Bluetooth: hci5: command 0x0406 tx timeout
watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [syz-executor.0:10529]
Modules linked in:
irq event stamp: 5416675
hardirqs last  enabled at (5416674): [<ffffffff8460144a>] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (5416675): [<ffffffff8442b35f>] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last  enabled at (5405338): [<ffffffff8118303f>] irq_exit_rcu+0x11f/0x190
softirqs last disabled at (5405341): [<ffffffff8118303f>] irq_exit_rcu+0x11f/0x190
CPU: 1 PID: 10529 Comm: syz-executor.0 Not tainted 6.2.0-rc5-next-20230123 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__rcu_read_unlock+0x31/0x520
Code: 55 41 54 55 65 48 8b 2c 25 80 89 03 00 53 48 8d bd f4 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 <48> 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 0d 02 00 00 65
RSP: 0018:ffff88806cf097c8 EFLAGS: 00000217
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: 0000000000000100
RDX: 0000000000000000 RSI: ffffffff8149f6da RDI: ffff88800fa23974
RBP: ffff88800fa23580 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff85651e08 R15: ffff888042730e30
FS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5498aaded0 CR3: 0000000033526000 CR4: 0000000000350ee0
Call Trace:
 <IRQ>
 __is_insn_slot_addr+0x12f/0x290
 kernel_text_address+0x48/0xc0
 __kernel_text_address+0xd/0x40
 unwind_get_return_address+0x59/0xa0
 arch_stack_walk+0x9d/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 __kasan_record_aux_stack+0x95/0xb0
 __call_rcu_common.constprop.0+0x6a/0xa00
 __kmem_cache_free+0x8b/0x2f0
 skb_release_data+0x6ab/0x7e0
 consume_skb+0xcb/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
 mac80211_hwsim_beacon_tx+0x567/0xb10
 __iterate_interfaces+0x2d3/0x580
 ieee80211_iterate_active_interfaces_atomic+0x73/0x1c0
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x54b/0xcb0
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x274/0x8ff
 irq_exit_rcu+0x11f/0x190
 sysvec_apic_timer_interrupt+0x92/0xc0
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:put_cpu_partial+0x115/0x1c0
Code: 39 43 28 75 61 48 c7 43 28 00 00 00 00 48 c7 c6 10 d6 7c 81 48 89 df e8 b9 54 af ff 48 85 ed 74 06 e8 af b6 d3 ff fb 4d 85 ed <74> 21 5b 4c 89 ee 5d 4c 89 e7 41 5c 41 5d 41 5e 41 5f e9 54 fa ff
RSP: 0018:ffff88800fb8f5d0 EFLAGS: 00000246
RAX: 00000000004dcdc3 RBX: ffff88806cf41af0 RCX: ffffffff812b8cbf
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000200 R08: 0000000000000001 R09: ffffffff8765b967
R10: fffffbfff0ecb72c R11: 0000000000000001 R12: ffff888008795dc0
R13: 0000000000000000 R14: ffffea00010fca80 R15: 0000000000000002
 qlist_free_all+0x6d/0x1a0
 kasan_quarantine_reduce+0x199/0x230
 __kasan_slab_alloc+0x49/0x70
 kmem_cache_alloc_node+0x187/0x310
 __alloc_skb+0x21a/0x310
 alloc_uevent_skb+0x7b/0x210
 kobject_uevent_env+0xaa1/0xfa0
 device_del+0x91a/0xed0
 hci_conn_del_sysfs+0xdc/0x110
 hci_conn_cleanup+0x34e/0x780
 hci_conn_del+0x28f/0x8e0
 hci_conn_hash_flush+0x195/0x230
 hci_dev_close_sync+0x57f/0xff0
 hci_unregister_dev+0x15e/0x410
 vhci_release+0x80/0x100
 __fput+0x263/0xa40
 task_work_run+0x174/0x280
 do_exit+0xada/0x2780
 do_group_exit+0xd4/0x2a0
 get_signal+0x2255/0x2390
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0xf5/0x190
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f9f48f54b19
Code: Unable to access opcode bytes at 0x7f9f48f54aef.
RSP: 002b:00007f9f464a9218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f9f49068028 RCX: 00007f9f48f54b19
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f9f49068028
RBP: 00007f9f49068020 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9f4906802c
R13: 00007ffdcf22eeef R14: 00007f9f464a9300 R15: 0000000000022000
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 114 Comm: systemd-timesyn Not tainted 6.2.0-rc5-next-20230123 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:lock_release+0x42/0x760
Code: fc 55 53 48 81 ec 90 00 00 00 48 8d 6c 24 10 48 89 74 24 08 48 c7 44 24 10 b3 8a b5 41 48 c1 ed 03 48 c7 44 24 18 b8 73 1d 85 <48> 01 e8 48 c7 44 24 20 e0 2a 2c 81 c7 00 f1 f1 f1 f1 c7 40 04 f1
RSP: 0018:ffff888009e9fc38 EFLAGS: 00000212
RAX: dffffc0000000000 RBX: ffff88801985d318 RCX: 1ffffffff0a56718
RDX: 0000000000000000 RSI: ffffffff817cae4c RDI: ffffffff8560b060
RBP: 1ffff110013d3f89 R08: 0000000000000000 R09: ffffffff8765b947
R10: fffffbfff0ecb728 R11: 0000000000000001 R12: ffffffff8560b060
R13: ffffffff8188c53e R14: ffff88800d0a3280 R15: 0000000000000000
FS:  00007f695cd1c900(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe6c29632e0 CR3: 000000000e30a000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 kmem_cache_free+0x4b6/0x510
 dentry_free+0xde/0x160
 __dentry_kill+0x47d/0x5c0
 dput+0x880/0xe60
 __fput+0x3a6/0xa40
 task_work_run+0x174/0x280
 exit_to_user_mode_prepare+0x187/0x190
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f695d6026eb
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 a3 56 f9 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 e1 56 f9 ff 8b 44
RSP: 002b:00007fffa5e60570 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 00007f695cd1c7b8 RCX: 00007f695d6026eb
RDX: 0000000000004000 RSI: 00007fffa5e605e0 RDI: 000000000000000f
RBP: 000000000000000f R08: 0000000000000000 R09: 000000000000000f
R10: 00007fffa5e60574 R11: 0000000000000293 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
----------------
Code disassembly (best guess):
   0:	55                   	push   %rbp
   1:	41 54                	push   %r12
   3:	55                   	push   %rbp
   4:	65 48 8b 2c 25 80 89 	mov    %gs:0x38980,%rbp
   b:	03 00
   d:	53                   	push   %rbx
   e:	48 8d bd f4 03 00 00 	lea    0x3f4(%rbp),%rdi
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	48 89 fa             	mov    %rdi,%rdx
  22:	48 c1 ea 03          	shr    $0x3,%rdx
  26:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx
* 2a:	48 89 f8             	mov    %rdi,%rax <-- trapping instruction
  2d:	83 e0 07             	and    $0x7,%eax
  30:	83 c0 03             	add    $0x3,%eax
  33:	38 d0                	cmp    %dl,%al
  35:	7c 08                	jl     0x3f
  37:	84 d2                	test   %dl,%dl
  39:	0f 85 0d 02 00 00    	jne    0x24c
  3f:	65                   	gs