EXT4-fs (loop1): mount failed
audit: type=1326 audit(1727631029.091:1848): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=5840 comm="syz-executor.1" exe="/syz-executor.1" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f546af59b19 code=0x7ffc0000
watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [syz-executor.3:5811]
Modules linked in:
irq event stamp: 10824335
hardirqs last  enabled at (10824334): [<ffffffff84000d02>] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
hardirqs last disabled at (10824335): [<ffffffff83e5e2fb>] sysvec_apic_timer_interrupt+0xb/0xa0 arch/x86/kernel/apic/apic.c:1094
softirqs last  enabled at (10803048): [<ffffffff84001092>] asm_call_irq_on_stack+0x12/0x20
softirqs last disabled at (10803053): [<ffffffff84001092>] asm_call_irq_on_stack+0x12/0x20
CPU: 0 PID: 5811 Comm: syz-executor.3 Not tainted 5.10.226 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:arch_stack_walk+0xa5/0xf0 arch/x86/kernel/stacktrace.c:30
Code: ff ff ff e8 5d 08 07 00 8b 85 78 ff ff ff 85 c0 74 14 48 8d bd 78 ff ff ff e8 17 05 07 00 48 89 c6 48 85 c0 75 ca 48 8b 45 d8 <65> 48 2b 04 25 28 00 00 00 75 33 48 83 c4 68 5b 41 5c 41 5d 41 5e
RSP: 0018:ffff88806ce09890 EFLAGS: 00000246
RAX: ae4c0b60450e6800 RBX: ffffffff813009f0 RCX: ffff88806ce097a8
RDX: 1ffff11001719aff RSI: 0000000000000000 RDI: ffff88800b8cd7f8
RBP: ffff88806ce09918 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88806ce09948
R13: 0000000000000000 R14: ffff88800b8ccec0 R15: ffff888047b79dc0
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005565a7ab8678 CR3: 000000000e9c4000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:121
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x110/0x160 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1542 [inline]
 slab_free_freelist_hook+0xa9/0x180 mm/slub.c:1576
 slab_free mm/slub.c:3149 [inline]
 kmem_cache_free+0xa7/0x2d0 mm/slub.c:3165
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:637
 __kfree_skb net/core/skbuff.c:694 [inline]
 consume_skb net/core/skbuff.c:849 [inline]
 consume_skb+0x11d/0x2b0 net/core/skbuff.c:843
 mac80211_hwsim_tx_frame+0x15a/0x1e0 drivers/net/wireless/mac80211_hwsim.c:1717
 mac80211_hwsim_beacon_tx+0x494/0x940 drivers/net/wireless/mac80211_hwsim.c:1770
 __iterate_interfaces+0x1f0/0x550 net/mac80211/util.c:792
 ieee80211_iterate_active_interfaces_atomic+0x71/0x1c0 net/mac80211/util.c:828
 mac80211_hwsim_beacon+0xd1/0x1d0 drivers/net/wireless/mac80211_hwsim.c:1793
 __run_hrtimer kernel/time/hrtimer.c:1586 [inline]
 __hrtimer_run_queues+0x632/0xb40 kernel/time/hrtimer.c:1650
 hrtimer_run_softirq+0x148/0x310 kernel/time/hrtimer.c:1667
 __do_softirq+0x1b8/0x7c9 kernel/softirq.c:298
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0x80/0xa0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:393 [inline]
 __irq_exit_rcu kernel/softirq.c:423 [inline]
 irq_exit_rcu+0x114/0x1b0 kernel/softirq.c:435
 sysvec_apic_timer_interrupt+0x43/0xa0 arch/x86/kernel/apic/apic.c:1094
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:instrument_atomic_read include/linux/instrumented.h:71 [inline]
RIP: 0010:atomic_read include/asm-generic/atomic-instrumented.h:27 [inline]
RIP: 0010:page_ref_count include/linux/page_ref.h:67 [inline]
RIP: 0010:put_page_testzero include/linux/mm.h:707 [inline]
RIP: 0010:__free_pages+0x3e/0x120 mm/page_alloc.c:5062
Code: 06 00 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 e1 00 00 00 4c 8d 65 34 be 04 00 00 00 48 8b 5d 00 <4c> 89 e7 e8 4a 19 06 00 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48
