watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [syz-executor.7:5336]
Modules linked in:
irq event stamp: 4660573
hardirqs last enabled at (4660572): [] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (4660573): [] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last enabled at (4650260): [] __irq_exit_rcu+0x11b/0x180
softirqs last disabled at (4650263): [] __irq_exit_rcu+0x11b/0x180
CPU: 1 PID: 5336 Comm: syz-executor.7 Not tainted 6.1.0-rc4-next-20221111 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ieee80211_beacon_get_finish+0x2ce/0x610
Code: 4c 89 f7 e8 d4 90 74 fd 49 8d 7d 40 8b 4c 24 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 4c 89 6c 24 40 48 c1 ea 03 80 3c 02 00 <0f> 85 0e 03 00 00 48 ba 00 00 00 00 00 fc ff df 49 8b 45 40 41 89
RSP: 0018:ffff88806d109ae8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff888018762c80 RCX: 0000000000000000
RDX: 1ffff11003f0b1c4 RSI: 0000000000000000 RDI: ffff88801f858e20
RBP: ffff88800f35a2e8 R08: 0000000000000001 R09: ffff88806d109b28
R10: ffffed100da2136c R11: 0000000000000001 R12: ffff88800f359e88
R13: ffff88801f858de0 R14: ffff88806d109b28 R15: ffff88800f358b40
FS: 00007f6104de2700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9366e78718 CR3: 0000000018716000 CR4: 0000000000350ee0
Call Trace:
__ieee80211_beacon_get+0x53b/0x1380
ieee80211_beacon_get_tim+0x99/0x4f0
mac80211_hwsim_beacon_tx+0x1d2/0xab0
__iterate_interfaces+0x2d3/0x560
ieee80211_iterate_active_interfaces_atomic+0x74/0x180
mac80211_hwsim_beacon+0x105/0x200
__hrtimer_run_queues+0x541/0xb50
hrtimer_run_softirq+0x176/0x350
__do_softirq+0x1c7/0x8f9
__irq_exit_rcu+0x11b/0x180
irq_exit_rcu+0x9/0x30
sysvec_apic_timer_interrupt+0x92/0xc0
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__create_object+0x62/0xc00
Code: e8 73 34 fc ff 49 89 c7 48 85 c0 0f 84 49 06 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8d 67 48 4c 89 e2 48 c1 ea 03 80
3c 02 00 <0f> 85 ce 09 00 00 49 8d 47 50 4d 89 67 48 48 89 c2 48 89 04 24 48
RSP: 0018:ffff888043b0fb68 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: 0000000000000010 RCX: 0000000000000001
RDX: 1ffff11002be4ced RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888013bce9c0 R08: 00000000ffffffff R09: ffff888042b3b690
R10: ffff88806cb2e190 R11: 0000000000000001 R12: ffff888015f26768
R13: 0000000000000000 R14: 0000000000000001 R15: ffff888015f26720
kmem_cache_alloc+0x23d/0x3e0
security_file_alloc+0x38/0x170
__alloc_file+0xb6/0x240
alloc_empty_file+0x71/0x170
alloc_file+0x59/0x800
alloc_file_pseudo+0x16e/0x260
anon_inode_getfile+0xb4/0x1e0
__do_sys_perf_event_open+0x163f/0x2880
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f610786cb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6104de2188 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007f610797ff60 RCX: 00007f610786cb19
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000020000280
RBP: 00007f61078c6f6d R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd571ad32f R14: 00007f6104de2300 R15: 0000000000022000
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 5331 Comm: syz-executor.5 Not tainted 6.1.0-rc4-next-20221111 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__lock_acquire+0x2d9/0x5e70
Code: 18 4d 89 75 10 48 89 c2 48 89 44 24 48 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 88 3f 00 00 48 8b 44 24 20 <49> 8d b4 24 44 09 00 00 48 ba 00 00 00 00 00 fc ff df 48 89 f1 48
RSP: 0018:ffff88806d0097d8 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffff88804185bee0 RCX: 0000000000000042
RDX: 1ffff1100830b7ee RSI: 1ffff1100830b7ea RDI:
ffff88804185bf68
RBP: 0000000000000000 R08: 000000000000000f R09: 0000000000000001
