watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor.5:9926] Modules linked in: irq event stamp: 6939217 hardirqs last enabled at (6939216): [] asm_sysvec_apic_timer_interrupt+0x16/0x20 hardirqs last disabled at (6939217): [] sysvec_apic_timer_interrupt+0xb/0xc0 softirqs last enabled at (6916056): [] __irq_exit_rcu+0x11b/0x180 softirqs last disabled at (6916059): [] __irq_exit_rcu+0x11b/0x180 CPU: 0 PID: 9926 Comm: syz-executor.5 Not tainted 5.19.0-rc6-next-20220713 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:unwind_next_frame+0x1c5/0x20b0 Code: 8d 43 ff 39 c6 0f 83 18 15 00 00 48 b8 00 00 00 00 00 fc ff df 89 f2 48 8d 3c 95 50 ff 03 86 48 89 f9 48 c1 e9 03 0f b6 0c 01 <48> 89 f8 83 e0 07 83 c0 03 38 c8 7c 27 84 c9 74 23 48 89 54 24 28 RSP: 0018:ffff88806ce09870 EFLAGS: 00000216 RAX: dffffc0000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000031c20 RSI: 0000000000031c20 RDI: ffffffff86106fd0 RBP: ffff88806ce09948 R08: ffffffff850c3ac0 R09: ffffffff85c24c10 R10: ffffed100d9c132b R11: 000000000003403c R12: ffff88806ce09931 R13: ffff88806ce09950 R14: ffff88806ce098f0 R15: ffffffff841c201d FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8b58f09bf0 CR3: 000000000f6bc000 CR4: 0000000000350ef0 Call Trace: arch_stack_walk+0x83/0xf0 stack_trace_save+0x8c/0xc0 __create_object.isra.0+0x389/0xc10 __kmalloc_node_track_caller+0x284/0x480 __alloc_skb+0xdd/0x300 skb_copy+0x139/0x3c0 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb6d/0x1440 mac80211_hwsim_tx_frame+0x1ee/0x2a0 mac80211_hwsim_beacon_tx+0x53b/0xa10 __iterate_interfaces+0x2d3/0x560 ieee80211_iterate_active_interfaces_atomic+0x70/0x180 mac80211_hwsim_beacon+0x101/0x200 __hrtimer_run_queues+0x5de/0xbd0 hrtimer_run_softirq+0x172/0x340 __do_softirq+0x1c8/0x8d0 __irq_exit_rcu+0x11b/0x180 irq_exit_rcu+0x5/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:folio_memcg_lock+0x1/0x4a0 Code: e8 64 da fd ff e9 9e fc ff ff e8 5a da fd ff e9 02 fd ff ff e8 50 da fd ff e9 c8 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 55 <48> 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 7d d0 e8 e6 RSP: 0018:ffff88801b8e7628 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 1ffffd40001d1219 RSI: ffffffff816d35e6 RDI: ffffea0000e890c0 RBP: ffffea0000e890c0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: ffff88800ddf91a0 R14: ffff888009dd9820 R15: dffffc0000000000 page_remove_rmap+0x1e/0x490 unmap_page_range+0xe8f/0x2720 unmap_single_vma+0x190/0x350 unmap_vmas+0x21e/0x370 exit_mmap+0x154/0x680 mmput+0xd1/0x390 do_exit+0x9e0/0x27a0 do_group_exit+0xd2/0x2f0 get_signal+0x2205/0x24b0 arch_do_signal_or_restart+0x89/0x1be0 exit_to_user_mode_prepare+0x131/0x1a0 syscall_exit_to_user_mode+0x19/0x40 do_syscall_64+0x48/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f69712b8b19 Code: Unable to access opcode bytes at RIP 0x7f69712b8aef. RSP: 002b:00007f696e82e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: 0000000000002000 RBX: 00007f69713cbf60 RCX: 00007f69712b8b19 RDX: 0000000000041030 RSI: 0000000020000080 RDI: 0000000000000004 RBP: 00007f6971312f6d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe34851b6f R14: 00007f696e82e300 R15: 0000000000022000 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 9918 Comm: syz-executor.4 Not tainted 5.19.0-rc6-next-20220713 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:lock_is_held_type+0x8e/0x130 Code: 31 db e8 15 0d 00 00 41 8b 84 24 70 09 00 00 65 ff 05 7e 4c e6 7b 85 c0 7f 12 e9 87 00 00 00 83 c3 01 41 3b 9c 24 70 09 00 00 <7d> 7a 48 63 c3 48 89 ee 48 8d 04 80 4d 8d 7c c5 00 4c 89 ff e8 89 RSP: 0018:ffff88806cf096f8 EFLAGS: 00000093 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffff85204fe0 RDI: ffff88803806bf20 RBP: ffffffff85204fe0 R08: 0000000000000000 R09: ffffffff858ebf57 R10: fffffbfff0b1d7ea R11: 0000000000000001 R12: ffff88803806b580 R13: ffff88803806bef8 R14: 00000000ffffffff R15: ffff88803806bf20 