loop6: detected capacity change from 0 to 16383
watchdog: BUG: soft lockup - CPU#0 stuck for 21s! [syz-executor.5:11388]
Modules linked in:
irq event stamp: 6231085
hardirqs last enabled at (6231084): [] asm_sysvec_apic_timer_interrupt+0x16/0x20
hardirqs last disabled at (6231085): [] sysvec_apic_timer_interrupt+0xb/0xc0
softirqs last enabled at (6213324): [] __irq_exit_rcu+0x11b/0x180
softirqs last disabled at (6213327): [] __irq_exit_rcu+0x11b/0x180
CPU: 0 PID: 11388 Comm: syz-executor.5 Not tainted 5.19.0-rc6-next-20220713 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:__orc_find+0x83/0xf0
Code: 01 d0 48 d1 f8 48 8d 5c 85 00 48 89 d8 48 c1 e8 03 42 0f b6 14 38 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 50 48 63 03 <48> 01 d8 48 39 c1 73 b0 4c 8d 63 fc 49 39 ec 73 b3 4d 29 ee 49 c1
RSP: 0018:ffff88806ce09790 EFLAGS: 00000246
RAX: fffffffffbdd80e6 RBX: ffffffff8599fa88 RCX: ffffffff81777bbf
RDX: 0000000000000000 RSI: ffffffff85cb9ee0 RDI: ffffffff8599fa58
RBP: ffffffff8599fa58 R08: ffffffff85cb9ee0 R09: ffffffff85cb981e
R10: ffffed100d9c1318 R11: 000000000003403c R12: ffffffff8599fab8
R13: ffffffff8599fa58 R14: ffffffff8599fa58 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c50c808ebc CR3: 000000001890a000 CR4: 0000000000350ef0
Call Trace:
unwind_next_frame+0x2b4/0x20b0
arch_stack_walk+0x83/0xf0
stack_trace_save+0x8c/0xc0
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x40
__kasan_slab_free+0x108/0x190
kfree+0xf5/0x5e0
skb_release_data+0x68a/0x7c0
consume_skb+0xc2/0x160
mac80211_hwsim_tx_frame+0x1f6/0x2a0
mac80211_hwsim_beacon_tx+0x53b/0xa10
__iterate_interfaces+0x2d3/0x560
ieee80211_iterate_active_interfaces_atomic+0x70/0x180
mac80211_hwsim_beacon+0x101/0x200
__hrtimer_run_queues+0x5de/0xbd0
hrtimer_run_softirq+0x172/0x340
__do_softirq+0x1c8/0x8d0
__irq_exit_rcu+0x11b/0x180
irq_exit_rcu+0x5/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:__kasan_check_read+0x4/0x10
Code: 0f 0b 48 83 c4 60 5b 5d 41 5c e9 c7 ba c8 02 48 05 00 80 00 00 48 89 fb 48 39 c7 0f 82 e3 cc 96 02 eb dd cc cc cc 48 8b 0c 24 <89> f6 31 d2 e9 b3 f9 ff ff 0f 1f 00 48 8b 0c 24 89 f6 ba 01 00 00
RSP: 0018:ffff8880450af520 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 000000000da70010 RCX: ffffffff815dd9e7
RDX: ffff8880455c9ac0 RSI: 0000000000000004 RDI: ffffea000101f574
RBP: ffffea000101f540 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffea000101f574
R13: 0000000000000115 R14: dffffc0000000000 R15: ffff88800da708b8
release_pages+0x1d7/0x10d0
tlb_batch_pages_flush+0xa8/0x1b0
unmap_page_range+0x1576/0x2720
unmap_single_vma+0x190/0x350
unmap_vmas+0x21e/0x370
exit_mmap+0x154/0x680
mmput+0xd1/0x390
do_exit+0x9e0/0x27a0
do_group_exit+0xd2/0x2f0
get_signal+0x2205/0x24b0
arch_do_signal_or_restart+0x89/0x1be0
exit_to_user_mode_prepare+0x131/0x1a0
syscall_exit_to_user_mode+0x19/0x40
do_syscall_64+0x48/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f47ba310b19
Code: Unable to access opcode bytes at RIP 0x7f47ba310aef.