R10: fffffbfff0b61dd2 R11: 0000000000000001 R12: ffff88804185b580
R13: ffff88804185bf58 R14: ffffffff85427908 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f51e1b82360 CR3: 000000000e45a000 CR4: 0000000000350ef0
Call Trace:
lock_acquire+0x1a6/0x530
ktime_get+0x80/0x1f0
clockevents_program_event+0x14f/0x360
tick_program_event+0xb0/0x150
hrtimer_interrupt+0x36a/0x770
__sysvec_apic_timer_interrupt+0x148/0x500
sysvec_apic_timer_interrupt+0x3f/0xc0
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:skb_release_data+0x5a9/0x810
Code: 85 15 02 00 00 0f b6 5d 7e 31 ff 83 e3 20 89 de e8 ec 93 ff fd 84 db 0f 84 2f 01 00 00 e8 0f 98 ff fd 4c 89 e7 e8 d7 82 2b fe 02 98 ff fd 48 8b 4c 24 18 48 b8 00 00 00 00 00 fc ff df 48 89
RSP: 0018:ffff88806d009c50 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff812b2e3f
RDX: 0000000000000000 RSI: 0000000000000102 RDI: 0000000000000000
RBP: ffff8880157fa500 R08: 0000000000000001 R09: ffffffff87424847
R10: fffffbfff0e84908 R11: 0000000000000001 R12: ffff8880187f5000
R13: 0000000000000000 R14: 0000000000000002 R15: ffff888041808e30
consume_skb+0xcb/0x170
mac80211_hwsim_tx_frame+0x1f6/0x2a0
mac80211_hwsim_beacon_tx+0x566/0xab0
__iterate_interfaces+0x2d3/0x560
ieee80211_iterate_active_interfaces_atomic+0x74/0x180
mac80211_hwsim_beacon+0x105/0x200
__hrtimer_run_queues+0x541/0xb50
hrtimer_run_softirq+0x176/0x350
__do_softirq+0x1c7/0x8f9
__irq_exit_rcu+0x11b/0x180
irq_exit_rcu+0x9/0x30
sysvec_apic_timer_interrupt+0x92/0xc0
asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:percpu_counter_add_batch+0x5e/0x180
Code: 1d 02 48 8d 45 58 48 89 c2 48 89 44 24 08 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 f7 00 00 00 4c 8b 7d 58 <48> 89 df 65 45 8b 37 4d 63 e6 4d 01 ec 4c 89 e2 48 c1 fa 3f 48 89
RSP:
0018:ffff88800e5c76b8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: 0000000000000020 RCX: 1ffffffff0ef62e8
RDX: 1ffff110018c808f RSI: 0000000000000002 RDI: 0000000000000000
RBP: ffff88800c640420 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000fffffffd R11: 0000000000000001 R12: ffffffff85b0ffd0
R13: fffffffffffffffd R14: ffff88800c640420 R15: 0000607f92c00f08
unmap_page_range+0xdff/0x2c30
unmap_single_vma+0x190/0x2a0
unmap_vmas+0x226/0x380
exit_mmap+0x158/0x680
mmput+0xd5/0x390
do_exit+0x99b/0x2720
do_group_exit+0xd4/0x2a0
get_signal+0x21a5/0x22e0
arch_do_signal_or_restart+0x79/0x5a0
exit_to_user_mode_prepare+0x131/0x1a0
syscall_exit_to_user_mode+0x1d/0x50
do_syscall_64+0x4c/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fb5da793b19
Code: Unable to access opcode bytes at 0x7fb5da793aef.
RSP: 002b:00007fb5d7d09188 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: 0000000000000008 RBX: 00007fb5da8a6f60 RCX: 00007fb5da793b19
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000010
RBP: 00007fb5da7edf6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffc71796ff R14: 00007fb5d7d09300 R15: 0000000000022000
Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
Bluetooth: hci1: HCI_REQ-0x0c1a
Bluetooth: hci1: command 0x0409 tx timeout
Bluetooth: hci1: command 0x041b tx timeout
Bluetooth: hci1: command 0x040f tx timeout
----------------
Code disassembly (best guess):
0: 4c 89 f7 mov %r14,%rdi
3: e8 d4 90 74 fd callq 0xfd7490dc
8: 49 8d 7d 40 lea 0x40(%r13),%rdi
c: 8b 4c 24 08 mov 0x8(%rsp),%ecx
10: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
17: fc ff df
1a: 48 89 fa mov %rdi,%rdx
1d: 4c 89 6c 24 40
mov %r13,0x40(%rsp)
22: 48 c1 ea 03 shr $0x3,%rdx
26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
* 2a: 0f 85 0e 03 00 00 jne 0x33e <-- trapping instruction
30: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
37: fc ff df
3a: 49 8b 45 40 mov 0x40(%r13),%rax
3e: 41 rex.B
3f: 89 .byte 0x89