INFO: task syz-executor.5:5128 blocked for more than 143 seconds.
      Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5  state:D stack:28408 pid: 5128 ppid:  3646 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5116 [inline]
 __schedule+0xa00/0x4b30 kernel/sched/core.c:6431
 schedule+0xd2/0x1f0 kernel/sched/core.c:6503
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6562
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xa70/0x1350 kernel/locking/mutex.c:747
 misc_open+0x55/0x4a0 drivers/char/misc.c:107
 chrdev_open+0x266/0x770 fs/char_dev.c:414
 do_dentry_open+0x4a1/0x11f0 fs/open.c:824
 do_open fs/namei.c:3477 [inline]
 path_openat+0x1c71/0x2910 fs/namei.c:3610
 do_filp_open+0x1aa/0x400 fs/namei.c:3637
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1254
 do_sys_open fs/open.c:1270 [inline]
 __do_sys_openat fs/open.c:1286 [inline]
 __se_sys_openat fs/open.c:1281 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1281
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f4f1643c024
RSP: 002b:00007f4f1755f020 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f4f1659bf60 RCX: 00007f4f1643c024
RDX: 0000000000000002 RSI: 00007f4f164e1ee8 RDI: 00000000ffffff9c
RBP: 00007f4f164e1ee8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000002
R13: 0000000000000000 R14: 00000000200001c0 R15: 0000000000022000
 </TASK>
INFO: task syz-executor.3:5132 blocked for more than 143 seconds.
      Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3  state:D stack:28376 pid: 5132 ppid:  3648 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5116 [inline]
 __schedule+0xa00/0x4b30 kernel/sched/core.c:6431
 schedule+0xd2/0x1f0 kernel/sched/core.c:6503
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6562
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0xa70/0x1350 kernel/locking/mutex.c:747
 misc_open+0x55/0x4a0 drivers/char/misc.c:107
 chrdev_open+0x266/0x770 fs/char_dev.c:414
 do_dentry_open+0x4a1/0x11f0 fs/open.c:824
 do_open fs/namei.c:3477 [inline]
 path_openat+0x1c71/0x2910 fs/namei.c:3610
 do_filp_open+0x1aa/0x400 fs/namei.c:3637
 do_sys_openat2+0x16d/0x4c0 fs/open.c:1254
 do_sys_open fs/open.c:1270 [inline]
 __do_sys_openat fs/open.c:1286 [inline]
 __se_sys_openat fs/open.c:1281 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1281
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f636fe3c024
RSP: 002b:00007f6371026020 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f636ff9bf60 RCX: 00007f636fe3c024
RDX: 0000000000000002 RSI: 00007f636fee1ee8 RDI: 00000000ffffff9c
RBP: 00007f636fee1ee8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000002
R13: 0000000000000000 R14: 0000000020000100 R15: 0000000000022000
 </TASK>

Showing all locks held in the system:
2 locks held by kworker/u4:1/11:
 #0: ffff8880b9d3a018 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x120 kernel/sched/core.c:544
 #1: ffff8880b9d27848 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x176/0x4e0 kernel/sched/psi.c:880
1 lock held by khungtaskd/29:
 #0: ffffffff8bd868a0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6491
5 locks held by kworker/u4:2/51:
2 locks held by getty/3287:
 #0: ffff88814c045098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:244
 #1: ffffc90002cd62e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xcea/0x1230 drivers/tty/n_tty.c:2075
5 locks held by kworker/1:3/3669:
 #0: ffff88814557d138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff88814557d138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]
 #0: ffff88814557d138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1280 [inline]
 #0: ffff88814557d138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:636 [inline]
 #0: ffff88814557d138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:663 [inline]
 #0: ffff88814557d138 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x87a/0x1610 kernel/workqueue.c:2260
 #1: ffffc9000444fda8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x8ae/0x1610 kernel/workqueue.c:2264
 #2: ffff888148e48220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:767 [inline]
 #2: ffff888148e48220 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4680 drivers/usb/core/hub.c:5693
 #3: ffff888047c88220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:767 [inline]
 #3: ffff888047c88220 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7a/0x4a0 drivers/base/dd.c:945
