Bluetooth: hci2: command 0x0406 tx timeout
Bluetooth: hci6: command 0x0406 tx timeout
Bluetooth: hci0: command 0x0406 tx timeout
Bluetooth: hci7: command 0x0406 tx timeout
watchdog: BUG: soft lockup - CPU#1 stuck for 24s! [syz-executor.1:9304]
Modules linked in:
irq event stamp: 4222409
hardirqs last  enabled at (4222408): [<ffffffff8460144a>] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (4222409): [<ffffffff844258ff>] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last  enabled at (4158894): [<ffffffff8118247f>] irq_exit_rcu+0x11f/0x190
softirqs last disabled at (4158897): [<ffffffff8118247f>] irq_exit_rcu+0x11f/0x190
CPU: 1 PID: 9304 Comm: syz-executor.1 Not tainted 6.2.0-rc4-next-20230118 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__call_rcu_common.constprop.0+0x6b/0xa00
Code: 63 08 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 1a 08 00 00 48 c7 03 00 00 00 00 48 89 df e8 26 97 48 00 9c <41> 5d fa 41 81 e5 00 02 00 00 0f 85 22 05 00 00 e8 d0 ae 0d 03 48
RSP: 0018:ffff88806cf09c28 EFLAGS: 00000282
RAX: 0000000004e801c2 RBX: ffff88804292cd90 RCX: 0000000000000000
RDX: 000000000009d296 RSI: ffff88806cf09a64 RDI: 0000000000000000
RBP: ffff888008795dc0 R08: 000000000000000e R09: ffff88803ab40e80
R10: ffff88806c8e94b0 R11: 0000000000000001 R12: ffffffff8180ced0
R13: ffffffff834d4b7f R14: 0000000000010e68 R15: ffff888014758e30
FS:  00007f429fdc2700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f03727c2000 CR3: 0000000017bba000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 kmem_cache_free+0xb9/0x510
 kfree_skbmem+0xef/0x1b0
 consume_skb+0xd8/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
 mac80211_hwsim_beacon_tx+0x566/0xb10
 __iterate_interfaces+0x2d3/0x580
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xcb0
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x274/0x8ff
 irq_exit_rcu+0x11f/0x190
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:in_lock_functions+0x4/0x20
Code: 90 90 90 90 90 90 f3 0f 1e fa e9 fb 1d 18 03 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <31> c0 48 81 ff 10 77 44 84 72 0c 31 c0 48 81 ff e5 95 44 84 0f 92
RSP: 0018:ffff88804428f598 EFLAGS: 00000246
RAX: 0000000000000001 RBX: ffffffff8112b9b0 RCX: 1ffffffff0f3c9f8
RDX: 0000000000000000 RSI: ffffffff817d5dce RDI: ffffffff8112b9b0
RBP: ffff88804428f690 R08: ffffffff860fc07c R09: ffffffff860fc080
R10: fffffbfff0ecb32d R11: ffff88804428f678 R12: ffff88804428f700
R13: 0000000000000000 R14: ffff88804428f638 R15: ffffea000116b480
 preempt_count_add+0x7c/0x150
 unwind_next_frame+0xb0/0x2130
 arch_stack_walk+0x87/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10a/0x190
 __kmem_cache_free+0xd1/0x2f0
 __free_slab+0x73/0x100
 __unfreeze_partials+0x130/0x150
 qlist_free_all+0x6d/0x1a0
 kasan_quarantine_reduce+0x199/0x230
 __kasan_slab_alloc+0x49/0x70
 kmem_cache_alloc+0x172/0x300
 key_alloc+0x3d5/0x1280
 keyring_alloc+0x46/0xc0
 lookup_user_key+0xbf3/0x12a0
 __do_sys_add_key+0x1d3/0x430
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f42a284cb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f429fdc2188 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 00007f42a295ff60 RCX: 00007f42a284cb19
RDX: 0000000020000c00 RSI: 0000000020000bc0 RDI: 0000000020000b80
RBP: 00007f42a28a6f6d R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000000048 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc6bc4e00f R14: 00007f429fdc2300 R15: 0000000000022000
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 9291 Comm: syz-executor.3 Not tainted 6.2.0-rc4-next-20230118 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__lock_acquire+0xbfb/0x5e90
Code: 00 00 48 8d 1c 5b 48 c1 e3 06 48 81 c3 60 9d 65 87 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 <0f> 85 39 49 00 00 48 83 7b 40 00 0f 84 54 0e 00 00 0f b7 44 24 10
RSP: 0018:ffff88806ce09130 EFLAGS: 00000046
RAX: dffffc0000000000 RBX: ffffffff8765d1e0 RCX: ffffffff812bc1e5
RDX: 1ffffffff0ecba44 RSI: 0000000000000008 RDI: ffffffff8765d220
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8765994f
R10: fffffbfff0ecb329 R11: 0000000000000001 R12: ffff88803678d040
