watchdog: BUG: soft lockup - CPU#1 stuck for 142s! [syz-executor.0:13547]
Modules linked in:
irq event stamp: 33172593
hardirqs last enabled at (33172592): [] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
hardirqs last disabled at (33172593): [] sysvec_apic_timer_interrupt+0xb/0xc0 arch/x86/kernel/apic/apic.c:1097
softirqs last enabled at (33172244): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last enabled at (33172244): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
softirqs last disabled at (33172251): [] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (33172251): [] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
CPU: 1 PID: 13547 Comm: syz-executor.0 Not tainted 5.15.0-next-20211105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5605
Code: 96 a5 7e 83 f8 01 0f 85 b4 02 00 00 9c 58 f6 c4 02 0f 85 9f 02 00 00 48 83 7c 24 08 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffffc90000dc0c48 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff920001b818b RCX: ffffffff815c915f
RDX: 1ffff1102c88c4f4 RSI: 0000000000000100 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff8ff72adf
R10: fffffbfff1fee55b R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffc90000dc0d70 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8fccd93000 CR3: 000000000b88e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 call_timer_fn+0x12b/0x6b0 kernel/time/timer.c:1418
 expire_timers kernel/time/timer.c:1466 [inline]
 __run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
 __run_timers kernel/time/timer.c:1715 [inline]
 run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:put_cpu_partial+0x134/0x210 mm/slub.c:2602
Code: 00 00 48 c7 c6 f4 03 be 81 48 89 df e8 85 d7 9e ff 4d 85 e4 75 4c 9c 58 f6 c4 02 0f 85 ae 00 00 00 4d 85 e4 74 01 fb 4d 85 ed <74> 21 5b 4c 89 ee 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 75 f7 ff
RSP: 0018:ffffc90005f475f8 EFLAGS: 00000246
RAX: 0000000000000002 RBX: ffff8880b9d3d510 RCX: 1ffffffff1fefde6
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888010c41780 R08: 0000000000000001 R09: ffffffff8ff72a27
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000200
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000002
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:259 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3234 [inline]
 __kmalloc_node_track_caller+0x238/0x360 mm/slub.c:4956
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0xde/0x340 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 alloc_uevent_skb+0x7b/0x210 lib/kobject_uevent.c:290
 uevent_net_broadcast_untagged lib/kobject_uevent.c:326 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:409 [inline]
 kobject_uevent_env+0xb09/0x1650 lib/kobject_uevent.c:593
 device_del+0x809/0xd60 drivers/base/core.c:3591
 hci_conn_del_sysfs+0xdc/0x180 net/bluetooth/hci_sysfs.c:78
 hci_conn_cleanup+0x2e7/0x6c0 net/bluetooth/hci_conn.c:138
 hci_conn_del+0x2a0/0x790 net/bluetooth/hci_conn.c:806
 hci_conn_hash_flush+0x19c/0x260 net/bluetooth/hci_conn.c:1733
 hci_dev_close_sync+0x567/0x10b0 net/bluetooth/hci_sync.c:4027
 hci_dev_do_close+0x32/0x70 net/bluetooth/hci_core.c:553
 hci_unregister_dev+0x1d0/0x550 net/bluetooth/hci_core.c:2680
 vhci_release+0x7c/0xf0 drivers/bluetooth/hci_vhci.c:566
 __fput+0x286/0x9f0 fs/file_table.c:280
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xc14/0x2b40 kernel/exit.c:832
 do_group_exit+0x125/0x310 kernel/exit.c:929
 get_signal+0x47d/0x2220 kernel/signal.c:2830
 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7efe27d5bae9
Code: Unable to access opcode bytes at RIP 0x7efe27d5babf.
RSP: 002b:00007efe252d1188 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: 0000000000000070 RBX: 00007efe27e6ef60 RCX: 00007efe27d5bae9
RDX: 0400000000000070 RSI: 0000000020007fc0 RDI: 0000000000000004
RBP: 00007efe27db5f25 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff5acd945f R14: 00007efe252d1300 R15: 0000000000022000
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.0-next-20211105-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: phy172 ieee80211_iface_work
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:981 [inline]
RIP: 0010:debug_check_no_obj_freed+0x1d8/0x420 lib/debugobjects.c:1023
Code: 02 00 00 48 89 45 08 4d 89 30 4c 89 c7 4d 89 68 08 e8 7c d0 ff ff 48 85 ed 74 2c 49 89 e8 4c 89 c0 48 c1 e8 03 42 80 3c 38 00 <0f> 84 2e ff ff ff 4c 89 c7 4c 89 44 24 38 e8 b5 13 e3 fd 4c 8b 44
RSP: 0018:ffffc90000cd7888 EFLAGS: 00000046
RAX: 1ffff1102ab17bab RBX: ffff88817b304800 RCX: ffffffff815d4ed0
RDX: 1ffffffff20da992 RSI: 0000000000000004 RDI: ffff888159613c20
RBP: ffff8881558bdd58 R08: ffff8881558bdd58 R09: ffff888160395890
R10: fffff5200019aeff R11: 000000000000003f R12: 0000000000000005
R13: dead000000000122 R14: dead000000000100 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c010e489a0 CR3: 000000006f59f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 slab_free_hook mm/slub.c:1698 [inline]
 slab_free_freelist_hook+0xeb/0x1c0 mm/slub.c:1749
 slab_free mm/slub.c:3513 [inline]
 kfree+0xf6/0x560 mm/slub.c:4561
 ieee80211_bss_info_update+0x536/0xb30 net/mac80211/scan.c:232
 ieee80211_rx_bss_info net/mac80211/ibss.c:1119 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1610 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x19cf/0x3130 net/mac80211/ibss.c:1639
 ieee80211_iface_process_skb net/mac80211/iface.c:1466 [inline]
 ieee80211_iface_work+0xa65/0xd00 net/mac80211/iface.c:1520
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
----------------
Code disassembly (best guess):
   0: 96                    xchg %eax,%esi
   1: a5                    movsl %ds:(%rsi),%es:(%rdi)
   2: 7e 83                 jle 0xffffff87
   4: f8                    clc
   5: 01 0f                 add %ecx,(%rdi)
   7: 85 b4 02 00 00 9c 58  test %esi,0x589c0000(%rdx,%rax,1)
   e: f6 c4 02              test $0x2,%ah
  11: 0f 85 9f 02 00 00     jne 0x2b6
  17: 48 83 7c 24 08 00     cmpq $0x0,0x8(%rsp)
  1d: 74 01                 je 0x20
  1f: fb                    sti
  20: 48 b8 00 00 00 00 00  movabs $0xdffffc0000000000,%rax
  27: fc ff df
* 2a: 48 01 c3              add %rax,%rbx <-- trapping instruction
  2d: 48 c7 03 00 00 00 00  movq $0x0,(%rbx)
  34: 48 c7 43 08 00 00 00  movq $0x0,0x8(%rbx)
  3b: 00
  3c: 48                    rex.W
  3d: 8b                    .byte 0x8b
  3e: 84                    .byte 0x84
  3f: 24                    .byte 0x24