program:
r0 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_CPUID2(r2, 0x4048aecb, &(0x7f0000000240)=ANY=[@ANYBLOB="070000000000000007000000ffffffff4932ffae000000000600000006000000020000000000000000000000000000000700008004000000000000000180000027000000070000007f00000000000000000000000000000001000040080000000000000003000000ffffff7f05000000ffff00000000000000000000000000000b0000005f0f00000100000007000000f40d000006000000ffffff7f000000000000000000000000000000800000000005000000060000000000008000000000ffffffff0000000000000000000000000d000000bb020000010000000d00000003000000ff070000ffffffff00000000000000000000002008000080bf03000000000000f90000005ca1ffff24a500000700"/288])
r3 = syz_usb_connect$printer(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000030020f003176c400000000001090224725100000000090400001207010300090501020000000000090582020002"], 0x0)
syz_usb_disconnect(r3)
r4 = syz_usb_connect(0x0, 0x4a, &(0x7f00000000c0)=ANY=[], 0x0)
syz_usb_control_io(r3, 0x0, 0x0)
syz_usb_ep_write$ath9k_ep1(r4, 0x82, 0x88, &(0x7f0000000040)=ANY=[])
r5 = socket$inet_tcp(0x2, 0x1, 0x0)
bind$inet(r5, &(0x7f0000000200)={0x2, 0x4e20, @empty}, 0x10)
r6 = memfd_create(&(0x7f0000000000)='/dev/loop#\x00', 0x6)
fcntl$addseals(r6, 0x409, 0x4)
fallocate(r6, 0x0, 0x0, 0x4)
r7 = socket$nl_route(0x10, 0x3, 0x0)
r8 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000c80)={'lo\x00', <r9=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)=@newqdisc={0x38, 0x24, 0x4ee4e6a52ff56541, 0x70bd28, 0x0, {0x0, 0x0, 0x0, r9, {}, {0xffff, 0xffff}, {0xd, 0xfff2}}, [@qdisc_kind_options=@q_fq={{0x7}, {0xc, 0x2, [@TCA_FQ_FLOW_MAX_RATE={0x8, 0x7, 0x800}]}}]}, 0x38}}, 0x0)
setsockopt$inet_tcp_int(r5, 0x6, 0x2, &(0x7f0000000040)=0x2800, 0x4)
connect$inet(r5, &(0x7f0000000000)={0x2, 0x4e20, @empty}, 0x10)
sendmsg$inet(r5, &(0x7f00000015c0)={0x0, 0x14, &(0x7f0000001600)=[{&(0x7f0000000240)=' ', 0xffffff1f}], 0x1}, 0x0)
r10 = socket$nl_route(0x10, 0x3, 0x0)
r11 = socket$inet6_udp(0xa, 0x2, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000080))
ioctl$sock_SIOCGIFINDEX(r11, 0x8933, &(0x7f0000000040)={'lo\x00', <r12=>0x0})
sendmsg$nl_route_sched(r10, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=@newqdisc={0x4c, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, r12, {}, {0xffff, 0xffff}, {0xfff1}}, [@qdisc_kind_options=@q_netem={{0xa}, {0x1c, 0x2, {{0x0, 0xfc, 0x0, 0x1, 0xffffffff}}}}]}, 0x4c}, 0x1, 0x0, 0x0, 0x40080c0}, 0x0)
setsockopt$inet_tcp_TCP_REPAIR(r5, 0x6, 0x13, &(0x7f0000000140), 0x4)
r13 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
read$char_usb(r13, 0x0, 0x0)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f00000002c0)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48)

[   68.674091][ T4660] Bluetooth: hci0: command tx timeout
[   69.017485][ T5306] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   69.166680][ T5306] usb 5-1: Using ep0 maxpacket: 32
[   69.172046][ T5306] usb 5-1: config index 0 descriptor too short (expected 29220, got 36)
[   69.175352][ T5306] usb 5-1: config 0 has too many interfaces: 81, using maximum allowed: 32
[   69.179328][ T5306] usb 5-1: config 0 has 1 interface, different from the descriptor's value: 81
[   69.182423][ T5306] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0
[   69.186244][ T5306] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0
[   69.190956][ T5306] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18
[   69.195980][ T5306] usb 5-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40
[   69.200649][ T5306] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   69.211715][ T5306] usb 5-1: config 0 descriptor??
[   69.422817][ T5306] usblp 5-1:0.0: usblp0: USB Bidirectional printer dev 2 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17
[   69.452612][ T5306] usb 5-1: USB disconnect, device number 2
[   69.461680][ T5306] usblp0: removed
[   69.916706][ T5306] usb 5-1: new high-speed USB device number 3 using dummy_hcd
[   70.066669][ T5306] usb 5-1: Using ep0 maxpacket: 32
[   70.071312][ T5306] usb 5-1: config index 0 descriptor too short (expected 29220, got 36)
[   70.074649][ T5306] usb 5-1: config 0 has too many interfaces: 81, using maximum allowed: 32
[   70.080203][ T5306] usb 5-1: config 0 has 1 interface, different from the descriptor's value: 81
[   70.084003][ T5306] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0
[   70.087896][ T5306] usb 5-1: config 0 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0
[   70.091678][ T5306] usb 5-1: config 0 interface 0 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 18
[   70.097914][ T5306] usb 5-1: New USB device found, idVendor=03f0, idProduct=6c17, bcdDevice= 0.40
[   70.101486][ T5306] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   70.107811][ T5306] usb 5-1: config 0 descriptor??
