Bluetooth: hci7: unexpected cc 0x0c38 length: 249 > 2
Bluetooth: hci7: command 0x0409 tx timeout
Bluetooth: hci7: command 0x041b tx timeout
Bluetooth: hci7: command 0x040f tx timeout
Bluetooth: hci7: command 0x0419 tx timeout
watchdog: BUG: soft lockup - CPU#1 stuck for 21s! [syz-executor.7:9112]
Modules linked in:
irq event stamp: 19686425
hardirqs last enabled at (19686424): [] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (19686425): [] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last enabled at (19658574): [] __irq_exit_rcu+0x11b/0x180
softirqs last disabled at (19658577): [] __irq_exit_rcu+0x11b/0x180
CPU: 1 PID: 9112 Comm: syz-executor.7 Not tainted 6.1.0-rc6-next-20221123 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:unwind_next_frame+0x1fd/0x2130
Code: 48 89 54 24 28 48 89 74 24 20 44 89 5c 24 18 e8 29 4e 6a 00 48 8b 54 24 28 48 8b 74 24 20 44 8b 5c 24 18 8b 0c 95 94 84 49 86 <8d> 56 01 48 b8 00 00 00 00 00 fc ff df 48 8d 3c 95 94 84 49 86 49
RSP: 0018:ffff88806cf09648 EFLAGS: 00000246
RAX: 0000000000000003 RBX: 0000000000000002 RCX: 0000000000003b05
RDX: 0000000000000b95 RSI: 0000000000000b95 RDI: ffffffff8649b2e8
RBP: ffff88806cf09770 R08: ffffffff86058040 R09: ffffffff86058044
R10: ffffed100d9e12f0 R11: 0000000000038001 R12: ffff88806cf09759
R13: ffff88806cf09778 R14: ffff88806cf09718 R15: ffffffff810b9572
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056354d85ff8c CR3: 0000000019166000 CR4: 0000000000350ee0
Call Trace:
__unwind_start+0x513/0x7c0
arch_stack_walk+0x63/0xf0
stack_trace_save+0x90/0xd0
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x5c/0x70
kmem_cache_alloc_node+0x1f4/0x420
__alloc_skb+0x21a/0x310
skb_copy+0x13d/0x3d0
mac80211_hwsim_tx_frame_no_nl.isra.0+0xb6d/0x1360
mac80211_hwsim_tx_frame+0x1ee/0x2a0
mac80211_hwsim_beacon_tx+0x566/0xab0
__iterate_interfaces+0x2d3/0x560
ieee80211_iterate_active_interfaces_atomic+0x74/0x180
mac80211_hwsim_beacon+0x105/0x200
__hrtimer_run_queues+0x54b/0xba0
hrtimer_run_softirq+0x176/0x350
__do_softirq+0x1c7/0x8f9
__irq_exit_rcu+0x11b/0x180
irq_exit_rcu+0x9/0x30
sysvec_apic_timer_interrupt+0x92/0xc0
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:folio_memcg_lock+0x4/0x4a0
Code: aa fd ff ff e8 cd c7 fd ff e9 ca fd ff ff 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 <55> 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 7d d0 e8
RSP: 0018:ffff888018c176c8 EFLAGS: 00000246
RAX: ffffea00007eb488 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffffd40000fd699 RSI: ffffffff8172594f RDI: ffffea00007eb4c0
RBP: ffffea00007eb4c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800ce780d0
R13: ffffea00007eb4c0 R14: ffffea00007eb4f0 R15: ffff888018c17ad8
page_remove_rmap+0x57/0x620
unmap_page_range+0x1fdf/0x2c10
unmap_single_vma+0x190/0x2a0
unmap_vmas+0x226/0x380
exit_mmap+0x158/0x680
mmput+0xd5/0x390
do_exit+0x99b/0x2720
do_group_exit+0xd4/0x2a0
get_signal+0x21a5/0x22e0
arch_do_signal_or_restart+0x79/0x5a0
exit_to_user_mode_prepare+0x131/0x1a0
syscall_exit_to_user_mode+0x1d/0x50
do_syscall_64+0x4c/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fb85f4c8b19
Code: Unable to access opcode bytes at 0x7fb85f4c8aef.