RSP: 0018:ffff888046d5f9b8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: 0100000000000002 RCX: ffffffff81665226
RDX: 1ffffd40001d7c58 RSI: 0000000000000004 RDI: ffffea0000ebe2c0
RBP: ffffea0000ebe2c0 R08: 0000000000000000 R09: ffffea0000ebe2c7
R10: fffff940001d7c58 R11: 0000000000000001 R12: ffffea0000ebe2f4
R13: 0000000000000000 R14: ffffed1001d17845 R15: ffffea0000ebe2c0
 __vunmap+0x705/0xa80 mm/vmalloc.c:2270
 __vfree mm/vmalloc.c:2318 [inline]
 vfree+0x90/0x150 mm/vmalloc.c:2349
 kcov_put kernel/kcov.c:408 [inline]
 kcov_put+0x2a/0x40 kernel/kcov.c:404
 kcov_close+0xc/0x20 kernel/kcov.c:510
 __fput+0x285/0x9f0 fs/file_table.c:281
 task_work_run+0xe2/0x1a0 kernel/task_work.c:185
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0xb6f/0x2600 kernel/exit.c:860
 do_group_exit+0x125/0x310 kernel/exit.c:982
 get_signal+0x4bc/0x2350 kernel/signal.c:2759
 arch_do_signal_or_restart+0x2b7/0x1990 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x10f/0x190 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x38/0x1d0 kernel/entry/common.c:274
 entry_SYSCALL_64_after_hwframe+0x67/0xd1
RIP: 0033:0x7f01c2bb68d7
Code: Unable to access opcode bytes at RIP 0x7f01c2bb68ad.
RSP: 002b:00007f01c012bf48 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 00007f01c2c00970 RCX: 00007f01c2bb68d7
RDX: 0000000000000005 RSI: 0000000000004c00 RDI: 0000000000000006
RBP: 0000000000000006 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005
R13: 0000000000000005 R14: 00000000200004b8 R15: 0000000000000005
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5826 Comm: syz-executor.0 Not tainted 5.10.226 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__sysvec_apic_timer_interrupt+0x7/0x310 arch/x86/kernel/apic/apic.c:1095
Code: ff ff ff 48 c7 c7 00 2d 65 85 e8 c4 71 5e 00 eb a0 e8 bd 71 5e 00 eb c0 66 66 2e 0f 1f 84 00 00 00 00 00 48 c7 c0 80 0b c9 84 <55> 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 53 65 48 8b 1d 71 71
RSP: 0018:ffff88806cf09ff0 EFLAGS: 00000056
RAX: ffffffff84c90b80 RBX: 0000000000000000 RCX: ffffffff814715b4
RDX: ffff88804a597348 RSI: ffffffff810e2000 RDI: ffff88804a597348
RBP: ffff88804a597320 R08: 0000000000000000 R09: ffffffff85675ecf
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005565a7ab8678 CR3: 000000000e9c4000 CR4: 0000000000350ee0
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 asm_call_irq_on_stack+0x12/0x20
 </IRQ>
 __run_sysvec_on_irqstack arch/x86/include/asm/irq_stack.h:37 [inline]
 run_sysvec_on_irqstack_cond arch/x86/include/asm/irq_stack.h:89 [inline]
 sysvec_apic_timer_interrupt+0x7f/0xa0 arch/x86/kernel/apic/apic.c:1094
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635
RIP: 0010:lock_acquire+0x1b9/0x470 kernel/locking/lockdep.c:5534
Code: 44 db 7e e8 39 91 ff ff b8 ff ff ff ff 48 83 c4 20 65 0f c1 05 e8 44 db 7e 83 f8 01 4c 8b 54 24 08 0f 85 48 02 00 00 41 52 9d <48> b8 00 00 00 00 00 fc ff df 48 01 c3 48 c7 03 00 00 00 00 48 c7
RSP: 0018:ffff88804a5973f0 EFLAGS: 00000246
RAX: 0000000000000001 RBX: 1ffff110094b2e80 RCX: 000000000cd5f2c5
RDX: 1ffff1100137e128 RSI: a44cd7c11d49c3b2 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff868686e7
R10: 0000000000000246 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000000 R14: ffffffff84ff8c20 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:303 [inline]
 rcu_read_lock include/linux/rcupdate.h:717 [inline]