[   70.319674][ T5306] usblp 5-1:0.0: usblp0: USB Bidirectional printer dev 3 if 0 alt 0 proto 3 vid 0x03F0 pid 0x6C17
[   70.737894][ T4660] Bluetooth: hci0: command tx timeout
[   71.675063][    C0] 
[   71.676106][    C0] =============================
[   71.678092][    C0] [ BUG: Invalid wait context ]
[   71.680055][    C0] 6.15.0-rc4-syzkaller-00042-gb6ea1680d0ac #0 Not tainted
[   71.682830][    C0] -----------------------------
[   71.684788][    C0] swapper/0/0 is trying to lock:
[   71.686811][    C0] ffffc90001a0f410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[   71.690740][    C0] other info that might help us debug this:
[   71.692900][    C0] context-{2:2}
[   71.694217][    C0] 1 lock held by swapper/0/0:
[   71.696000][    C0]  #0: ffffc90001a0f958 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9a0
[   71.699629][    C0] stack backtrace:
[   71.701235][    C0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc4-syzkaller-00042-gb6ea1680d0ac #0 PREEMPT(full) 
[   71.701247][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   71.701253][    C0] Call Trace:
[   71.701260][    C0]  <IRQ>
[   71.701265][    C0]  dump_stack_lvl+0x189/0x250
[   71.701282][    C0]  ? __pfx_dump_stack_lvl+0x10/0x10
[   71.701316][    C0]  ? __pfx__printk+0x10/0x10
[   71.701326][    C0]  ? print_lock_name+0xde/0x100
[   71.701338][    C0]  __lock_acquire+0xbcf/0xd20
[   71.701351][    C0]  ? kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[   71.701361][    C0]  lock_acquire+0x120/0x360
[   71.701372][    C0]  ? kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[   71.701381][    C0]  ? __lock_acquire+0xaac/0xd20
[   71.701394][    C0]  _raw_read_lock_irqsave+0xaf/0x100
[   71.701442][    C0]  ? kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[   71.701451][    C0]  ? __pfx__raw_read_lock_irqsave+0x10/0x10
[   71.701460][    C0]  ? xa_load+0x1ea/0x210
[   71.701472][    C0]  kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[   71.701481][    C0]  ? do_raw_spin_unlock+0x4d/0x240
[   71.701491][    C0]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   71.701500][    C0]  ? kvm_xen_set_evtchn_fast+0x1c3/0x9a0
[   71.701509][    C0]  xen_timer_callback+0x109/0x220
[   71.701517][    C0]  ? __pfx_xen_timer_callback+0x10/0x10
[   71.701526][    C0]  __hrtimer_run_queues+0x4dd/0xc60
[   71.701542][    C0]  ? __pfx___hrtimer_run_queues+0x10/0x10
[   71.701556][    C0]  hrtimer_interrupt+0x45b/0xaa0
[   71.701572][    C0]  __sysvec_apic_timer_interrupt+0x108/0x410
[   71.701583][    C0]  sysvec_apic_timer_interrupt+0xa1/0xc0
[   71.701593][    C0]  </IRQ>
[   71.701596][    C0]  <TASK>
[   71.701600][    C0]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   71.701610][    C0] RIP: 0010:pv_native_safe_halt+0x13/0x20
[   71.701619][    C0] Code: cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 03 3b 12 00 f3 0f 1e fa fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
[   71.701627][    C0] RSP: 0018:ffffffff8dc07d80 EFLAGS: 000002c6
[   71.701636][    C0] RAX: a7d37bc4c9925d00 RBX: ffffffff81973da8 RCX: a7d37bc4c9925d00
[   71.701642][    C0] RDX: 0000000000000001 RSI: ffffffff8d749f9b RDI: ffffffff8bc1cde0
[   71.701648][    C0] RBP: ffffffff8dc07ec0 R08: ffff88801fe32b5b R09: 1ffff11003fc656b
[   71.701655][    C0] R10: dffffc0000000000 R11: ffffed1003fc656c R12: ffffffff8f7ed370
[   71.701662][    C0] R13: 0000000000000000 R14: 0000000000000000 R15: 1ffffffff1b92a48
[   71.701668][    C0]  ? do_idle+0x1e8/0x510
[   71.701679][    C0]  default_idle+0x13/0x20
[   71.701688][    C0]  default_idle_call+0x74/0xb0
[   71.701698][    C0]  do_idle+0x1e8/0x510
[   71.701707][    C0]  ? __pfx_do_idle+0x10/0x10
[   71.701713][    C0]  ? _raw_spin_unlock_irqrestore+0x85/0x110
[   71.701723][    C0]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   71.701730][    C0]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   71.701738][    C0]  cpu_startup_entry+0x44/0x60
[   71.701745][    C0]  rest_init+0x2de/0x300
[   71.701755][    C0]  ? __pfx_x86_late_time_init+0x10/0x10
[   71.701767][    C0]  start_kernel+0x470/0x4f0
[   71.701783][    C0]  x86_64_start_reservations+0x2a/0x30
[   71.701794][    C0]  x86_64_start_kernel+0x66/0x70
[   71.701803][    C0]  common_startup_64+0x13e/0x147
[   71.701818][    C0]  </TASK>
[   72.017572][ T5306] usb 5-1: USB disconnect, device number 3
[   72.032035][ T5306] usblp0: removed