Bluetooth: hci6: command 0x0406 tx timeout
Bluetooth: hci5: command 0x0406 tx timeout
Bluetooth: hci1: command 0x0406 tx timeout
Bluetooth: hci3: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout
watchdog: BUG: soft lockup - CPU#0 stuck for 21s! [syz-executor.5:16060]
Modules linked in:
irq event stamp: 17817175
hardirqs last enabled at (17817174): [] asm_sysvec_apic_timer_interrupt+0x1a/0x20
hardirqs last disabled at (17817175): [] sysvec_apic_timer_interrupt+0xf/0xc0
softirqs last enabled at (17767576): [] __irq_exit_rcu+0x11b/0x180
softirqs last disabled at (17767579): [] __irq_exit_rcu+0x11b/0x180
CPU: 0 PID: 16060 Comm: syz-executor.5 Not tainted 6.1.0-rc4-next-20221111 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:check_preemption_disabled+0x33/0x180
Code: 55 48 89 fd 53 0f 1f 44 00 00 65 44 8b 25 b1 77 c7 7b 65 8b 1d a6 77 c7 7b 81 e3 ff ff ff 7f 31 ff 89 de 0f 1f 44 00 00 85 db <74> 15 0f 1f 44 00 00 44 89 e0 5b 5d 41 5c 41 5d 41 5e e9 3a 35 02
RSP: 0018:ffff88806d0096b8 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 0000000000000103 RCX: ffffffff812bd453
RDX: dffffc0000000000 RSI: 0000000000000103 RDI: 0000000000000000
RBP: ffffffff847ee140 R08: 0000000000000000 R09: ffffffff85b0ee97
R10: fffffbfff0b61dd2 R11: 0000000000000001 R12: 0000000000000000
R13: ffffffff847ee100 R14: ffffffff85407e60 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88806d000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005565a848d648 CR3: 0000000018cc0000 CR4: 0000000000350ef0
Call Trace:
 rcu_is_watching+0x15/0xb0
 rcu_read_lock_sched_held+0x24/0x80
 lock_acquire+0x462/0x530
 __is_insn_slot_addr+0x41/0x250
 kernel_text_address+0x48/0xc0
 __kernel_text_address+0xd/0x40
 unwind_get_return_address+0x59/0xa0
 arch_stack_walk+0x9d/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10a/0x190
 __kmem_cache_free+0xcf/0x410
 skb_release_data+0x6d8/0x810
 consume_skb+0xcb/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
 mac80211_hwsim_beacon_tx+0x566/0xab0
 __iterate_interfaces+0x2d3/0x560
 ieee80211_iterate_active_interfaces_atomic+0x74/0x180
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x541/0xb50
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x1c7/0x8f9
 __irq_exit_rcu+0x11b/0x180
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0x92/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__tlb_remove_page_size+0xaa/0x470
Code: 28 48 8d 7d 08 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 36 03 00 00 48 b8 00 00 00 00 00 fc ff df 44 8b 65 08 <4a> 8d 7c e5 10 45 8d 7c 24 01 48 89 fa 44 89 7d 08 48 c1 ea 03 80
RSP: 0018:ffff8880439076c8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff888043907ad8 RCX: 0000000000000000
RDX: 1ffff1100864f601 RSI: ffffffff81700714 RDI: ffff88804327b008
RBP: ffff88804327b000 R08: 0000000000000007 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000001 R12: 000000000000019c
R13: ffffea000055c640 R14: ffff888043907b00 R15: ffff888043907ad8
 unmap_page_range+0x1c61/0x2c30
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x226/0x380
 exit_mmap+0x158/0x680
 mmput+0xd5/0x390
 do_exit+0x99b/0x2720
 do_group_exit+0xd4/0x2a0
 get_signal+0x21a5/0x22e0
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0x131/0x1a0
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f6877f3fb19
Code: Unable to access opcode bytes at 0x7f6877f3faef.
