INFO: task kworker/1:1:43 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc1-syzkaller-00101-g27605c8c0f69 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1     state:D stack:24296 pid:43    tgid:43    ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: events reg_todo
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5396 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6785
 __schedule_loop kernel/sched/core.c:6863 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6878
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6935
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:747
 class_wiphy_constructor include/net/cfg80211.h:6062 [inline]
 reg_process_self_managed_hints+0xad/0x1b0 net/wireless/reg.c:3209
 reg_todo+0x78d/0x890 net/wireless/reg.c:3222
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.3.57:6151 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc1-syzkaller-00101-g27605c8c0f69 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.57        state:D stack:23968 pid:6151  tgid:6150  ppid:5819   task_flags:0x400140 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5396 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6785
 __schedule_loop kernel/sched/core.c:6863 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6878
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 ___down_common kernel/locking/semaphore.c:268 [inline]
 __down_common+0x319/0x6a0 kernel/locking/semaphore.c:293
 down+0x80/0xd0 kernel/locking/semaphore.c:100
 console_lock+0x145/0x1b0 kernel/printk/printk.c:2849
 do_con_write+0x102/0x5200 drivers/tty/vt/vt.c:3138
 con_put_char+0x82/0xc0 drivers/tty/vt/vt.c:3524
 tty_put_char+0xce/0x160 drivers/tty/tty_io.c:3153
 do_output_char+0x6ac/0x970 drivers/tty/n_tty.c:463
 __process_echoes+0x2e1/0xa20 drivers/tty/n_tty.c:701
 flush_echoes drivers/tty/n_tty.c:791 [inline]
 __receive_buf drivers/tty/n_tty.c:1626 [inline]
 n_tty_receive_buf_common+0xc29/0x12f0 drivers/tty/n_tty.c:1723
 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290
 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9eb678e929
RSP: 002b:00007f9eb763f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f9eb69b5fa0 RCX: 00007f9eb678e929
RDX: 0000200000000040 RSI: 0000000000005412 RDI: 0000000000000004
RBP: 00007f9eb6810b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9eb69b5fa0 R15: 00007ffc21ef22d8
 </TASK>

Showing all locks held in the system:
1 lock held by kthreadd/2:
4 locks held by kworker/0:0/9:
 #0: ffff888058b52948 ((wq_completion)wg-kex-wg0#10){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff888058b52948 ((wq_completion)wg-kex-wg0#10){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc900000e7bc0 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc900000e7bc0 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffff88807d28d308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x150/0x900 drivers/net/wireguard/noise.c:598
 #3: ffff888077e24890 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x4de/0x900 drivers/net/wireguard/noise.c:632
5 locks held by kworker/u8:0/12:
3 locks held by kworker/u8:1/13:
1 lock held by kworker/R-mm_pe/14:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
3 locks held by kworker/1:0/24:
 #0: ffff88801a481d48 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801a481d48 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc900001e7bc0 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc900001e7bc0 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffffffff8f4fde08 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0x95/0xf00 net/wireless/reg.c:2483
1 lock held by khungtaskd/31:
 #0: ffffffff8e13eda0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e13eda0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8e13eda0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6770
1 lock held by kworker/R-write/33:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x2e/0x3a0 kernel/workqueue.c:2678
3 locks held by kworker/u8:2/36:
4 locks held by kworker/1:1/43:
 #0: ffff88801a480d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801a480d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc90000b37bc0 (reg_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90000b37bc0 (reg_work){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffffffff8f4fde08 (rtnl_mutex){+.+.}-{4:4}, at: reg_todo+0x1c/0x890 net/wireless/reg.c:3219
 #3: ffff888029b88768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: class_wiphy_constructor include/net/cfg80211.h:6062 [inline]
 #3: ffff888029b88768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: reg_process_self_managed_hints+0xad/0x1b0 net/wireless/reg.c:3209
3 locks held by kworker/u8:3/49:
3 locks held by kworker/u8:4/68:
3 locks held by kworker/u8:5/195:
4 locks held by kworker/1:2/978:
5 locks held by kworker/0:2/981:
3 locks held by kworker/u8:6/1157:
4 locks held by kworker/u8:7/2989:
3 locks held by kworker/R-ipv6_/3173:
 #0: ffff88814c689948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88814c689948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc9000b5b7ba0 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc9000b5b7ba0 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffffffff8f4fde08 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #2: ffffffff8f4fde08 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4738