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8b58f0a5a0 CR3: 0000000017a9a000 CR4: 0000000000350ee0 Call Trace: rcu_read_lock_sched_held+0x3e/0x80 lock_release+0x547/0x750 ktime_get_update_offsets_now+0xa8/0x360 hrtimer_interrupt+0x3a1/0x770 __sysvec_apic_timer_interrupt+0x144/0x500 sysvec_apic_timer_interrupt+0x3b/0xc0 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:__kasan_check_read+0x4/0x10 Code: 0f 0b 48 83 c4 60 5b 5d 41 5c e9 c7 ba c8 02 48 05 00 80 00 00 48 89 fb 48 39 c7 0f 82 e3 cc 96 02 eb dd cc cc cc 48 8b 0c 24 <89> f6 31 d2 e9 b3 f9 ff ff 0f 1f 00 48 8b 0c 24 89 f6 ba 01 00 00 RSP: 0018:ffff88806cf09a00 EFLAGS: 00000202 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff8129dec7 RDX: fffffbfff0ac7669 RSI: 0000000000000004 RDI: ffffffff8563b340 RBP: ffffffff8563b340 R08: 0000000000000000 R09: ffffffff8563b343 R10: fffffbfff0ac7668 R11: 0000000000000001 R12: 0000000000000003 R13: fffffbfff0ac7668 R14: 0000000000000001 R15: 1ffff1100d9e1342 queued_spin_lock_slowpath+0xa7/0xc80 do_raw_spin_lock+0x1dc/0x260 mac80211_hwsim_tx_frame_no_nl.isra.0+0x6f1/0x1440 mac80211_hwsim_tx_frame+0x1ee/0x2a0 mac80211_hwsim_beacon_tx+0x53b/0xa10 __iterate_interfaces+0x2d3/0x560 ieee80211_iterate_active_interfaces_atomic+0x70/0x180 mac80211_hwsim_beacon+0x101/0x200 __hrtimer_run_queues+0x5de/0xbd0 hrtimer_run_softirq+0x172/0x340 __do_softirq+0x1c8/0x8d0 __irq_exit_rcu+0x11b/0x180 irq_exit_rcu+0x5/0x20 sysvec_apic_timer_interrupt+0x8e/0xc0 asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:folio_memcg_lock+0x6e/0x4a0 Code: 4f 02 00 00 0f 1f 44 00 00 48 8b 45 d0 48 83 c0 38 48 89 c2 48 89 45 c0 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 <0f> 85 18 03 00 00 48 8b 45 d0 48 8b 58 38 f6 c3 01 0f 85 8f 01 00 RSP: 0018:ffff88801b8375e0 EFLAGS: 00000246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 1ffffffff09e7715 RDX: 1ffffd40001b3f57 RSI: 0000000000000002 RDI: ffffffff84f3b8a8 RBP: ffff88801b837628 R08: 0000000000000000 R09: ffffffff86a937c7 R10: fffffbfff0d526f8 R11: 0000000000000001 R12: 0000000000000000 R13: ffff88800d1f7750 R14: ffff88803ff45370 R15: dffffc0000000000 page_remove_rmap+0x1e/0x490 unmap_page_range+0xe8f/0x2720 unmap_single_vma+0x190/0x350 unmap_vmas+0x21e/0x370 exit_mmap+0x154/0x680 mmput+0xd1/0x390 do_exit+0x9e0/0x27a0 do_group_exit+0xd2/0x2f0 get_signal+0x2205/0x24b0 arch_do_signal_or_restart+0x89/0x1be0 exit_to_user_mode_prepare+0x131/0x1a0 syscall_exit_to_user_mode+0x19/0x40 do_syscall_64+0x48/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fe1e8104b19 Code: Unable to access opcode bytes at RIP 0x7fe1e8104aef. RSP: 002b:00007fe1e567a188 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: 0000000000000005 RBX: 00007fe1e8217f60 RCX: 00007fe1e8104b19 RDX: 0000000000000042 RSI: 0000000020000100 RDI: ffffffffffffff9c RBP: 00007fe1e815ef6d R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000001ff R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffceb3c83ef R14: 00007fe1e567a300 R15: 0000000000022000 Bluetooth: hci3: command 0x0406 tx timeout Bluetooth: hci2: command 0x0406 tx timeout Bluetooth: hci7: command 0x0406 tx timeout Bluetooth: hci5: command 0x0406 tx timeout Bluetooth: hci0: command 0x0406 tx timeout Bluetooth: hci6: command 0x0406 tx timeout Bluetooth: hci4: command 0x0406 tx timeout ---------------- Code disassembly (best guess): 0: 8d 43 ff lea -0x1(%rbx),%eax 3: 39 c6 cmp %eax,%esi 5: 0f 83 18 15 00 00 jae 0x1523 b: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 12: fc ff df 15: 89 f2 mov %esi,%edx 17: 48 8d 3c 95 50 ff 03 lea -0x79fc00b0(,%rdx,4),%rdi 1e: 86 1f: 48 89 f9 mov %rdi,%rcx 22: 48 c1 e9 03 shr $0x3,%rcx 26: 0f b6 0c 01 movzbl (%rcx,%rax,1),%ecx * 2a: 48 89 f8 mov %rdi,%rax <-- trapping instruction 2d: 83 e0 07 and $0x7,%eax 30: 83 c0 03 add $0x3,%eax 33: 38 c8 cmp %cl,%al 35: 7c 27 jl 0x5e 37: 84 c9 test %cl,%cl 39: 74 23 je 0x5e 3b: 48 89 54 24 28 mov %rdx,0x28(%rsp)