Bluetooth: hci2: command 0x0406 tx timeout
Bluetooth: hci3: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor.4:9681]
Modules linked in:
irq event stamp: 4614873
hardirqs last  enabled at (4614872): [<ffffffff8460144a>] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (4614873): [<ffffffff844232ff>] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last  enabled at (4605484): [<ffffffff81181dbb>] __irq_exit_rcu+0x11b/0x180
softirqs last disabled at (4605487): [<ffffffff81181dbb>] __irq_exit_rcu+0x11b/0x180
CPU: 0 PID: 9681 Comm: syz-executor.4 Not tainted 6.2.0-rc3-next-20230109 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:preempt_count_add+0x43/0x150
Code: 53 83 e0 07 89 fb 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 08 84 d2 0f 85 e9 00 00 00 8b 15 64 be 7b 06 65 01 1d e5 8f e1 7e <85> d2 75 11 65 8b 05 da 8f e1 7e 0f b6 c0 3d f4 00 00 00 7f 6c 65
RSP: 0018:ffff88806ce097c8 EFLAGS: 00000202
RAX: 0000000000000003 RBX: 0000000000000001 RCX: 1ffffffff0f3b700
RDX: 0000000000000000 RSI: ffffffff8411c583 RDI: 0000000000000001
RBP: ffff88806ce098b8 R08: ffffffff86432800 R09: ffffffff86432804
R10: ffffed100d9c1319 R11: ffff88806ce098a0 R12: ffff88806ce09928
R13: 0000000000000000 R14: ffff88806ce09860 R15: ffff888046400e30
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f613b113010 CR3: 000000000e87e000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 unwind_next_frame+0xb0/0x2130
 arch_stack_walk+0x87/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 __call_rcu_common.constprop.0+0x6a/0xa00
 __kmem_cache_free+0x8b/0x2f0
 skb_release_data+0x6d8/0x810
 consume_skb+0xcb/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
 mac80211_hwsim_beacon_tx+0x566/0xb10
 __iterate_interfaces+0x2d3/0x580
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xcb0
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x1c7/0x913
 __irq_exit_rcu+0x11b/0x180
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0xb/0x70
Code: c0 e9 ed 0c fb 02 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 8b 05 0d 17 ba 7e <89> c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 80 89 03 00 a9
RSP: 0018:ffff88803f16f678 EFLAGS: 00000206
RAX: 0000000000000000 RBX: ffff888038b43820 RCX: ffffffff8177550a
RDX: ffff88801f421ac0 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 0000000000000102 R08: 0000000000000004 R09: 00000000000001fe
R10: 0000000000000102 R11: 0000000000000001 R12: 00000000000001fe
R13: dffffc0000000000 R14: ffff888038b43010 R15: 00000000000001fe
 free_pages_and_swap_cache+0x3f/0xa0
 tlb_batch_pages_flush+0xa8/0x1b0
 unmap_page_range+0x164b/0x2c90
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x226/0x380
 exit_mmap+0x158/0x6a0
 mmput+0xd5/0x390
 do_exit+0x99b/0x2780
 do_group_exit+0xd4/0x2a0
 get_signal+0x2255/0x2390
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0xf5/0x190
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7efc2780ab19
Code: Unable to access opcode bytes at 0x7efc2780aaef.
RSP: 002b:00007efc24d80218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007efc2791df68 RCX: 00007efc2780ab19
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007efc2791df68
RBP: 00007efc2791df60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007efc2791df6c
R13: 00007ffd0027466f R14: 00007efc24d80300 R15: 0000000000022000
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 9674 Comm: syz-executor.3 Not tainted 6.2.0-rc3-next-20230109 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__x86_indirect_thunk_rbp+0x6/0x20
Code: 1f 44 00 00 e8 01 00 00 00 cc 48 89 24 24 e9 b5 05 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 0f 1f 44 00 00 e8 01 00 00 00 cc <48> 89 2c 24 e9 95 05 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 0f
RSP: 0018:ffff88806cf09868 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffff888008de3060 RCX: 0000000000000100
RDX: ffff888018ccd040 RSI: ffffffff81398b37 RDI: ffff888008de3060
RBP: ffffffff8159bbd0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88806cf2b988
R13: ffff88806cf2b8c0 R14: ffff88806cf2b940 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6139ba7220 CR3: 000000000e65e000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 </IRQ>
 <TASK>
 </TASK>
Bluetooth: hci6: command 0x0406 tx timeout
----------------
Code disassembly (best guess):
   0:	53                   	push   %rbx
   1:	83 e0 07             	and    $0x7,%eax
   4:	89 fb                	mov    %edi,%ebx
   6:	48 c1 e9 03          	shr    $0x3,%rcx
   a:	83 c0 03             	add    $0x3,%eax
   d:	0f b6 14 11          	movzbl (%rcx,%rdx,1),%edx
  11:	38 d0                	cmp    %dl,%al
  13:	7c 08                	jl     0x1d
  15:	84 d2                	test   %dl,%dl
  17:	0f 85 e9 00 00 00    	jne    0x106
  1d:	8b 15 64 be 7b 06    	mov    0x67bbe64(%rip),%edx        # 0x67bbe87
  23:	65 01 1d e5 8f e1 7e 	add    %ebx,%gs:0x7ee18fe5(%rip)        # 0x7ee1900f
* 2a:	85 d2                	test   %edx,%edx <-- trapping instruction
  2c:	75 11                	jne    0x3f
  2e:	65 8b 05 da 8f e1 7e 	mov    %gs:0x7ee18fda(%rip),%eax        # 0x7ee1900f
  35:	0f b6 c0             	movzbl %al,%eax
  38:	3d f4 00 00 00       	cmp    $0xf4,%eax
  3d:	7f 6c                	jg     0xab
  3f:	65                   	gs