1 lock held by kworker/R-bat_e/3403:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
7 locks held by kworker/u9:1/5143:
 #0: ffff88803496e948 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88803496e948 ((wq_completion)hci1){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc9000e97fbc0 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc9000e97fbc0 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffff8880330f4d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1d4/0x3a0 net/bluetooth/hci_sync.c:331
 #3: ffff8880330f4078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1eb/0xdf0 net/bluetooth/hci_sync.c:5626
 #4: ffffffff8f665e68 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2051 [inline]
 #4: ffffffff8f665e68 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310 net/bluetooth/hci_conn.c:1275
 #5: ffff888025bc6338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 net/bluetooth/l2cap_core.c:1762
 #6: ffffffff8e1448b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:336 [inline]
 #6: ffffffff8e1448b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x3b9/0x730 kernel/rcu/tree_exp.h:998
2 locks held by klogd/5182:
2 locks held by udevd/5193:
2 locks held by dhcpcd/5487:
2 locks held by dhcpcd/5488:
2 locks held by getty/5582:
 #0: ffff888030b910a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90002fee2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
1 lock held by syz-executor/5809:
2 locks held by syz-executor/5820:
3 locks held by syz-executor/5821:
2 locks held by kworker/1:3/5823:
5 locks held by syz-executor/5828:
5 locks held by kworker/u9:4/5832:
 #0: ffff888027aae948 ((wq_completion)hci0){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff888027aae948 ((wq_completion)hci0){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc9000488fbc0 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc9000488fbc0 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffff88807a268d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1d4/0x3a0 net/bluetooth/hci_sync.c:331
 #3: ffff88807a268078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1eb/0xdf0 net/bluetooth/hci_sync.c:5626
 #4: ffffffff8e1448b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:304 [inline]
 #4: ffffffff8e1448b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2f6/0x730 kernel/rcu/tree_exp.h:998
3 locks held by syz-executor/5835:
5 locks held by kworker/u9:6/5836:
 #0: ffff888025bc5948 ((wq_completion)hci4){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff888025bc5948 ((wq_completion)hci4){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc900048c7bc0 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc900048c7bc0 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffff88803461cd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1d4/0x3a0 net/bluetooth/hci_sync.c:331
 #3: ffff88803461c078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1eb/0xdf0 net/bluetooth/hci_sync.c:5626
 #4: ffffffff8f665e68 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2051 [inline]
 #4: ffffffff8f665e68 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310 net/bluetooth/hci_conn.c:1275
1 lock held by kworker/R-wg-cr/5856:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5857:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5858:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x2e/0x3a0 kernel/workqueue.c:2678
1 lock held by kworker/R-wg-cr/5860:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5861:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5862:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5863:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x2e/0x3a0 kernel/workqueue.c:2678
1 lock held by kworker/R-wg-cr/5864:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5865:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5866:
1 lock held by kworker/R-wg-cr/5867:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5868:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5869:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5870:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
1 lock held by kworker/R-wg-cr/5871:
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2736 [inline]
 #0: ffffffff8dfe5948 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0x88b/0xdd0 kernel/workqueue.c:3531
5 locks held by kworker/1:4/5879:
3 locks held by kworker/0:3/5886:
3 locks held by kworker/0:4/5894:
2 locks held by kworker/1:5/5902:
4 locks held by kworker/0:5/5921:
 #0: ffff888058c15548 ((wq_completion)wg-kex-wg2#4){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff888058c15548 ((wq_completion)wg-kex-wg2#4){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc9000add7bc0 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc9000add7bc0 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __ptr = (unsigned long) ((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker)))); (typeof((__typeof_unqual__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffff8880786f5308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x1c7/0xb00 drivers/net/wireguard/noise.c:742
