Bluetooth: hci3 command 0x0406 tx timeout Bluetooth: hci1 command 0x0406 tx timeout Bluetooth: hci2 command 0x0406 tx timeout Bluetooth: hci5 command 0x0406 tx timeout Bluetooth: hci4 command 0x0406 tx timeout BUG: workqueue lockup - pool cpus=1 node=0 flags=0x0 nice=0 stuck for 236s! Showing busy workqueues and worker pools: workqueue events: flags=0x0 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=20/256 refcnt=21 in-flight: 4625:rtc_timer_do_work pending: nfc_urelease_event_work, defense_work_handler, macvlan_process_broadcast, macvlan_process_broadcast, macvlan_process_broadcast, defense_work_handler, cache_reap, macvlan_process_broadcast, macvlan_process_broadcast, macvlan_process_broadcast, nfc_urelease_event_work, nfc_urelease_event_work, macvlan_process_broadcast, macvlan_process_broadcast, nfc_urelease_event_work, bpf_prog_free_deferred, wait_rcu_exp_gp, free_obj_work, hci_cmd_timeout pwq 0: cpus=0 node=0 flags=0x0 nice=0 active=2/256 refcnt=3 in-flight: 9155:key_garbage_collector key_garbage_collector workqueue events_unbound: flags=0x2 pwq 4: cpus=0-1 flags=0x4 nice=0 active=4/512 refcnt=7 in-flight: 9005:fsnotify_mark_destroy_workfn fsnotify_mark_destroy_workfn, 34:fsnotify_connector_destroy_workfn fsnotify_connector_destroy_workfn workqueue events_freezable: flags=0x4 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 pending: update_balloon_stats_func workqueue events_power_efficient: flags=0x80 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=3/256 refcnt=4 pending: process_srcu, do_cache_clean, check_lifetime workqueue mm_percpu_wq: flags=0x8 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 pending: vmstat_update workqueue netns: flags=0xe000a pwq 4: cpus=0-1 flags=0x4 nice=0 active=1/1 refcnt=4 in-flight: 429:cleanup_net workqueue dm_bufio_cache: flags=0x8 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=1/256 refcnt=2 pending: work_fn workqueue ipv6_addrconf: flags=0x40008 pwq 2: cpus=1 node=0 flags=0x0 nice=0 active=1/1 refcnt=41 
pending: addrconf_dad_work delayed: addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_dad_work, addrconf_verify_work workqueue bat_events: flags=0xe000a pwq 4: cpus=0-1 flags=0x4 nice=0 active=1/1 refcnt=4 pending: batadv_iv_send_outstanding_bat_ogm_packet pool 0: cpus=0 node=0 flags=0x0 nice=0 hung=0s workers=5 idle: 3 3624 24 9174 pool 2: cpus=1 node=0 flags=0x0 nice=0 hung=236s workers=5 idle: 18 8984 9194 23 pool 4: cpus=0-1 flags=0x4 nice=0 hung=0s workers=6 idle: 22 5 321 INFO: task kworker/u4:2:34 blocked for more than 140 seconds. Not tainted 4.14.273-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
kworker/u4:2 D28912 34 2 0x80000000
Workqueue: events_unbound fsnotify_connector_destroy_workfn
Call Trace:
 context_switch kernel/sched/core.c:2811 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3387
 schedule+0x8d/0x1b0 kernel/sched/core.c:3431
 schedule_timeout+0x80a/0xe90 kernel/time/timer.c:1724
 do_wait_for_common kernel/sched/completion.c:91 [inline]
 __wait_for_common kernel/sched/completion.c:112 [inline]
 wait_for_common+0x272/0x430 kernel/sched/completion.c:123
 __synchronize_srcu+0x10a/0x1d0 kernel/rcu/srcutree.c:898
 fsnotify_connector_destroy_workfn+0x49/0xa0 fs/notify/mark.c:156
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
INFO: task kworker/u4:4:429 blocked for more than 140 seconds.
      Not tainted 4.14.273-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u4:4 D26088 429 2 0x80000000
Workqueue: netns cleanup_net
Call Trace:
 context_switch kernel/sched/core.c:2811 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3387
 schedule+0x8d/0x1b0 kernel/sched/core.c:3431
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3489
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x669/0x1310 kernel/locking/mutex.c:893
 netdev_wait_allrefs net/core/dev.c:7853 [inline]
 netdev_run_todo+0x79d/0xad0 net/core/dev.c:7947
 ip6gre_exit_net+0x423/0x570 net/ipv6/ip6_gre.c:1210
 ops_exit_list+0xad/0x160 net/core/net_namespace.c:142
 cleanup_net+0x3b3/0x840 net/core/net_namespace.c:487
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
INFO: task kworker/u4:5:9005 blocked for more than 140 seconds.
