RBP: 00007f80ca6201d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000ed9 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd5dac57bf R14: 00007f80ca620300 R15: 0000000000022000
 </TASK>
watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [syz-executor.5:16948]
Modules linked in:
irq event stamp: 5560715
hardirqs last  enabled at (5560714): [<ffffffff8460144a>] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (5560715): [<ffffffff8442487f>] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last  enabled at (5521424): [<ffffffff8118247f>] irq_exit_rcu+0x11f/0x190
softirqs last disabled at (5521427): [<ffffffff8118247f>] irq_exit_rcu+0x11f/0x190
CPU: 0 PID: 16948 Comm: syz-executor.5 Not tainted 6.2.0-rc4-next-20230117 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:rcu_is_watching+0x10/0xb0
Code: e8 d5 aa 49 00 e9 50 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 53 48 83 ec 08 65 ff 05 d8 d5 cf 7e <e8> db b0 0e 03 48 c7 c3 80 4f 03 00 48 ba 00 00 00 00 00 fc ff df
RSP: 0018:ffff88806ce09768 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff812b5d62
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffffff85d10490
RBP: ffffffff8560aee0 R08: 0000000000000000 R09: ffffffff85d10497
R10: fffffbfff0ba2092 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000002 R15: ffffffff8149ff14
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556b4f01b648 CR3: 00000000366ea000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 rcu_read_lock_sched_held+0x24/0x80
 trace_lock_acquire+0x16c/0x1c0
 lock_acquire+0x32/0xc0
 __is_insn_slot_addr+0x41/0x290
 kernel_text_address+0x5b/0xc0
 __kernel_text_address+0xd/0x40
 unwind_get_return_address+0x59/0xa0
 arch_stack_walk+0x9d/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10a/0x190
 __kmem_cache_free+0xd1/0x2f0
 skb_release_data+0x6d8/0x810
 consume_skb+0xcb/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
 mac80211_hwsim_beacon_tx+0x566/0xb10
 __iterate_interfaces+0x2d3/0x580
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xcb0
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x274/0x8ff
 irq_exit_rcu+0x11f/0x190
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:kasan_check_range+0x179/0x1d0
Code: ff ff 41 bb 01 00 00 00 5b 5d 44 89 d8 41 5c e9 41 3b c7 02 48 85 d2 74 e9 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 db 80 38 00 <74> f2 e9 64 ff ff ff 41 bb 01 00 00 00 44 89 d8 e9 16 3b c7 02 48
RSP: 0018:ffff888038067568 EFLAGS: 00000246
RAX: fffff940001c5d86 RBX: fffff940001c5d87 RCX: ffffffff81633d22
RDX: fffff940001c5d87 RSI: 0000000000000004 RDI: ffffea0000e2ec34
RBP: fffff940001c5d86 R08: 0000000000000000 R09: ffffea0000e2ec37
R10: fffff940001c5d86 R11: 0000000000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000093 R15: ffffea0000e2ec00
 release_pages+0x242/0x1040
 tlb_batch_pages_flush+0xa8/0x1b0
 unmap_page_range+0x1a59/0x2d90
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x225/0x370
 exit_mmap+0x158/0x6a0
 mmput+0xd5/0x390
 do_exit+0x99b/0x2780
 do_group_exit+0xd4/0x2a0
 get_signal+0x2255/0x2390
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0xf5/0x190
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fd9bf8edb19
Code: Unable to access opcode bytes at 0x7fd9bf8edaef.