RSP: 002b:00007fb85ca3e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: 0000000000000005 RBX: 00007fb85f5dbf60 RCX: 00007fb85f4c8b19
RDX: 0000000000000000 RSI: 0000000020000640 RDI: ffffffffffffff9c
RBP: 00007fb85f522f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff8244df4f R14: 00007fb85ca3e300 R15: 0000000000022000
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 9122 Comm: syz-executor.1 Not tainted 6.1.0-rc6-next-20221123 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:kvm_guest_apic_eoi_write+0x4/0xe0
Code: 48 c1 e2 03 e9 9d d0 6a 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <53> 48 c7 c3 88 82 02 00 48 83 ec 08 e8 fb f9 2c 03 48 ba 00 00 00
RSP: 0018:ffff88806ce09938 EFLAGS: 00000046
RAX: ffffffff81124260 RBX: 0000000000000000 RCX: 1ffffffff0f382e8
RDX: 1ffffffff0a54790 RSI: 0000000000000000 RDI: 00000000000000b0
RBP: ffffffff852a3c80 R08: 0000000000000000 R09: ffffffff85d11e57
R10: fffffbfff0ba23ca R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8e81333158 CR3: 000000001912a000 CR4: 0000000000350ef0
Call Trace:
__sysvec_apic_timer_interrupt+0x86/0x500
sysvec_apic_timer_interrupt+0x3f/0xc0
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:queued_spin_lock_slowpath+0x128/0xc80
Code: 00 00 00 65 48 2b 04 25 28 00 00 00 0f 85 cd 0a 00 00 48 81 c4 88 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 de 1f 00 00 f3 90 71 ff ff ff 44 8b 74 24 48 41 81 fe 00 01 00 00 0f 84 e5 00 00
RSP: 0018:ffff88806ce09a28 EFLAGS: 00000202
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff8441502b
RDX: fffffbfff0b48e8d RSI: 0000000000000004 RDI: ffffffff85a47460
RBP: ffffffff85a47460 R08: 0000000000000000 R09: ffffffff85a47463
R10: fffffbfff0b48e8c R11: 0000000000000001 R12: 0000000000000003
R13: fffffbfff0b48e8c R14: 0000000000000001 R15: 1ffff1100d9c1346
do_raw_spin_lock+0x1e0/0x270
mac80211_hwsim_tx_frame_no_nl.isra.0+0x6f1/0x1360
mac80211_hwsim_tx_frame+0x1ee/0x2a0
mac80211_hwsim_beacon_tx+0x566/0xab0
__iterate_interfaces+0x2d3/0x560
ieee80211_iterate_active_interfaces_atomic+0x74/0x180
mac80211_hwsim_beacon+0x105/0x200
__hrtimer_run_queues+0x54b/0xba0
hrtimer_run_softirq+0x176/0x350
__do_softirq+0x1c7/0x8f9
__irq_exit_rcu+0x11b/0x180
irq_exit_rcu+0x9/0x30
sysvec_apic_timer_interrupt+0x92/0xc0
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:kmem_cache_free+0xe2/0x610
Code: 25 48 89 df e8 3f d9 c2 02 eb 1b 41 8b 47 08 89 c2 81 e2 00 00 80 00 49 83 7f 48 00 0f 84 1a 02 00 00 85 d2 74 db 41 8b 77 1c <48> 89 df e8 d6 96 ae ff 31 c9 48 8b 55 08 48 89 de 4c 89 ff e8 85
RSP: 0018:ffff88803df879f0 EFLAGS: 00000286
RAX: 0000000000e76e4d RBX: ffff88800eb32680 RCX: ffffffff812b6c4f
RDX: 0000000000000000 RSI: 0000000000000090 RDI: 0000000000000000
RBP: ffff88803df87a28 R08: 0000000000000001 R09: ffffffff8763486f
R10: fffffbfff0ec690d R11: 0000000000000001 R12: ffffea00003acc80
R13: ffffffff817089a3 R14: ffff8880438b9800 R15: ffff888008c8cc80
exit_mmap+0x253/0x680
mmput+0xd5/0x390
do_exit+0x99b/0x2720
do_group_exit+0xd4/0x2a0
get_signal+0x21a5/0x22e0
arch_do_signal_or_restart+0x79/0x5a0
exit_to_user_mode_prepare+0x131/0x1a0
syscall_exit_to_user_mode+0x1d/0x50
do_syscall_64+0x4c/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f64dfe41b19
Code: Unable to access opcode bytes at 0x7f64dfe41aef.
RSP: 002b:00007f64dd3b7188 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: 0000000000000005 RBX: 00007f64dff54f60 RCX: 00007f64dfe41b19
RDX: 0000000000000000 RSI: 0000000020000640 RDI: ffffffffffffff9c
RBP: 00007f64dfe9bf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec9489d7f R14: 00007f64dd3b7300 R15: 0000000000022000
Bluetooth: hci0: command 0x0406 tx timeout
Bluetooth: hci3: command 0x0406 tx timeout
----------------
Code disassembly (best guess):
0: 48 89 54 24 28 mov %rdx,0x28(%rsp)
5: 48 89 74 24 20 mov %rsi,0x20(%rsp)
a: 44 89 5c 24 18 mov %r11d,0x18(%rsp)
f: e8 29 4e 6a 00 callq 0x6a4e3d
14: 48 8b 54 24 28 mov 0x28(%rsp),%rdx
19: 48 8b 74 24 20 mov 0x20(%rsp),%rsi
1e: 44 8b 5c 24 18 mov 0x18(%rsp),%r11d
23: 8b 0c 95 94 84 49 86 mov -0x79b67b6c(,%rdx,4),%ecx
* 2a: 8d 56 01 lea 0x1(%rsi),%edx <-- trapping instruction
2d: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
34: fc ff df
37: 48 8d 3c 95 94 84 49 lea -0x79b67b6c(,%rdx,4),%rdi
3e: 86
3f: 49 rex.WB