R13: ffff88803678da40 R14: 0000000000000000 R15: 0000000000000001
FS:  00007f943f39e700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c68b3b4648 CR3: 00000000147b8000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 lock_acquire.part.0+0x120/0x340
 ktime_get+0x80/0x1f0
 clockevents_program_event+0x14f/0x360
 tick_program_event+0xb0/0x150
 hrtimer_interrupt+0x36a/0x770
 __sysvec_apic_timer_interrupt+0x148/0x510
 sysvec_apic_timer_interrupt+0x3f/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:unwind_next_frame+0x35f/0x2130
Code: 00 fc ff df 4d 8d 48 04 4c 89 ca 48 c1 ea 03 0f b6 04 02 4c 89 ca 83 e2 07 38 d0 7f 08 84 c0 0f 85 e4 14 00 00 41 0f b6 40 04 <a8> 0f 0f 85 a2 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 78 05
RSP: 0018:ffff88806ce095b8 EFLAGS: 00000246
RAX: 0000000000000015 RBX: 0000000000000002 RCX: ffffffff8139a2c5
RDX: 0000000000000002 RSI: ffffffff8609d906 RDI: ffffffff85d89e50
RBP: ffff88806ce09690 R08: ffffffff8609d906 R09: ffffffff8609d90a
R10: 0000000000000200 R11: 0000000000038001 R12: ffff88806ce09679
R13: ffff88806ce09698 R14: ffff88806ce09638 R15: ffffffff8139a2c5
 arch_stack_walk+0x87/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc+0x172/0x300
 __create_object+0x3d/0xc40
 __kmem_cache_alloc_node+0x1ed/0x2f0
 __kmalloc_node_track_caller+0x43/0xb0
 __alloc_skb+0xe9/0x310
 skb_copy+0x13d/0x3d0
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb6d/0x1360
 mac80211_hwsim_tx_frame+0x1ee/0x2a0
 mac80211_hwsim_beacon_tx+0x566/0xb10
 __iterate_interfaces+0x2d3/0x580
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xcb0
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x274/0x8ff
 irq_exit_rcu+0x11f/0x190
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:should_fail_ex+0xe7/0x5b0
Code: 48 83 c4 08 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f e9 62 77 24 02 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 80 3c 02 00 <0f> 85 fe 03 00 00 48 83 3b 00 74 ca 48 b8 00 00 00 00 00 fc ff df
RSP: 0018:ffff8880457cf278 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffffff856cb720 RCX: 0000000000000000
RDX: 1ffffffff0ad96e4 RSI: 00000000000000a8 RDI: ffff88803678e3fc
RBP: 00000000000000a8 R08: 0000000000000001 R09: ffff8880197c7593
R10: ffffed10032f8eb2 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88803678d040 R14: 0000000000000dc0 R15: 00000000000000a8
 should_failslab+0x9/0x20
 kmem_cache_alloc+0x5a/0x300
 __kernfs_new_node+0xd4/0x8c0
 kernfs_new_node+0x97/0x120
 __kernfs_create_file+0x55/0x350
 sysfs_add_file_mode_ns+0x21c/0x440
 internal_create_group+0x322/0xb20
 internal_create_groups.part.0+0x90/0x140
 sysfs_create_groups+0x29/0x50
 device_add+0x711/0x1ef0
 netdev_register_kobject+0x17e/0x3b0
 register_netdevice+0xd60/0x1530
 register_netdev+0x31/0x60
 sit_init_net+0x268/0x560
 ops_init+0xbb/0x6c0
 setup_net+0x40c/0x9d0
 copy_net_ns+0x321/0x770
 create_new_namespaces+0x3f6/0xb30
 copy_namespaces+0x414/0x500
 copy_process+0x2a5e/0x7390
 kernel_clone+0xeb/0x8c0
 __do_sys_clone3+0x1d5/0x2e0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f9441e28b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f943f39e188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007f9441f3bf60 RCX: 00007f9441e28b19
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 0000000020004c00
RBP: 00007f9441e82f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc41ec0edf R14: 00007f943f39e300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess):
   0:	63 08                	movslq (%rax),%ecx
   2:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
   9:	fc ff df
   c:	48 c1 ea 03          	shr    $0x3,%rdx
  10:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  14:	0f 85 1a 08 00 00    	jne    0x834
  1a:	48 c7 03 00 00 00 00 	movq   $0x0,(%rbx)
  21:	48 89 df             	mov    %rbx,%rdi
  24:	e8 26 97 48 00       	callq  0x48974f
  29:	9c                   	pushfq
* 2a:	41 5d                	pop    %r13 <-- trapping instruction
  2c:	fa                   	cli
  2d:	41 81 e5 00 02 00 00 	and    $0x200,%r13d
  34:	0f 85 22 05 00 00    	jne    0x55c
  3a:	e8 d0 ae 0d 03       	callq  0x30daf0f
  3f:	48                   	rex.W