 #3: ffff888057512ad8 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_response+0x267/0xb00 drivers/net/wireguard/noise.c:753
3 locks held by kworker/1:7/5942:
2 locks held by kworker/0:6/5958:
3 locks held by kworker/u8:8/5961:
3 locks held by kworker/u8:9/5983:
3 locks held by kworker/u8:10/6041:
3 locks held by kworker/u8:11/6070:
3 locks held by kworker/u8:12/6129:
4 locks held by syz.3.57/6151:
 #0: ffff88806ca0d0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffff88803023e0b8 (&buf->lock){+.+.}-{4:4}, at: tiocsti+0x1da/0x2c0 drivers/tty/tty_io.c:2288
 #2: ffff88806ca0d2e8 (&tty->termios_rwsem){++++}-{4:4}, at: n_tty_receive_buf_common+0x84/0x12f0 drivers/tty/n_tty.c:1686
 #3: ffffc9000613d380 (&ldata->output_lock){+.+.}-{4:4}, at: flush_echoes drivers/tty/n_tty.c:789 [inline]
 #3: ffffc9000613d380 (&ldata->output_lock){+.+.}-{4:4}, at: __receive_buf drivers/tty/n_tty.c:1626 [inline]
 #3: ffffc9000613d380 (&ldata->output_lock){+.+.}-{4:4}, at: n_tty_receive_buf_common+0xbe3/0x12f0 drivers/tty/n_tty.c:1723
4 locks held by syz.3.57/6152:
3 locks held by kworker/0:7/6162:
5 locks held by kworker/u8:13/6163:

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.16.0-rc1-syzkaller-00101-g27605c8c0f69 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:307 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:470
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 12 Comm: kworker/u8:0 Not tainted 6.16.0-rc1-syzkaller-00101-g27605c8c0f69 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: wg-kex-wg2 wg_packet_handshake_send_worker
RIP: 0010:__lock_acquire+0xae1/0xd20 kernel/locking/lockdep.c:5254
Code: 00 00 85 c0 0f 84 e4 01 00 00 41 f6 46 22 10 75 2e 48 8b 1c 24 4c 89 bb e0 0a 00 00 8b 83 e8 0a 00 00 ff c0 89 83 e8 0a 00 00 <83> f8 30 0f 83 64 01 00 00 3b 05 58 35 03 12 0f 87 c9 01 00 00 41
RSP: 0018:ffffc90000a07788 EFLAGS: 00000002
RAX: 0000000000000008 RBX: ffff88801d2d5a00 RCX: 5a2a391c22cef500
RDX: 0000000000000000 RSI: ffff88801d2d6608 RDI: ffff88801d2d5a00
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff81728de5
R10: ffffc90000a079d8 R11: ffffffff81ace8a0 R12: 00000000c6ada59f
R13: ffff88801d2d64f0 R14: ffff88801d2d6608 R15: 03813abc02fcf7df
FS:  0000000000000000(0000) GS:ffff888125d86000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2e17381ef8 CR3: 000000007af96000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 unwind_next_frame+0xc2/0x2390 arch/x86/kernel/unwind_orc.c:479
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x18f/0x400 mm/slub.c:4745
 kfree_skb_reason include/linux/skbuff.h:1275 [inline]
 kfree_skb include/linux/skbuff.h:1284 [inline]
 ip6_mc_input+0x9c3/0xbe0 net/ipv6/ip6_input.c:591
 ip_sabotage_in+0x1de/0x270 net/bridge/br_netfilter_hooks.c:993
 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
 nf_hook_slow+0xc2/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:272 [inline]
 NF_HOOK+0x206/0x3a0 include/linux/netfilter.h:315
 __netif_receive_skb_one_core net/core/dev.c:5977 [inline]
 __netif_receive_skb+0xd3/0x380 net/core/dev.c:6090
 netif_receive_skb_internal net/core/dev.c:6176 [inline]
 netif_receive_skb+0x1cb/0x790 net/core/dev.c:6235
 NF_HOOK+0x9d/0x390 include/linux/netfilter.h:318
 br_handle_frame_finish+0x14d1/0x19b0 net/bridge/br_input.c:-1
 br_nf_hook_thresh+0x3c6/0x4a0 net/bridge/br_netfilter_hooks.c:-1
 br_nf_pre_routing_finish_ipv6+0x948/0xd00 net/bridge/br_netfilter_ipv6.c:-1
 NF_HOOK include/linux/netfilter.h:317 [inline]
 br_nf_pre_routing_ipv6+0x37e/0x6b0 net/bridge/br_netfilter_ipv6.c:184
 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:283 [inline]
 br_handle_frame+0x97f/0x14c0 net/bridge/br_input.c:434
 __netif_receive_skb_core+0x10de/0x4180 net/core/dev.c:5863
 __netif_receive_skb_one_core net/core/dev.c:5975 [inline]
 __netif_receive_skb+0x72/0x380 net/core/dev.c:6090
 process_backlog+0x60e/0x14f0 net/core/dev.c:6442
 __napi_poll+0xc4/0x480 net/core/dev.c:7414
 napi_poll net/core/dev.c:7478 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7605
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 do_softirq+0xec/0x180 kernel/softirq.c:480
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x17d/0x1c0 kernel/softirq.c:407
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 fpregs_unlock arch/x86/include/asm/fpu/api.h:77 [inline]
 kernel_fpu_end+0xd2/0x120 arch/x86/kernel/fpu/core.c:476
 poly1305_blocks_arch+0x5b/0xe0 arch/x86/lib/crypto/poly1305_glue.c:80
 poly1305_blocks lib/crypto/poly1305.c:36 [inline]
 poly1305_update+0xd6/0x1b0 lib/crypto/poly1305.c:44
 __chacha20poly1305_encrypt+0x23a/0x310 lib/crypto/chacha20poly1305.c:77
 chacha20poly1305_encrypt+0x2f4/0x700 lib/crypto/chacha20poly1305.c:104
 message_encrypt drivers/net/wireguard/noise.c:467 [inline]
 wg_noise_handshake_create_initiation+0x4dd/0x7e0 drivers/net/wireguard/noise.c:566
 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:34 [inline]
 wg_packet_handshake_send_worker+0x163/0x320 drivers/net/wireguard/send.c:51
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>