RSP: 002b:00007f47b7886188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f47ba423f60 RCX: 00007f47ba310b19
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007f47ba36af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffff158971f R14: 00007f47b7886300 R15: 0000000000022000
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 11389 Comm: syz-executor.3 Not tainted 5.19.0-rc6-next-20220713 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:kasan_check_range+0x5d/0x1c0
Code: ff ff 5b 5d 83 f0 01 41 5c 41 89 c3 44 89 d8 e9 a9 c0 c8 02 48 ba ff ff ff ff ff 7f ff ff 48 39 d7 76 d7 4c 8d 48 ff 48 89 fd <48> b8 00 00 00 00 00 fc ff df 4d 89 ca 48 c1 ed 03 49 c1 ea 03 48
RSP: 0018:ffff88806cf08ef8 EFLAGS: 00000012
RAX: ffffffff858ebf58 RBX: 0000000000000001 RCX: ffffffff81297398
RDX: ffff7fffffffffff RSI: 0000000000000008 RDI: ffffffff858ebf50
RBP: ffffffff858ebf50 R08: 0000000000000000 R09: ffffffff858ebf57
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff852050a0
R13: ffff88800827bf98 R14: ffff88806cf09628 R15: 0000000000000008
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f984172d998 CR3: 000000001890a000 CR4: 0000000000350ee0
Call Trace:
lock_release+0x98/0x750
perf_output_begin_forward+0x727/0xb00
perf_event_output_forward+0xf2/0x280
__perf_event_overflow+0x13f/0x3d0
perf_swevent_hrtimer+0x38a/0x400
__hrtimer_run_queues+0x1ca/0xbd0
hrtimer_interrupt+0x315/0x770
__sysvec_apic_timer_interrupt+0x144/0x500
sysvec_apic_timer_interrupt+0x3b/0xc0
asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:unwind_next_frame+0x200/0x20b0
Code: 48 89 54 24 28 48 89 74 24 20 44 89 5c 24 18 e8 56 19 66 00 48 8b 54 24 28 48 8b 74 24 20 44 8b 5c 24 18 8b 0c 95 50 ff 03 86 <8d> 56 01 48 b8 00 00 00 00 00 fc ff df 48 8d 3c 95 50 ff 03 86 49
RSP: 0018:ffff88806cf096d8 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000002 RCX: 0000000000005d4b
RDX: 0000000000001187 RSI: 0000000000001187 RDI: ffffffff8604456c
RBP: ffff88806cf09800 R08: ffffffff850c3ac0 R09: ffff88806cf097a8
R10: ffffed100d9e1302 R11: 000000000003403c R12: ffff88806cf097e9
R13: ffff88806cf09808 R14: ffff88806cf097a8 R15: ffffffff81118729
__unwind_start+0x50f/0x7c0
arch_stack_walk+0x5f/0xf0
stack_trace_save+0x8c/0xc0
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x66/0x80
kmem_cache_alloc_node+0x1bf/0x4b0
__alloc_skb+0x210/0x300
__netdev_alloc_skb+0x72/0x3e0
__ieee80211_beacon_get+0x387/0x12d0
ieee80211_beacon_get_tim+0x95/0x4e0
mac80211_hwsim_beacon_tx+0x1a7/0xa10
__iterate_interfaces+0x2d3/0x560
ieee80211_iterate_active_interfaces_atomic+0x70/0x180
mac80211_hwsim_beacon+0x101/0x200
__hrtimer_run_queues+0x5de/0xbd0
hrtimer_run_softirq+0x172/0x340
__do_softirq+0x1c8/0x8d0
__irq_exit_rcu+0x11b/0x180
irq_exit_rcu+0x5/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
asm_sysvec_apic_timer_interrupt+0x16/0x20
RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x60
Code: 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 9a 44 0b fd 48 89 ef e8 82 c6 0b fd 80 e7 02 74 06 e8 88 a3 2d fd fb bf 01 00 00 00 9d 93 01 fd 65 8b 05 f6 3f e4 7b 85 c0 74 07 5b 5d e9 ab 0b 22
RSP: 0018:ffff888044dff7a8 EFLAGS: 00000202
RAX: 00000000005de46b RBX: 0000000000000246 RCX: ffffffff8128d56f
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff852cb160 R08: 0000000000000001 R09: ffffffff86a937ef
R10: fffffbfff0d526fd R11: 0000000000000001 R12: ffff88800dcd0f30
R13: ffff888016d8aa68 R14: ffff88800f401b48 R15: ffff888008032280
find_and_remove_object+0x123/0x170
kmemleak_free+0x21/0x40
kmem_cache_free+0xc1/0x610
unlink_anon_vmas+0x3d0/0x6f0
free_pgtables+0x24d/0x420
exit_mmap+0x1b4/0x680
mmput+0xd1/0x390
do_exit+0x9e0/0x27a0
do_group_exit+0xd2/0x2f0
get_signal+0x2205/0x24b0
arch_do_signal_or_restart+0x89/0x1be0
exit_to_user_mode_prepare+0x131/0x1a0
syscall_exit_to_user_mode+0x19/0x40
do_syscall_64+0x48/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4862ae3b19
Code: Unable to access opcode bytes at RIP 0x7f4862ae3aef.
RSP: 002b:00007f4860059188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: fffffffffffffffe RBX: 00007f4862bf6f60 RCX: 00007f4862ae3b19
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000000
RBP: 00007f4862b3df6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe7c787def R14: 00007f4860059300 R15: 0000000000022000
----------------
Code disassembly (best guess):
0: 01 d0 add %edx,%eax
2: 48 d1 f8 sar %rax
5: 48 8d 5c 85 00 lea 0x0(%rbp,%rax,4),%rbx
a: 48 89 d8 mov %rbx,%rax
d: 48 c1 e8 03 shr $0x3,%rax
11: 42 0f b6 14 38 movzbl (%rax,%r15,1),%edx
16: 48 89 d8 mov %rbx,%rax
19: 83 e0 07 and $0x7,%eax
1c: 83 c0 03 add $0x3,%eax
1f: 38 d0 cmp %dl,%al
21: 7c 04 jl 0x27
23: 84 d2 test %dl,%dl
25: 75 50 jne 0x77
27: 48 63 03 movslq (%rbx),%rax
* 2a: 48 01 d8 add %rbx,%rax <-- trapping instruction
2d: 48 39 c1 cmp %rax,%rcx
30: 73 b0 jae 0xffffffe2
32: 4c 8d 63 fc lea -0x4(%rbx),%r12
36: 49 39 ec cmp %rbp,%r12
39: 73 b3 jae 0xffffffee
3b: 4d 29 ee sub %r13,%r14
3e: 49 rex.WB
3f: c1 .byte 0xc1