 #4: ffff8880471621a8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:767 [inline]
 #4: ffff8880471621a8 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7a/0x4a0 drivers/base/dd.c:945
3 locks held by udevd/3975:
 #0: ffff88801ed6ac88 (&of->mutex){+.+.}-{3:3}, at: kernfs_file_read_iter fs/kernfs/file.c:198 [inline]
 #0: ffff88801ed6ac88 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_read_iter+0x189/0x6f0 fs/kernfs/file.c:237
 #1: ffff8880466abda0 (kn->active#86){++++}-{0:0}, at: kernfs_file_read_iter fs/kernfs/file.c:199 [inline]
 #1: ffff8880466abda0 (kn->active#86){++++}-{0:0}, at: kernfs_fop_read_iter+0x1ac/0x6f0 fs/kernfs/file.c:237
 #2: ffff888047c88220 (&dev->mutex){....}-{3:3}, at: device_lock_interruptible include/linux/device.h:772 [inline]
 #2: ffff888047c88220 (&dev->mutex){....}-{3:3}, at: read_descriptors+0x3c/0x2c0 drivers/usb/core/sysfs.c:873
2 locks held by syz-executor.2/5108:
 #0: ffffffff8c82d588 (misc_mtx){+.+.}-{3:3}, at: misc_open+0x55/0x4a0 drivers/char/misc.c:107
 #1: ffffffff8bc53928 (system_transition_mutex){+.+.}-{3:3}, at: snapshot_open+0x3b/0x2a0 kernel/power/user.c:54
1 lock held by syz-executor.5/5128:
 #0: ffffffff8c82d588 (misc_mtx){+.+.}-{3:3}, at: misc_open+0x55/0x4a0 drivers/char/misc.c:107
1 lock held by syz-executor.3/5132:
 #0: ffffffff8c82d588 (misc_mtx){+.+.}-{3:3}, at: misc_open+0x55/0x4a0 drivers/char/misc.c:107

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x1e6/0x230 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:220 [inline]
 watchdog+0xc22/0xf90 kernel/hung_task.c:378
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 1208 Comm: kworker/u4:5 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy3 ieee80211_iface_work
RIP: 0010:orc_ip arch/x86/kernel/unwind_orc.c:30 [inline]
RIP: 0010:__orc_find+0x6f/0xf0 arch/x86/kernel/unwind_orc.c:52
Code: 72 4d 4c 89 e0 48 29 e8 48 89 c2 48 c1 e8 3f 48 c1 fa 02 48 01 d0 48 d1 f8 48 8d 5c 85 00 48 89 d8 48 c1 e8 03 42 0f b6 14 38 <48> 89 d8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 48 48 63 03 48 01
RSP: 0018:ffffc900057ff440 EFLAGS: 00000a07
RAX: 1ffffffff1ba147b RBX: ffffffff8dd0a3dc RCX: ffffffff81c70f80
RDX: 0000000000000000 RSI: ffffffff8e44c390 RDI: ffffffff8dd0a3b0
RBP: ffffffff8dd0a3dc R08: ffffffff8bbff9a0 R09: ffffc900057ff52c
R10: fffff52000affeaa R11: 000000000008a07a R12: ffffffff8dd0a3e0
R13: ffffffff8dd0a3b0 R14: ffffffff8dd0a3d8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005622b4fd0008 CR3: 000000000ba8e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 orc_find arch/x86/kernel/unwind_orc.c:173 [inline]
 unwind_next_frame+0x2a3/0x1cc0 arch/x86/kernel/unwind_orc.c:443
 arch_stack_walk+0x7d/0xe0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8c/0xc0 kernel/stacktrace.c:122
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1727 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1753
 slab_free mm/slub.c:3507 [inline]
 kfree+0xd6/0x4d0 mm/slub.c:4555
 ieee802_11_parse_elems_crc+0xb15/0x1050 net/mac80211/util.c:1548
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2257 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1605 [inline]
 ieee80211_ibss_rx_queued_mgmt+0xda5/0x33f0 net/mac80211/ibss.c:1639
 ieee80211_iface_process_skb net/mac80211/iface.c:1527 [inline]
 ieee80211_iface_work+0xa78/0xd10 net/mac80211/iface.c:1581
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>
----------------
Code disassembly (best guess):
   0:	72 4d                	jb     0x4f
   2:	4c 89 e0             	mov    %r12,%rax
   5:	48 29 e8             	sub    %rbp,%rax
   8:	48 89 c2             	mov    %rax,%rdx
   b:	48 c1 e8 3f          	shr    $0x3f,%rax
   f:	48 c1 fa 02          	sar    $0x2,%rdx
  13:	48 01 d0             	add    %rdx,%rax
  16:	48 d1 f8             	sar    %rax
  19:	48 8d 5c 85 00       	lea    0x0(%rbp,%rax,4),%rbx
  1e:	48 89 d8             	mov    %rbx,%rax
  21:	48 c1 e8 03          	shr    $0x3,%rax
  25:	42 0f b6 14 38       	movzbl (%rax,%r15,1),%edx
* 2a:	48 89 d8             	mov    %rbx,%rax <-- trapping instruction
  2d:	83 e0 07             	and    $0x7,%eax
  30:	83 c0 03             	add    $0x3,%eax
  33:	38 d0                	cmp    %dl,%al
  35:	7c 04                	jl     0x3b
  37:	84 d2                	test   %dl,%dl
  39:	75 48                	jne    0x83
  3b:	48 63 03             	movslq (%rbx),%rax
  3e:	48                   	rex.W
  3f:	01                   	.byte 0x1