watchdog: BUG: soft lockup - CPU#0 stuck for 24s! [syz-executor.5:19127]
Modules linked in:
irq event stamp: 8059105
hardirqs last  enabled at (8059104): [<ffffffff8440144a>] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (8059105): [<ffffffff843bd71f>] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last  enabled at (8058712): [<ffffffff8117fe6b>] __irq_exit_rcu+0x11b/0x180
softirqs last disabled at (8058715): [<ffffffff8117fe6b>] __irq_exit_rcu+0x11b/0x180
CPU: 0 PID: 19127 Comm: syz-executor.5 Not tainted 6.1.0-rc4-next-20221108 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ieee80211_prepare_and_rx_handle+0x8fc/0x5d10
Code: 70 85 c0 0f 84 00 0f 00 00 e8 90 c2 41 fd 48 8d bd ba 0b 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 <48> 89 f8 83 e0 07 83 c0 03 38 d0 7c 09 84 d2 74 05 e8 1e 96 75 fd
RSP: 0018:ffff88806d009a88 EFLAGS: 00000212
RAX: dffffc0000000000 RBX: ffff888035f96050 RCX: 0000000000000100
RDX: 0000000000000000 RSI: ffffffff8406cd60 RDI: ffff88801eb256fa
RBP: ffff88801eb24b40 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000001 R14: ffff88806d009d70 R15: ffff88801e959780
FS:  0000000000000000(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000558c2c199648 CR3: 000000000ea9e000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 ieee80211_rx_for_interface+0x141/0x3b0
 ieee80211_rx_list+0x18b1/0x2e90
 ieee80211_rx_napi+0xdf/0x380
 ieee80211_tasklet_handler+0xd8/0x140
 tasklet_action_common.constprop.0+0x208/0x2f0
 __do_softirq+0x1c7/0x8f9
 __irq_exit_rcu+0x11b/0x180
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:kasan_check_range+0x179/0x1d0
Code: ff ff 41 bb 01 00 00 00 5b 5d 44 89 d8 41 5c e9 e1 c7 c1 02 48 85 d2 74 e9 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 db 80 38 00 <74> f2 e9 64 ff ff ff 41 bb 01 00 00 00 44 89 d8 e9 b6 c7 c1 02 48
RSP: 0018:ffff8880169af610 EFLAGS: 00000246
RAX: fffff940001a5500 RBX: fffff940001a5501 RCX: ffffffff817835df
RDX: fffff940001a5501 RSI: 0000000000000008 RDI: ffffea0000d2a800
RBP: fffff940001a5500 R08: 0000000000000000 R09: ffffea0000d2a807
R10: fffff940001a5500 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88801e655410 R14: dffffc0000000000 R15: dffffc0000000000
 PageHuge+0x1f/0x230
 page_remove_rmap+0x8f/0x780
 unmap_page_range+0x1c8c/0x2c20
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x226/0x380
 exit_mmap+0x158/0x680
 mmput+0xd5/0x390
 do_exit+0x99b/0x2720
 do_group_exit+0xd4/0x2a0
 get_signal+0x21a5/0x22e0
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0x131/0x1a0
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fc6164a1c27
Code: Unable to access opcode bytes at 0x7fc6164a1bfd.
