watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [syz-executor.2:58769]
Modules linked in:
irq event stamp: 4317439
hardirqs last  enabled at (4317438): [<ffffffff8460144a>] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (4317439): [<ffffffff844024af>] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last  enabled at (4312526): [<ffffffff81182e7b>] __irq_exit_rcu+0x11b/0x180
softirqs last disabled at (4312529): [<ffffffff81182e7b>] __irq_exit_rcu+0x11b/0x180
CPU: 1 PID: 58769 Comm: syz-executor.2 Not tainted 6.1.0-next-20221214 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:unwind_next_frame+0x348/0x2130
Code: 8e c7 15 00 00 41 c6 46 40 01 49 c7 c0 80 4b 4c 85 48 b8 00 00 00 00 00 fc ff df 4d 8d 48 04 4c 89 ca 48 c1 ea 03 0f b6 04 02 <4c> 89 ca 83 e2 07 38 d0 7f 08 84 c0 0f 85 e4 14 00 00 41 0f b6 40
RSP: 0018:ffff88806cf096d0 EFLAGS: 00000213
RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffffffff810ba4c2
RDX: 1ffffffff0c0878a RSI: ffffffff86043c38 RDI: ffffffff85d4cbcc
RBP: ffff88806cf097f8 R08: ffffffff86043c50 R09: ffffffff86043c54
R10: ffffed100d9e1301 R11: 0000000000038001 R12: ffff88806cf097e1
R13: ffff88806cf09800 R14: ffff88806cf097a0 R15: ffffffff810ba4c2
FS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffede75e910 CR3: 000000000ff90000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 __unwind_start+0x513/0x7c0
 arch_stack_walk+0x63/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 __kasan_slab_alloc+0x5c/0x70
 kmem_cache_alloc_node+0x1f5/0x420
 __alloc_skb+0x21a/0x310
 __netdev_alloc_skb+0x76/0x3e0
 __ieee80211_beacon_get+0x3d9/0x1310
 ieee80211_beacon_get_tim+0x99/0x4f0
 mac80211_hwsim_beacon_tx+0x1d2/0xab0
 __iterate_interfaces+0x2d3/0x560
 ieee80211_iterate_active_interfaces_atomic+0x74/0x180
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xc70
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x1c7/0x8f9
 __irq_exit_rcu+0x11b/0x180
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:finish_task_switch.isra.0+0x237/0x8a0
Code: 89 ff 48 c7 03 00 00 00 00 e8 65 33 20 03 4d 85 e4 75 ba 4c 89 ff e8 d8 0e 20 03 e8 33 10 2e 00 fb 65 48 8b 1c 25 00 89 03 00 <48> 8d bb e8 13 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffff88804c92f560 EFLAGS: 00000202
RAX: 000000000000b6d5 RBX: ffff88804f54b580 RCX: ffffffff812b740f
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff88804c92f5a0 R08: 0000000000000001 R09: ffffffff876348ef
R10: fffffbfff0ec691d R11: 0000000000000001 R12: ffff88806cf39298
R13: ffff88801c433580 R14: ffff8880167bdd80 R15: ffff88806cf39280
 __schedule+0x92e/0x25d0
 preempt_schedule_common+0x45/0xc0
 __cond_resched+0x1b/0x30
 unmap_page_range+0xd7d/0x2c10
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x226/0x380
 exit_mmap+0x158/0x680
 mmput+0xd5/0x390
 do_exit+0x99b/0x2760
 do_group_exit+0xd4/0x2a0
 get_signal+0x21b7/0x22f0
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0x131/0x1a0
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fc0114e9b19
Code: Unable to access opcode bytes at 0x7fc0114e9aef.
RSP: 002b:00007fc00ea5f218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fc0115fcf68 RCX: 00007fc0114e9b19
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc0115fcf68
RBP: 00007fc0115fcf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc0115fcf6c
R13: 00007fff36d9d57f R14: 00007fc00ea5f300 R15: 0000000000022000
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 59784 Comm: syz-executor.4 Not tainted 6.1.0-next-20221214 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__ieee80211_beacon_get+0x2a6/0x1310
Code: 48 8d 7b 20 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 01 0f 8e e2 0b 00 00 44 0f b7 73 20 <31> ff 44 89 f6 e8 c0 ab 3b fd 66 45 85 f6 74 7b e8 b5 af 3b fd 31
RSP: 0018:ffff88806ce09bf8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff88800d25c200 RCX: 0000000000000100
RDX: 1ffff11001a4b844 RSI: ffffffff840d79dc RDI: ffff88800d25c220
RBP: ffff88801e2aa2e8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88801e2a9e88
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888009560de0
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564dae67a628 CR3: 000000000dbce000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 ieee80211_beacon_get_tim+0x99/0x4f0
 mac80211_hwsim_beacon_tx+0x1d2/0xab0
 __iterate_interfaces+0x2d3/0x560
 ieee80211_iterate_active_interfaces_atomic+0x74/0x180
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xc70
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x1c7/0x8f9
 __irq_exit_rcu+0x11b/0x180
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x8/0x20
Code: 00 00 00 e9 2a fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 0c 24 <48> 89 f2 48 89 fe bf 07 00 00 00 e9 f8 fd ff ff 0f 1f 84 00 00 00
RSP: 0018:ffff888035bd76f8 EFLAGS: 00000246
RAX: 1ffffd4000214f91 RBX: 0000000000000000 RCX: ffffffff816d1689
RDX: ffff888049759ac0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff888048bd3ab8
R13: ffffea00010a7c80 R14: 0000000000000000 R15: ffff888035bd7ad8
 unmap_page_range+0x19f9/0x2c10
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x226/0x380
 exit_mmap+0x158/0x680
 mmput+0xd5/0x390
 do_exit+0x99b/0x2760
 do_group_exit+0xd4/0x2a0
 get_signal+0x21b7/0x22f0
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0x131/0x1a0
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1b60f71b19
Code: Unable to access opcode bytes at 0x7f1b60f71aef.
RSP: 002b:00007f1b5e4e7188 EFLAGS: 00000246 ORIG_RAX: 000000000000001d
RAX: 000000000000007f RBX: 00007f1b61084f60 RCX: 00007f1b60f71b19
RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000000
RBP: 00007f1b60fcbf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020ffc000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd81456fef R14: 00007f1b5e4e7300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	00 00                	add    %al,(%rax)
   2:	41 c6 46 40 01       	movb   $0x1,0x40(%r14)
   7:	49 c7 c0 80 4b 4c 85 	mov    $0xffffffff854c4b80,%r8
   e:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  15:	fc ff df
  18:	4d 8d 48 04          	lea    0x4(%r8),%r9
  1c:	4c 89 ca             	mov    %r9,%rdx
  1f:	48 c1 ea 03          	shr    $0x3,%rdx
  23:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax
* 27:	4c 89 ca             	mov    %r9,%rdx <-- trapping instruction
  2a:	83 e2 07             	and    $0x7,%edx
  2d:	38 d0                	cmp    %dl,%al
  2f:	7f 08                	jg     0x39
  31:	84 c0                	test   %al,%al
  33:	0f 85 e4 14 00 00    	jne    0x151d
  39:	41                   	rex.B
  3a:	0f                   	.byte 0xf
  3b:	b6 40                	mov    $0x40,%dh