watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [syz-executor.6:9517]
Modules linked in:
irq event stamp: 3482583
hardirqs last enabled at (3482582): [] irqentry_exit+0x3b/0x90
hardirqs last disabled at (3482583): [] sysvec_apic_timer_interrupt+0xf/0x80
softirqs last enabled at (3470240): [] handle_softirqs+0x50c/0x770
softirqs last disabled at (3470243): [] irq_exit_rcu+0x94/0xc0
CPU: 1 UID: 0 PID: 9517 Comm: syz-executor.6 Not tainted 6.12.0-rc3-next-20241016 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ieee80211_scan_rx+0x166/0xac0
Code: 41 5f e9 1d 31 03 fd e8 18 31 03 fd 4c 8d bd 30 1b 00 00 be 08 00 00 00 4c 89 ff e8 54 f4 3c fd f0 48 0f ba b5 30 1b 00 00 06 <41> 0f 92 c5 31 ff 44 89 ee e8 bc 33 03 fd 48 8d 45 40 48 89 04 24
RSP: 0018:ffff88806cf09c38 EFLAGS: 00000246
RAX: 0000000000000001 RBX: ffff888013bdcc80 RCX: ffffffff844e4b1c
RDX: ffffed10075fe52b RSI: 0000000000000008 RDI: ffff88803aff2950
RBP: ffff88803aff0e20 R08: 0000000000000001 R09: ffffed10075fe52a
R10: ffff88803aff2957 R11: ffffffff81518787 R12: ffff888041633050
R13: 0000000000000024 R14: ffff888013bdccf0 R15: ffff88803aff2950
FS: 00007f776f4ef700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7771fc79a8 CR3: 000000003ff7e000 CR4: 0000000000350ef0
Call Trace:
 ieee80211_rx_list+0x21ec/0x2cf0
 ieee80211_rx_napi+0xdc/0x3b0
 ieee80211_handle_queued_frames+0xd9/0x130
 tasklet_action_common+0x235/0x3b0
 handle_softirqs+0x1b1/0x770
 irq_exit_rcu+0x94/0xc0
 sysvec_apic_timer_interrupt+0x70/0x80
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__slab_free+0x91/0x310
Code: 66 85 db 74 05 45 84 d2 74 05 45 84 f6 74 42 41 8b 7f 08 4c 8b 4c 24 58 4c 89 ea 4c 89 e6 4c 8b 44 24 20 e8 c1 a0 ff ff 84 c0 <74> 9d 4c 89 e8 45 89 f5 49 89 c6 45 84 ed 0f 84 ed 00 00 00 48 8d
RSP: 0018:ffff888040ec7b30 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 00000000000d000c RCX: 00000000000d000c
RDX: 00000000000d000d RSI: ffffea000026e540 RDI: 0000000000080000
RBP: ffff888040ec7bd0 R08: ffff888009b95818 R09: 00000000000d000c
R10: ffffea000026e501 R11: 0000000000000000 R12: ffffea000026e540
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888008c4f780
 qlist_free_all+0x50/0x160
 kasan_quarantine_reduce+0x19c/0x230
 __kasan_slab_alloc+0x49/0x70
 kmem_cache_alloc_noprof+0x13d/0x3d0
 __alloc_object+0x2f/0x270
 __create_object+0x1d/0x80
 kmem_cache_alloc_lru_noprof+0x303/0x3c0
 sock_alloc_inode+0x27/0x1d0
 alloc_inode+0x63/0x240
 sock_alloc+0x40/0x270
 __sock_create+0xc1/0x840
 __sys_socket+0x147/0x260
 __x64_sys_socket+0x73/0xb0
 do_syscall_64+0xbf/0x1d0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7771f79b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f776f4ef188 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00007f777208cf60 RCX: 00007f7771f79b19
RDX: 0000000000000001 RSI: 0000000000000003 RDI: 0000000000000002
RBP: 00007f7771fd3f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff093bc27f R14: 00007f776f4ef300 R15: 0000000000022000
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0 skipped: idling at default_idle+0x1e/0x30
9p: Unknown access argument Ày: -22
perf: interrupt took too long (4054 > 4031), lowering kernel.perf_event_max_sample_rate to 49000
perf: interrupt took too long (6360 > 6355), lowering kernel.perf_event_max_sample_rate to 31000
perf: interrupt took too long (7976 > 7950), lowering kernel.perf_event_max_sample_rate to 25000
perf: interrupt took too long (10000 > 9970), lowering kernel.perf_event_max_sample_rate to 20000
perf: interrupt took too long (12511 > 12500), lowering kernel.perf_event_max_sample_rate to 15000
loop2: detected capacity change from 0 to 10
Option ' ®bÊ' to dns_resolver key: bad/missing value
Option ' ®bÊ' to dns_resolver key: bad/missing value
Option ' ®bÊ' to dns_resolver key: bad/missing value
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.7'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.7'.
Option ' ®bÊ' to dns_resolver key: bad/missing value
loop4: detected capacity change from 0 to 128
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.7'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.7'.
loop6: detected capacity change from 0 to 4
EXT4-fs (loop6): Can't read superblock on 2nd try
loop6: detected capacity change from 0 to 4
EXT4-fs (loop6): Can't read superblock on 2nd try
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.7'.
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
loop6: detected capacity change from 0 to 4
EXT4-fs (loop6): Can't read superblock on 2nd try
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
loop6: detected capacity change from 0 to 4
EXT4-fs (loop6): Can't read superblock on 2nd try
loop6: detected capacity change from 0 to 4
EXT4-fs (loop6): Can't read superblock on 2nd try
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
----------------
Code disassembly (best guess):
   0:   41 5f                   pop    %r15
   2:   e9 1d 31 03 fd          jmpq   0xfd033124
   7:   e8 18 31 03 fd          callq  0xfd033124
   c:   4c 8d bd 30 1b 00 00    lea    0x1b30(%rbp),%r15
  13:   be 08 00 00 00          mov    $0x8,%esi
  18:   4c 89 ff                mov    %r15,%rdi
  1b:   e8 54 f4 3c fd          callq  0xfd3cf474
  20:   f0 48 0f ba b5 30 1b    lock btrq $0x6,0x1b30(%rbp)
  27:   00 00 06
* 2a:   41 0f 92 c5             setb   %r13b            <-- trapping instruction
  2e:   31 ff                   xor    %edi,%edi
  30:   44 89 ee                mov    %r13d,%esi
  33:   e8 bc 33 03 fd          callq  0xfd0333f4
  38:   48 8d 45 40             lea    0x40(%rbp),%rax
  3c:   48 89 04 24             mov    %rax,(%rsp)