RSP: 002b:00007fd9bce62e98 EFLAGS: 00000246 ORIG_RAX: 000000000000013f
RAX: 0000000000000005 RBX: 0000000000000000 RCX: 00007fd9bf8edb19
RDX: 00007fd9bce62f40 RSI: 0000000000000000 RDI: 00007fd9bf9470fb
RBP: 0000000000000000 R08: 00007fd9bce62f38 R09: 0000000000000000
R10: 00007fd9bce62f3c R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd239e578f R14: 0000000000000000 R15: 0000000000022000
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 16949 Comm: syz-executor.7 Not tainted 6.2.0-rc4-next-20230117 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:set_track_prepare+0x49/0xd0
Code: 44 24 08 13 11 25 85 48 c1 eb 03 48 c7 44 24 10 f0 d1 80 81 48 01 d8 c7 00 f1 f1 f1 f1 c7 40 14 f3 f3 f3 f3 8b 15 c7 59 1f 06 <65> 48 8b 04 25 28 00 00 00 48 89 84 24 d8 00 00 00 31 c0 85 d2 74
RSP: 0018:ffff88806cf099a8 EFLAGS: 00000286
RAX: ffffed100d9e1335 RBX: 1ffff1100d9e1335 RCX: 1ffff11001dadc2e
RDX: 0000000000000001 RSI: ffffffff848ff867 RDI: ffff88800ed6e20c
RBP: ffff88804462d000 R08: 0000000000000001 R09: ffff88800ed6e1c3
R10: ffffed1001dadc38 R11: 0000000000000001 R12: ffff88800ed6e178
R13: 0000000000000000 R14: ffff88800ed6e20c R15: ffff88800ed6e130
FS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000556b4f028ec0 CR3: 000000000edce000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 __create_object+0x3b4/0xc40
 __kmem_cache_alloc_node+0x1ed/0x2f0
 __kmalloc_node_track_caller+0x43/0xb0
 __alloc_skb+0xe9/0x310
 __netdev_alloc_skb+0x76/0x3e0
 __ieee80211_beacon_get+0x3d9/0x13c0
 ieee80211_beacon_get_tim+0x99/0x540
 mac80211_hwsim_beacon_tx+0x1d2/0xb10
 __iterate_interfaces+0x2d3/0x580
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xcb0
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x274/0x8ff
 irq_exit_rcu+0x11f/0x190
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:unmap_page_range+0xfbd/0x2d90
Code: 03 42 80 3c 30 00 0f 85 7a 15 00 00 4d 8b 7c 24 18 31 ff 41 bc 01 00 00 00 41 83 e7 01 44 89 fe e8 88 fe db ff 45 84 ff 75 7e <e8> ae 02 dc ff 4c 8b 63 08 31 ff 4d 89 e7 41 83 e7 01 4c 89 fe e8
RSP: 0018:ffff8880460b7700 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffea0000e2aac0 RCX: ffffffff816d7fb8
RDX: ffff888045580000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffff8880460b7ad8 R14: dffffc0000000000 R15: 0000000000000000
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x225/0x370
 exit_mmap+0x158/0x6a0
 mmput+0xd5/0x390
 do_exit+0x99b/0x2780
 do_group_exit+0xd4/0x2a0
 get_signal+0x2255/0x2390
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0xf5/0x190
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f9220c48b19
Code: Unable to access opcode bytes at 0x7f9220c48aef.
RSP: 002b:00007f921e1be188 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffed RBX: 00007f9220d5bf60 RCX: 00007f9220c48b19
RDX: 0000000020000280 RSI: 0000000020000ac0 RDI: 0000000020000a80
RBP: 00007f9220ca2f6d R08: fffffffffffffffb R09: 0000000000000000
R10: 0000000000000048 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd9d00fbef R14: 00007f921e1be300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess):
   0:	e8 d5 aa 49 00       	callq  0x49aada
   5:	e9 50 ff ff ff       	jmpq   0xffffff5a
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	f3 0f 1e fa          	endbr64
  1e:	53                   	push   %rbx
  1f:	48 83 ec 08          	sub    $0x8,%rsp
  23:	65 ff 05 d8 d5 cf 7e 	incl   %gs:0x7ecfd5d8(%rip)        # 0x7ecfd602
* 2a:	e8 db b0 0e 03       	callq  0x30eb10a <-- trapping instruction
  2f:	48 c7 c3 80 4f 03 00 	mov    $0x34f80,%rbx
  36:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  3d:	fc ff df