RSP: 002b:00007f68754b5188 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000000000ee0 RBX: 00007f6878052f60 RCX: 00007f6877f3fb19
RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000004
RBP: 00007f6877f99f6d R08: 0000000000000000 R09: 0000000000000000
R10: 00000000fffffdef R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff0b56dd0f R14: 00007f68754b5300 R15: 0000000000022000
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 16083 Comm: syz-executor.1 Not tainted 6.1.0-rc4-next-20221111 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:rcu_is_watching+0x45/0xb0
Code: 00 48 ba 00 00 00 00 00 fc ff df 89 c0 48 8d 3c c5 c0 88 01 85 48 89 f9 48 c1 e9 03 80 3c 11 00 75 62 48 03 1c c5 c0 88 01 85 <48> b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 0f b6 14 02 48
RSP: 0018:ffff88806d1096f8 EFLAGS: 00000086
RAX: 0000000000000001 RBX: ffff88806d134cc0 RCX: 1ffffffff0a03119
RDX: dffffc0000000000 RSI: 0000000000010105 RDI: ffffffff850188c8
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff85b0ee97
R10: fffffbfff0b61dd2 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdf394acf40 CR3: 0000000018cc0000 CR4: 0000000000350ee0
Call Trace:
 rcu_read_lock_sched_held+0x24/0x80
 __sysvec_apic_timer_interrupt+0x31f/0x500
 sysvec_apic_timer_interrupt+0x3f/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__orc_find+0x83/0xf0
Code: 01 d0 48 d1 f8 48 8d 5c 85 00 48 89 d8 48 c1 e8 03 42 0f b6 14 38 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 50 48 63 03 <48> 01 d8 48 39 c1 73 b0 4c 8d 63 fc 49 39 ec 73 b3 4d 29 ee 49 c1
RSP: 0018:ffff88806d109800 EFLAGS: 00000246
RAX: fffffffffbc21c1c RBX: ffffffff85bc7b44 RCX: ffffffff817e979d
RDX: 0000000000000000 RSI: ffffffff85ef643c RDI: ffffffff85bc7b3c
RBP: ffffffff85bc7b3c R08: ffffffff85ef643c R09: ffffffff85e7be54
R10: ffff88806d109ff8 R11: 0000000000036001 R12: ffffffff85bc7b4c
R13: ffffffff85bc7b3c R14: ffffffff85bc7b3c R15: dffffc0000000000
 unwind_next_frame+0x2b1/0x2130
 arch_stack_walk+0x87/0xf0
 stack_trace_save+0x90/0xd0
 kasan_save_stack+0x22/0x50
 kasan_set_track+0x25/0x30
 kasan_save_free_info+0x2e/0x50
 __kasan_slab_free+0x10a/0x190
 kmem_cache_free+0xfb/0x610
 kfree_skbmem+0xef/0x1b0
 consume_skb+0xd8/0x170
 mac80211_hwsim_tx_frame+0x1f6/0x2a0
 mac80211_hwsim_beacon_tx+0x566/0xab0
 __iterate_interfaces+0x2d3/0x560
 ieee80211_iterate_active_interfaces_atomic+0x74/0x180
 mac80211_hwsim_beacon+0x105/0x200
 __hrtimer_run_queues+0x541/0xb50
 hrtimer_run_softirq+0x176/0x350
 __do_softirq+0x1c7/0x8f9
 __irq_exit_rcu+0x11b/0x180
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0x92/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:lock_is_held_type+0x58/0x130
Code: c0 0f 85 c3 00 00 00 65 4c 8b 24 25 c0 86 03 00 41 8b 94 24 5c 09 00 00 85 d2 0f 85 aa 00 00 00 48 89 fd 41 89 f6 9c 8f 04 24 48 c7 c7 00 fc 66 84 4d 8d ac 24 60 09 00 00 31 db e8 21 0f 00
RSP: 0018:ffff888043f074c0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 1ffff110087e0ea4 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffffffff85407da0
RBP: ffffffff85407da0 R08: 0000000000000000 R09: ffffffff85b0ee97
R10: fffffbfff0b61dd2 R11: 0000000000000001 R12: ffff888041b01ac0
R13: 00000000ffffffff R14: 00000000ffffffff R15: 0000000000000000
 rcu_read_lock_sched_held+0x42/0x80
 lock_acquire+0x462/0x530
 folio_memcg_lock+0x3e/0x4a0
 page_remove_rmap+0x102/0x780
 unmap_page_range+0x2002/0x2c30
 unmap_single_vma+0x190/0x2a0
 unmap_vmas+0x226/0x380
 exit_mmap+0x158/0x680
 mmput+0xd5/0x390
 do_exit+0x99b/0x2720
 do_group_exit+0xd4/0x2a0
 get_signal+0x21a5/0x22e0
 arch_do_signal_or_restart+0x79/0x5a0
 exit_to_user_mode_prepare+0x131/0x1a0
 syscall_exit_to_user_mode+0x1d/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fa456fd9a04
Code: Unable to access opcode bytes at 0x7fa456fd99da.
RSP: 002b:00007fa45459c060 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: fffffffffffffff3 RBX: 00007fa457139f60 RCX: 00007fa456fd9a04
RDX: 0000000000000002 RSI: 00007fa45459c0f0 RDI: 00000000ffffff9c
RBP: 00007fa45459c0f0 R08: 0000000000000000 R09: 00007fa45459bf70
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000002
R13: 00007ffda92862bf R14: 00007fa45459c300 R15: 0000000000022000
----------------
Code disassembly (best guess):
   0: 55                      push   %rbp
   1: 48 89 fd                mov    %rdi,%rbp
   4: 53                      push   %rbx
   5: 0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
   a: 65 44 8b 25 b1 77 c7    mov    %gs:0x7bc777b1(%rip),%r12d # 0x7bc777c3
  11: 7b
  12: 65 8b 1d a6 77 c7 7b    mov    %gs:0x7bc777a6(%rip),%ebx # 0x7bc777bf
  19: 81 e3 ff ff ff 7f       and    $0x7fffffff,%ebx
  1f: 31 ff                   xor    %edi,%edi
  21: 89 de                   mov    %ebx,%esi
  23: 0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  28: 85 db                   test   %ebx,%ebx
* 2a: 74 15                   je     0x41 <-- trapping instruction
  2c: 0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  31: 44 89 e0                mov    %r12d,%eax
  34: 5b                      pop    %rbx
  35: 5d                      pop    %rbp
  36: 41 5c                   pop    %r12
  38: 41 5d                   pop    %r13
  3a: 41 5e                   pop    %r14
  3c: e9                      .byte 0xe9
  3d: 3a                      .byte 0x3a
  3e: 35                      .byte 0x35
  3f: 02                      .byte 0x2