RSP: 002b:00007fc613a17fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fc6164a1c27
RDX: 0000000000000000 RSI: 00000000000001ff RDI: 0000000020000100
RBP: 00007fc613a18040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000020000100 R14: 00007fc613a18000 R15: 0000000000000000
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 19129 Comm: syz-executor.3 Not tainted 6.1.0-rc4-next-20221108 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:lapic_next_deadline+0x25/0x50
Code: 90 90 90 90 90 f3 0f 1e fa 0f ae f0 0f ae e8 0f 31 48 c1 e2 20 b9 e0 06 00 00 48 09 c2 48 8d 04 fa 48 89 c2 48 c1 ea 20 0f 30 <66> 90 31 c0 e9 b6 35 2e 03 48 89 c6 31 d2 bf e0 06 00 00 e8 a3 22
RSP: 0018:ffff88806d1098c0 EFLAGS: 00000012
RAX: 000002022432084c RBX: 0000000000000000 RCX: 00000000000006e0
RDX: 0000000000000202 RSI: ffff88806d128100 RDI: 00000000000004db
RBP: ffff88806d128100 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000de7 R11: 0000000000000001 R12: 00000000000004db
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88806d12b600
FS:  0000000000000000(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f97059fa9a0 CR3: 000000000ea9e000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 clockevents_program_event+0x248/0x360
 tick_program_event+0xb0/0x150
 hrtimer_interrupt+0x36a/0x770
 __sysvec_apic_timer_interrupt+0x148/0x500
 sysvec_apic_timer_interrupt+0x3f/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:lock_release+0x3e1/0x750
Code: ff ff ff ff 65 0f c1 05 6d b4 d6 7e 83 f8 01 0f 85 b1 01 00 00 48 f7 04 24 00 02 00 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c5 48 c7 45 00 00 00 00 00 c7 45 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffff88806d109aa8 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 220d1fc2aa28ec11 RCX: ffff88806d109af8
RDX: 1ffff11003d3cb32 RSI: 0000000000000102 RDI: 0000000000000000
RBP: 1ffff1100da21357 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000003 R14: ffff88801e9e5998 R15: ffff88801e9e5040
 _raw_spin_unlock+0x16/0x50
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xc0b/0x1360
 mac80211_hwsim_tx_frame+0x1ee/0x2a0
 mac80211_hwsim_beacon_tx+0x566/0xab0
 __iterate_interfaces+0x2d3/0x560
 ieee80211_iterate_active_interfaces_atomic+0x74/0x180
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x541/0xb50
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x1c7/0x8f9
 __irq_exit_rcu+0x11b/0x180
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:finish_task_switch.isra.0+0x237/0x8a0
Code: 89 ff 48 c7 03 00 00 00 00 e8 e5 2b 1c 03 4d 85 e4 75 ba 4c 89 ff e8 58 07 1c 03 e8 33 ab 2d 00 fb 65 48 8b 1c 25 c0 86 03 00 <48> 8d bb e8 13 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffff8880377e7560 EFLAGS: 00000202
RAX: 00000000002dd9b9 RBX: ffff88801e9e5040 RCX: ffffffff812b312f
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff8880377e75a0 R08: 0000000000000001 R09: ffffffff8742382f
R10: fffffbfff0e84705 R11: 0000000000000001 R12: ffff88806d139058
R13: ffff888008979ac0 R14: ffff888019c20880 R15: ffff88806d139040
 __schedule+0x92e/0x25d0
 preempt_schedule_common+0x45/0xc0
 __cond_resched+0x1b/0x30
 unmap_page_range+0xd80/0x2c20
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x226/0x380
 exit_mmap+0x158/0x680
 mmput+0xd5/0x390
 do_exit+0x99b/0x2720
 do_group_exit+0xd4/0x2a0
 get_signal+0x21a5/0x22e0
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0x131/0x1a0
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f6c2a571a04
Code: Unable to access opcode bytes at 0x7f6c2a5719da.
RSP: 002b:00007f6c27b34060 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: fffffffffffffffe RBX: 00007f6c2a6d1f60 RCX: 00007f6c2a571a04
RDX: 0000000000000002 RSI: 00007f6c27b340f0 RDI: 00000000ffffff9c
RBP: 00007f6c27b340f0 R08: 0000000000000000 R09: 00007f6c27b33f70
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000002
R13: 00007ffc0d6a9b1f R14: 00007f6c27b34300 R15: 0000000000022000
 </TASK>
Bluetooth: hci4: command 0x0406 tx timeout
----------------
Code disassembly (best guess):
   0:	70 85                	jo     0xffffff87
   2:	c0 0f 84             	rorb   $0x84,(%rdi)
   5:	00 0f                	add    %cl,(%rdi)
   7:	00 00                	add    %al,(%rax)
   9:	e8 90 c2 41 fd       	callq  0xfd41c29e
   e:	48 8d bd ba 0b 00 00 	lea    0xbba(%rbp),%rdi
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	48 89 fa             	mov    %rdi,%rdx
  22:	48 c1 ea 03          	shr    $0x3,%rdx
  26:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx
* 2a:	48 89 f8             	mov    %rdi,%rax <-- trapping instruction
  2d:	83 e0 07             	and    $0x7,%eax
  30:	83 c0 03             	add    $0x3,%eax
  33:	38 d0                	cmp    %dl,%al
  35:	7c 09                	jl     0x40
  37:	84 d2                	test   %dl,%dl
  39:	74 05                	je     0x40
  3b:	e8 1e 96 75 fd       	callq  0xfd75965e