 percpu_ref_put_many.constprop.0+0x2b/0x110 include/linux/percpu-refcount.h:317
 percpu_ref_put include/linux/percpu-refcount.h:338 [inline]
 obj_cgroup_put include/linux/memcontrol.h:518 [inline]
 memcg_slab_free_hook mm/slab.h:385 [inline]
 memcg_slab_free_hook mm/slab.h:351 [inline]
 do_slab_free mm/slub.c:3105 [inline]
 ___cache_free+0x1de/0x360 mm/slub.c:3156
 qlink_free mm/kasan/quarantine.c:151 [inline]
 qlist_free_all+0x59/0xe0 mm/kasan/quarantine.c:170
 quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:267
 __kasan_kmalloc.constprop.0+0xa2/0xd0 mm/kasan/common.c:442
 slab_post_alloc_hook mm/slab.h:532 [inline]
 slab_alloc_node mm/slub.c:2896 [inline]
 slab_alloc mm/slub.c:2904 [inline]
 kmem_cache_alloc+0x13b/0x310 mm/slub.c:2909
 skb_clone+0x14f/0x3d0 net/core/skbuff.c:1457
 do_one_broadcast net/netlink/af_netlink.c:1455 [inline]
 netlink_broadcast_filtered+0xa08/0xdc0 net/netlink/af_netlink.c:1530
 netlink_broadcast+0x35/0x50 net/netlink/af_netlink.c:1554
 uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:409 [inline]
 kobject_uevent_env+0x93d/0xfd0 lib/kobject_uevent.c:608
 device_del+0xa8f/0x1180 drivers/base/core.c:3203
 device_unregister+0x11/0x30 drivers/base/core.c:3226
 hci_conn_del_sysfs+0xa7/0xd0 net/bluetooth/hci_sysfs.c:84
 hci_conn_cleanup+0x2c6/0x5d0 net/bluetooth/hci_conn.c:140
 hci_conn_del+0x23e/0x650 net/bluetooth/hci_conn.c:645
 hci_conn_hash_flush+0x191/0x230 net/bluetooth/hci_conn.c:1572
 hci_dev_do_close+0x719/0x1240 net/bluetooth/hci_core.c:1784
 hci_unregister_dev+0x179/0x460 net/bluetooth/hci_core.c:3854
 vhci_release+0x70/0xf0 drivers/bluetooth/hci_vhci.c:345
 __fput+0x285/0x9f0 fs/file_table.c:281
 task_work_run+0xe2/0x1a0 kernel/task_work.c:185
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0xb6f/0x2600 kernel/exit.c:860
 do_group_exit+0x125/0x310 kernel/exit.c:982
 get_signal+0x4bc/0x2350 kernel/signal.c:2759
 arch_do_signal_or_restart+0x2b7/0x1990 arch/x86/kernel/signal.c:805
 handle_signal_work kernel/entry/common.c:145 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x10f/0x190 kernel/entry/common.c:199
 syscall_exit_to_user_mode+0x38/0x1d0 kernel/entry/common.c:274
 entry_SYSCALL_64_after_hwframe+0x67/0xd1
RIP: 0033:0x7f197772bb19
Code: Unable to access opcode bytes at RIP 0x7f197772baef.
RSP: 002b:00007f1974ca1218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffff5 RBX: 00007f197783ef68 RCX: 00007f197772bb19
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f197783ef68
RBP: 00007f197783ef60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f197783ef6c
R13: 00007ffedb49025f R14: 00007f1974ca1300 R15: 0000000000022000
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	e8 5d 08 07 00       	callq  0x70862
   5:	8b 85 78 ff ff ff    	mov    -0x88(%rbp),%eax
   b:	85 c0                	test   %eax,%eax
   d:	74 14                	je     0x23
   f:	48 8d bd 78 ff ff ff 	lea    -0x88(%rbp),%rdi
  16:	e8 17 05 07 00       	callq  0x70532
  1b:	48 89 c6             	mov    %rax,%rsi
  1e:	48 85 c0             	test   %rax,%rax
  21:	75 ca                	jne    0xffffffed
  23:	48 8b 45 d8          	mov    -0x28(%rbp),%rax
* 27:	65 48 2b 04 25 28 00 	sub    %gs:0x28,%rax <-- trapping instruction
  2e:	00 00
  30:	75 33                	jne    0x65
  32:	48 83 c4 68          	add    $0x68,%rsp
  36:	5b                   	pop    %rbx
  37:	41 5c                	pop    %r12
  39:	41 5d                	pop    %r13
  3b:	41 5e                	pop    %r14