      Not tainted 4.14.273-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u4:5 D28880 9005 2 0x80000000
Workqueue: events_unbound fsnotify_mark_destroy_workfn
Call Trace:
 context_switch kernel/sched/core.c:2811 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3387
 schedule+0x8d/0x1b0 kernel/sched/core.c:3431
 schedule_timeout+0x80a/0xe90 kernel/time/timer.c:1724
 do_wait_for_common kernel/sched/completion.c:91 [inline]
 __wait_for_common kernel/sched/completion.c:112 [inline]
 wait_for_common+0x272/0x430 kernel/sched/completion.c:123
 __synchronize_srcu+0x10a/0x1d0 kernel/rcu/srcutree.c:898
 fsnotify_mark_destroy_workfn+0xed/0x2e0 fs/notify/mark.c:757
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
INFO: task kworker/0:3:9155 blocked for more than 140 seconds.
      Not tainted 4.14.273-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/0:3 D26720 9155 2 0x80000000
Workqueue: events key_garbage_collector
Call Trace:
 context_switch kernel/sched/core.c:2811 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3387
 schedule+0x8d/0x1b0 kernel/sched/core.c:3431
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:3489
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x669/0x1310 kernel/locking/mutex.c:893
 exp_funnel_lock kernel/rcu/tree_exp.h:305 [inline]
 _synchronize_rcu_expedited+0x32d/0x770 kernel/rcu/tree_exp.h:596
 synchronize_rcu+0x98/0x130 kernel/rcu/tree_plugin.h:762
 key_garbage_collector+0x2af/0x7c0 security/keys/gc.c:292
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2117
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2251
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
INFO: task syz-executor.2:9699 blocked for more than 140 seconds.
      Not tainted 4.14.273-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2 D28912 9699 7987 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2811 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3387
 schedule+0x8d/0x1b0 kernel/sched/core.c:3431
 _synchronize_rcu_expedited+0x522/0x770 kernel/rcu/tree_exp.h:615
 synchronize_net+0x2b/0x40 net/core/dev.c:8248
 __tun_detach+0x2b3/0xf60 drivers/net/tun.c:568
 tun_detach drivers/net/tun.c:594 [inline]
 tun_chr_close+0x41/0x60 drivers/net/tun.c:2732
 __fput+0x25f/0x7a0 fs/file_table.c:210
 task_work_run+0x11f/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1ad/0x200 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f89675a8c8b
RSP: 002b:00007ffd879ad2c0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f89675a8c8b
RDX: 00007f896770d2e0 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 00007f896770a960 R08: 0000000000000000 R09: 00007f896770d2e8
R10: 00007ffd879ad3c0 R11: 0000000000000293 R12: 000000000002fccc
R13: 00007ffd879ad3c0 R14: 00007f8967708f60 R15: 0000000000000032
INFO: task syz-executor.0:9716 blocked for more than 140 seconds.
      Not tainted 4.14.273-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.0 D29800 9716 7991 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2811 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3387
 schedule+0x8d/0x1b0 kernel/sched/core.c:3431
 exp_funnel_lock kernel/rcu/tree_exp.h:295 [inline]
 _synchronize_rcu_expedited+0x5f6/0x770 kernel/rcu/tree_exp.h:596
 synchronize_net+0x2b/0x40 net/core/dev.c:8248
 packet_release+0x740/0xa80 net/packet/af_packet.c:3112
 __sock_release+0x1fc/0x2b0 net/socket.c:602
 sock_release net/socket.c:623 [inline]
 SYSC_socketpair net/socket.c:1460 [inline]
 SyS_socketpair+0x360/0x480 net/socket.c:1366
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fca24d7a049
RSP: 002b:00007fca236ef168 EFLAGS: 00000246 ORIG_RAX: 0000000000000035
RAX: ffffffffffffffda RBX: 00007fca24e8cf60 RCX: 00007fca24d7a049
RDX: 0000000000000cd4 RSI: 000000000000000a RDI: 0000000000000011
RBP: 00007fca24dd408d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000740 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffd19a370f R14: 00007fca236ef300 R15: 0000000000022000

Showing all locks held in the system:
2 locks held by kworker/u4:2/34:
 #0: ("events_unbound"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1: (connector_reaper_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
4 locks held by kworker/u4:4/429:
