Bluetooth: hci7: command 0x0406 tx timeout watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [syz-executor.1:4998] Modules linked in: irq event stamp: 4061215 hardirqs last enabled at (4061214): [] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 hardirqs last disabled at (4061215): [] sysvec_apic_timer_interrupt+0xb/0xa0 arch/x86/kernel/apic/apic.c:1094 softirqs last enabled at (4033016): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (4033019): [] asm_call_irq_on_stack+0x12/0x20 CPU: 0 PID: 4998 Comm: syz-executor.1 Not tainted 5.10.227 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:ieee80211_beacon_get_tim+0x19f/0x9f0 net/mac80211/tx.c:5004 Code: 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 fc 06 00 00 8b 9d 64 06 00 00 <31> ff 89 de e8 28 05 7f fd 85 db 75 41 e8 cf 0b 7f fd 48 b8 00 00 RSP: 0018:ffff88806ce09c88 EFLAGS: 00000246 RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffff83c1b18f RDX: 0000000000000000 RSI: ffffffff83c1b198 RDI: ffff8880474f9364 RBP: ffff8880474f8d00 R08: 0000000000000000 R09: ffff8880474f8d5f R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880474f8d58 R13: ffff888017feb500 R14: 1ffff1100d9c1394 R15: ffff8880479a1d98 FS: 00007f962ab45700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5693d63018 CR3: 000000001af02000 CR4: 0000000000350ef0 Call Trace: ieee80211_beacon_get include/net/mac80211.h:4912 [inline] mac80211_hwsim_beacon_tx+0x111/0x940 drivers/net/wireless/mac80211_hwsim.c:1740 __iterate_interfaces+0x1f0/0x550 net/mac80211/util.c:792 ieee80211_iterate_active_interfaces_atomic+0x71/0x1c0 net/mac80211/util.c:828 mac80211_hwsim_beacon+0xd1/0x1d0 drivers/net/wireless/mac80211_hwsim.c:1793 __run_hrtimer kernel/time/hrtimer.c:1586 [inline] __hrtimer_run_queues+0x632/0xb40 kernel/time/hrtimer.c:1650 hrtimer_run_softirq+0x148/0x310 kernel/time/hrtimer.c:1667 __do_softirq+0x1b8/0x7c9 kernel/softirq.c:298 asm_call_irq_on_stack+0x12/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0x80/0xa0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x114/0x1b0 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x43/0xa0 arch/x86/kernel/apic/apic.c:1094 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:slab_free_hook mm/slub.c:1542 [inline] RIP: 0010:slab_free_freelist_hook+0x99/0x180 mm/slub.c:1576 Code: a9 00 00 80 00 0f 84 bc 00 00 00 9c 41 5e fa 41 f7 c6 00 02 00 00 0f 85 b8 00 00 00 8b 73 1c 4c 89 ff e8 4a 92 ba ff 41 56 9d <48> 8b 54 24 40 4c 89 fe 48 89 df e8 c7 95 00 00 84 c0 74 8d 48 8b RSP: 0018:ffff888047e777b0 EFLAGS: 00000286 RAX: 000000000038fe7f RBX: ffff88800c6a9b40 RCX: 1ffffffff0d1383a RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff816bff18 RBP: 0000000000000008 R08: 0000000000000001 R09: ffffffff8686a767 R10: fffffbfff0d0d4ec R11: 0000000000000001 R12: ffff888047e77800 R13: ffff88801ab65b58 R14: 0000000000000286 R15: ffff88801ab65b58 slab_free mm/slub.c:3149 [inline] kmem_cache_free+0xa7/0x2d0 mm/slub.c:3165 jbd2_free_handle include/linux/jbd2.h:1559 [inline] jbd2_journal_stop+0x61f/0xdc0 fs/jbd2/transaction.c:1938 __ext4_journal_stop+0xde/0x1f0 fs/ext4/ext4_jbd2.c:127 move_extent_per_page fs/ext4/move_extent.c:401 [inline] ext4_move_extents+0x15c3/0x3050 fs/ext4/move_extent.c:673 __ext4_ioctl+0x302e/0x4190 fs/ext4/ioctl.c:999 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 RIP: 0033:0x7f962d5f0b19 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f962ab45188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f962d704020 RCX: 00007f962d5f0b19 RDX: 0000000020000040 RSI: 00000000c028660f RDI: 0000000000000003 RBP: 00007f962d64af6d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc6b7aafcf R14: 00007f962ab45300 R15: 0000000000022000 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline] NMI backtrace for cpu 1 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline] NMI backtrace for cpu 1 skipped: idling at default_idle+0xe/0x20 arch/x86/kernel/process.c:706 ---------------- Code disassembly (best guess), 3 bytes skipped: 0: df 48 89 fisttps -0x77(%rax) 3: fa cli 4: 48 c1 ea 03 shr $0x3,%rdx 8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx c: 48 89 f8 mov %rdi,%rax f: 83 e0 07 and $0x7,%eax 12: 83 c0 03 add $0x3,%eax 15: 38 d0 cmp %dl,%al 17: 7c 08 jl 0x21 19: 84 d2 test %dl,%dl 1b: 0f 85 fc 06 00 00 jne 0x71d 21: 8b 9d 64 06 00 00 mov 0x664(%rbp),%ebx * 27: 31 ff xor %edi,%edi <-- trapping instruction 29: 89 de mov %ebx,%esi 2b: e8 28 05 7f fd callq 0xfd7f0558 30: 85 db test %ebx,%ebx 32: 75 41 jne 0x75 34: e8 cf 0b 7f fd callq 0xfd7f0c08 39: 48 rex.W 3a: b8 .byte 0xb8