [ 103.634321][ C0] pn_socket_accept+0xc9/0x2e0 [ 103.636506][ C0] do_accept+0x521/0x760 [ 103.638259][ C0] __sys_accept4+0x139/0x230 [ 103.640162][ C0] __x64_sys_accept4+0x9a/0xb0 [ 103.642110][ C0] do_syscall_64+0x15f/0xf80 [ 103.644108][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.646522][ C0] irq event stamp: 798 [ 103.648287][ C0] hardirqs last enabled at (798): [] _raw_spin_unlock_irq+0x23/0x50 [ 103.652226][ C0] hardirqs last disabled at (797): [] _raw_spin_lock_irq+0x17/0x50 [ 103.656820][ C0] softirqs last enabled at (792): [] netif_rx+0x79/0x90 [ 103.660456][ C0] softirqs last disabled at (793): [] do_softirq+0x76/0xd0 [ 103.664213][ C0] [ 103.664213][ C0] other info that might help us debug this: [ 103.668210][ C0] 
Possible unsafe locking scenario: [ 103.668210][ C0] [ 103.672378][ C0] CPU0 [ 103.674144][ C0] ---- [ 103.675643][ C0] lock(slock-AF_PHONET/1); [ 103.678308][ C0] <Interrupt> [ 103.680256][ C0] lock(slock-AF_PHONET/1); [ 103.682945][ C0] [ 103.682945][ C0] *** DEADLOCK *** [ 103.682945][ C0] [ 103.687083][ C0] 5 locks held by syz.0.0/5332: [ 103.689193][ C0] #0: ffff88801f054840 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: sock_close+0x9b/0x240 [ 103.693676][ C0] #1: ffff8880126d4360 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: pep_sock_close+0x86/0x5b0 [ 103.698378][ C0] #2: ffffffff8e95cca0 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x3eb/0x1950 [ 103.702790][ C0] #3: ffff8880126d4968 (slock-AF_PHONET){+.-.}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 [ 103.707113][ C0] #4: ffff8880126d49e0 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: phonet_rcv+0x781/0xc40 [ 103.711295][ C0] [ 103.711295][ C0] stack backtrace: [ 103.713991][ C0] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 103.714007][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 103.714014][ C0] Call Trace: [ 103.714021][ C0] <IRQ> [ 103.714027][ C0] dump_stack_lvl+0xe8/0x150 [ 103.714042][ C0] print_usage_bug+0x28b/0x2e0 [ 103.714056][ C0] mark_lock_irq+0x410/0x420 [ 103.714068][ C0] ? pep_sock_accept+0xdf5/0x12b0 [ 103.714082][ C0] ? pn_socket_accept+0xc9/0x2e0 [ 103.714092][ C0] ? __sys_accept4+0x139/0x230 [ 103.714103][ C0] ? __x64_sys_accept4+0x9a/0xb0 [ 103.714113][ C0] ? do_syscall_64+0x15f/0xf80 [ 103.714129][ C0] mark_lock+0x115/0x190 [ 103.714140][ C0] __lock_acquire+0x689/0x2cf0 [ 103.714152][ C0] ? sk_filter_trim_cap+0x1a7/0xe70 [ 103.714169][ C0] ? sk_filter_trim_cap+0x91e/0xe70 [ 103.714183][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 103.714194][ C0] lock_acquire+0x106/0x350 [ 103.714204][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 103.714216][ C0] _raw_spin_lock_nested+0x32/0x50 [ 103.714230][ C0] ? 
__sk_receive_skb+0x1bf/0x9e0 [ 103.714239][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 103.714251][ C0] pep_do_rcv+0x685/0xaa0 [ 103.714264][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 103.714278][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 103.714290][ C0] ? phonet_rcv+0x781/0xc40 [ 103.714302][ C0] __sk_receive_skb+0x962/0x9e0 [ 103.714314][ C0] phonet_rcv+0x781/0xc40 [ 103.714330][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 103.714342][ C0] ? process_backlog+0x3eb/0x1950 [ 103.714353][ C0] ? process_backlog+0x3eb/0x1950 [ 103.714363][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 103.714375][ C0] ? process_backlog+0x3eb/0x1950 [ 103.714384][ C0] process_backlog+0xc66/0x1950 [ 103.714400][ C0] __napi_poll+0xae/0x340 [ 103.714409][ C0] ? skb_defer_free_flush+0x233/0x260 [ 103.714420][ C0] net_rx_action+0x627/0xf70 [ 103.714430][ C0] ? lock_acquire+0x106/0x350 [ 103.714445][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 103.714460][ C0] handle_softirqs+0x22a/0x840 [ 103.714472][ C0] ? do_softirq+0x76/0xd0 [ 103.714482][ C0] ? netif_rx+0x79/0x90 [ 103.714496][ C0] do_softirq+0x76/0xd0 [ 103.714514][ C0] </IRQ> [ 103.714517][ C0] <TASK> [ 103.714521][ C0] __local_bh_enable_ip+0xf8/0x130 [ 103.714532][ C0] netif_rx+0x83/0x90 [ 103.714544][ C0] pn_send+0x62a/0x8e0 [ 103.714559][ C0] pn_skb_send+0x218/0x510 [ 103.714572][ C0] pep_sock_close+0x2c1/0x5b0 [ 103.714587][ C0] pn_socket_release+0x9b/0xc0 [ 103.714598][ C0] sock_close+0xc3/0x240 [ 103.714614][ C0] ? __pfx_sock_close+0x10/0x10 [ 103.714628][ C0] __fput+0x44f/0xa60 [ 103.714641][ C0] task_work_run+0x1d9/0x270 [ 103.714657][ C0] ? __pfx_task_work_run+0x10/0x10 [ 103.714673][ C0] exit_to_user_mode_loop+0xf3/0x4d0 [ 103.714684][ C0] ? rcu_is_watching+0x15/0xb0 [ 103.714698][ C0] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.714709][ C0] do_syscall_64+0x33e/0xf80 [ 103.714721][ C0] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.714732][ C0] ? 
clear_bhb_loop+0x40/0x90 [ 103.714743][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.714754][ C0] RIP: 0033:0x7f351d99ce59 [ 103.714765][ C0] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 103.714774][ C0] RSP: 002b:00007f351e851fe8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 103.714787][ C0] RAX: 0000000000000000 RBX: 00007f351dc15fa0 RCX: 00007f351d99ce59 [ 103.714795][ C0] RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000000 [ 103.714801][ C0] RBP: 00007f351da32d6f R08: 0000000000000000 R09: 0000000000000000 [ 103.714807][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 103.714813][ C0] R13: 00007f351dc16038 R14: 00007f351dc15fa0 R15: 00007ffcabedb918 [ 103.714824][ C0] </TASK>