 #0: ("%s""netns"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1: (net_cleanup_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
 #2: (net_mutex){+.+.}, at: [] cleanup_net+0x110/0x840 net/core/net_namespace.c:453
 #3: (rtnl_mutex){+.+.}, at: [] netdev_wait_allrefs net/core/dev.c:7853 [inline]
 #3: (rtnl_mutex){+.+.}, at: [] netdev_run_todo+0x79d/0xad0 net/core/dev.c:7947
1 lock held by khungtaskd/1527:
 #0: (tasklist_lock){.+.+}, at: [] debug_show_all_locks+0x7c/0x21a kernel/locking/lockdep.c:4548
2 locks held by kworker/u4:5/9005:
 #0: ("events_unbound"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1: ((reaper_work).work){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
3 locks held by kworker/0:3/9155:
 #0: ("events"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1: (key_gc_work){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
 #2: (rcu_preempt_state.exp_mutex){+.+.}, at: [] exp_funnel_lock kernel/rcu/tree_exp.h:305 [inline]
 #2: (rcu_preempt_state.exp_mutex){+.+.}, at: [] _synchronize_rcu_expedited+0x32d/0x770 kernel/rcu/tree_exp.h:596
2 locks held by syz-executor.2/9699:
 #0: (rtnl_mutex){+.+.}, at: [] tun_detach drivers/net/tun.c:593 [inline]
 #0: (rtnl_mutex){+.+.}, at: [] tun_chr_close+0x34/0x60 drivers/net/tun.c:2732
 #1: (rcu_preempt_state.exp_mutex){+.+.}, at: [] exp_funnel_lock kernel/rcu/tree_exp.h:272 [inline]
 #1: (rcu_preempt_state.exp_mutex){+.+.}, at: [] _synchronize_rcu_expedited+0x2c2/0x770 kernel/rcu/tree_exp.h:596

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1527 Comm: khungtaskd Not tainted 4.14.273-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 nmi_cpu_backtrace.cold+0x57/0x93 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x13a/0x180 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:140 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:195 [inline]
 watchdog+0x5b9/0xb40 kernel/hung_task.c:274
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4624 Comm: systemd-journal Not tainted 4.14.273-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a12a2140 task.stack: ffff8880a12a8000
RIP: 0010:radix_tree_lookup_slot+0x0/0xa0 lib/radix-tree.c:1076
RSP: 0000:ffff8880a12afa50 EFLAGS: 00000297
RAX: ffff8880a12a2140 RBX: ffff8880a135e848 RCX: 1ffffffff1198fad
RDX: 0000000000000000 RSI: 00000000000002a3 RDI: ffff8880a135e850
RBP: ffff8880a135e848 R08: 0000000000000000 R09: 0000000000020012
R10: ffff8880a12a29f0 R11: ffff8880a12a2140 R12: ffff8880a135e638
R13: 00000000000002a3 R14: dffffc0000000000 R15: 00000000000002a3
FS: 00007f11d29208c0(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f11cfd42010 CR3: 00000000a1557000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 find_get_entry+0x8b/0x630 mm/filemap.c:1355
 find_lock_entry+0x2e/0x3c0 mm/filemap.c:1419
 shmem_getpage_gfp+0x15d/0x2a40 mm/shmem.c:1636
 shmem_fault+0x1dd/0x5e0 mm/shmem.c:2017
 __do_fault+0xfa/0x380 mm/memory.c:3326
 do_shared_fault mm/memory.c:3791 [inline]
 do_fault mm/memory.c:3866 [inline]
 handle_pte_fault mm/memory.c:4092 [inline]
 __handle_mm_fault+0x2373/0x4620 mm/memory.c:4216
 handle_mm_fault+0x455/0x9c0 mm/memory.c:4253
 __do_page_fault+0x549/0xad0 arch/x86/mm/fault.c:1442
 page_fault+0x45/0x50 arch/x86/entry/entry_64.S:1123
RIP: 0000:0x7ffca5c07888
RSP: 48e85390:0000000000000061 EFLAGS: 55f448e7ae80
Code: 48 8b 7c 24 20 e8 41 51 80 fa e9 df fe ff ff 48 8b 7c 24 18 e8 32 51 80 fa e9 99 fe ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 <48> b8 00 00 00 00 00 fc ff df 41 54 49 89 fc 55 48 89 f5 53 48
----------------
Code disassembly (best guess):
   0:  48 8b 7c 24 20        mov    0x20(%rsp),%rdi
   5:  e8 41 51 80 fa        callq  0xfa80514b
   a:  e9 df fe ff ff        jmpq   0xfffffeee
   f:  48 8b 7c 24 18        mov    0x18(%rsp),%rdi
  14:  e8 32 51 80 fa        callq  0xfa80514b
  19:  e9 99 fe ff ff        jmpq   0xfffffeb7
  1e:  66 66 2e 0f 1f 84 00  data16 nopw %cs:0x0(%rax,%rax,1)
  25:  00 00 00 00
  29:  66 90                 xchg   %ax,%ax
* 2b:  48 b8 00 00 00 00 00  movabs $0xdffffc0000000000,%rax <-- trapping instruction
  32:  fc ff df
  35:  41 54                 push   %r12
  37:  49 89 fc              mov    %rdi,%r12
  3a:  55                    push   %rbp
  3b:  48 89 f5              mov    %rsi,%rbp
  3e:  53                    push   %rbx
  3f:  48                    rex.W