Bluetooth: hci7: command 0x0406 tx timeout
EXT4-fs (loop7): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
EXT4-fs (loop7): unmounting filesystem 00000000-0000-0000-0000-000000000000.
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor.7:6791]
Modules linked in:
irq event stamp: 4075339
hardirqs last  enabled at (4075338): [] __local_bh_enable_ip+0xa1/0x110
hardirqs last disabled at (4075339): [] sysvec_apic_timer_interrupt+0xf/0x80
softirqs last  enabled at (4071500): [] handle_softirqs+0x50c/0x770
softirqs last disabled at (4071507): [] __irq_exit_rcu+0xc4/0x100
CPU: 0 UID: 0 PID: 6791 Comm: syz-executor.7 Not tainted 6.12.0-next-20241122 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__rhashtable_lookup+0x2a6/0x7d0
Code: 24 58 4c 89 6c 24 18 48 c1 e8 03 4c 01 e0 48 89 44 24 20 49 8d 45 16 48 89 44 24 28 48 c1 e8 03 48 89 44 24 30 e8 da 09 04 fd <48> 8b 44 24 20 80 38 00 0f 85 c1 04 00 00 48 8b 44 24 08 4c 8b 30
RSP: 0018:ffff88806ce09a10 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff844df7fa
RDX: ffff888018c21b80 RSI: ffffffff844df846 RDI: 0000000000000005
RBP: 0000000000000001 R08: 000000004b90a625 R09: fffffbfff0fdddec
R10: 0000000000000000 R11: 00000000000c398f R12: dffffc0000000000
R13: ffff888040b11758 R14: ffff888040b11758 R15: ffff88800bd31300
FS:  00007fe4c0bc4700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007facab316b40 CR3: 00000000151f8000 CR4: 0000000000350ef0
Call Trace:
 sta_info_get_bss+0x12d/0x450
 ieee80211_rx_for_interface+0x154/0x200
 ieee80211_rx_list+0x1bec/0x2840
 ieee80211_rx_napi+0xdc/0x3b0
 ieee80211_handle_queued_frames+0xd9/0x130
 tasklet_action_common+0x235/0x3b0
 handle_softirqs+0x1b1/0x770
 __irq_exit_rcu+0xc4/0x100
 irq_exit_rcu+0x9/0x20
 sysvec_apic_timer_interrupt+0x70/0x80
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:vmalloc_to_page+0x95/0x650
Code: 0d ac d5 fd 03 48 89 d8 48 d3 e8 25 ff 01 00 00 48 8d 6c c5 00 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 <0f> 85 27 05 00 00 48 8b 6d 00 eb 31 cc cc cc e8 87 15 d2 ff 48 89
RSP: 0018:ffff88804154f9f8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffe8ffffc0056c RCX: 0000000000000027
RDX: 1ffffffff0b50dd1 RSI: ffffffff817fec06 RDI: ffffe8ffffc0056c
RBP: ffffffff85a86e88 R08: 0000000000000001 R09: fffffbfff0fdddf9
R10: ffffffff87eeefcf R11: 00000000000000c0 R12: 0000607f92e0056c
R13: ffff88806ce3d000 R14: ffff88806dec6840 R15: 0000000000000003
 free_percpu+0x169/0x11a0
 percpu_counter_destroy_many+0x188/0x2b0
 ext4_percpu_param_destroy+0x2b/0x70
 ext4_put_super+0x2c1/0xdd0
 generic_shutdown_super+0x162/0x4f0
 kill_block_super+0x3b/0x90
 ext4_kill_sb+0x6c/0xb0
 deactivate_locked_super+0xbf/0x1a0
 deactivate_super+0xb1/0xd0
 cleanup_mnt+0x2df/0x430
 task_work_run+0x173/0x280
 get_signal+0x1cf/0x2320
 arch_do_signal_or_restart+0x81/0x780
 syscall_exit_to_user_mode+0x123/0x1e0
 do_syscall_64+0xcc/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe4c367104a
Code: 48 c7 c2 bc ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 b8 04 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe4c0bc3fa8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffec RBX: 0000000020000200 RCX: 00007fe4c367104a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fe4c0bc4000
RBP: 00007fe4c0bc4040 R08: 00007fe4c0bc4040 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000020000000
R13: 0000000020000100 R14: 00007fe4c0bc4000 R15: 0000000020012c00
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1 skipped: idling at default_idle+0x1e/0x30
----------------
Code disassembly (best guess):
   0:	24 58                	and    $0x58,%al
   2:	4c 89 6c 24 18       	mov    %r13,0x18(%rsp)
   7:	48 c1 e8 03          	shr    $0x3,%rax
   b:	4c 01 e0             	add    %r12,%rax
   e:	48 89 44 24 20       	mov    %rax,0x20(%rsp)
  13:	49 8d 45 16          	lea    0x16(%r13),%rax
  17:	48 89 44 24 28       	mov    %rax,0x28(%rsp)
  1c:	48 c1 e8 03          	shr    $0x3,%rax
  20:	48 89 44 24 30       	mov    %rax,0x30(%rsp)
  25:	e8 da 09 04 fd       	callq  0xfd040a04
* 2a:	48 8b 44 24 20       	mov    0x20(%rsp),%rax		<-- trapping instruction
  2f:	80 38 00             	cmpb   $0x0,(%rax)
  32:	0f 85 c1 04 00 00    	jne    0x4f9
  38:	48 8b 44 24 08       	mov    0x8(%rsp),%rax
  3d:	4c 8b 30             	mov    (%rax),%r14