program:
# syzkaller reproducer in syz program notation: a `$variant` suffix names the
# per-subsystem syscall description, `&(0x7f...)=...` places the argument in the
# fuzzer's mmap'd data area, and rN are descriptors returned by earlier calls.
# The console log that follows reports a lockdep "BUG: Invalid wait context"
# raised while syz.0.0/5317 is exiting: &gpc->lock is taken with
# _raw_read_lock_irqsave inside kvm_xen_set_evtchn_fast, reached from
# xen_timer_callback under __hrtimer_run_queues/hrtimer_interrupt, i.e. from a
# timer interrupt that landed on top of the task's exit_mmap work (which holds
# mmap_lock, rcu_read_lock and kvm->srcu at that point, per the log).
syz_kvm_add_vcpu$x86(0x0, &(0x7f0000000200)={0x0, 0x0, 0x8c})
eventfd(0x5)
socket$alg(0x26, 0x5, 0x0)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
close(r0)
# MPTCP listener/connector pair. bind$inet6 is issued on r0, which was just
# closed, rather than on the listening socket r1; the program is kept exactly
# as the fuzzer generated it, so this is expected, not a transcription error.
r1 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r0, &(0x7f0000000040)={0xa, 0x4e22, 0x0, @empty, 0x1}, 0x1c)
listen(r1, 0x0)
r2 = socket$inet_mptcp(0x2, 0x1, 0x106)
connect$inet(r2, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
r3 = accept(r1, 0x0, 0x0)
sendmsg$TEAM_CMD_OPTIONS_SET(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000100)=ANY=[], 0xfffffdef}}, 0x1)
perf_event_open(&(0x7f0000000480)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5d31, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x100000, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x5, 0x3}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
# Raw netlink message written with writev; the "attribute type 4 has an invalid
# length" warning at 75.726452 in the log presumably comes from this write.
r4 = socket$netlink(0x10, 0x3, 0x0)
writev(r4, &(0x7f00000003c0)=[{&(0x7f0000000180)="390000001300034700bb65e1c3e4ffff01000000010000005600000025000000190004000400000007fd17e5ffff0800040000000000000000", 0x39}], 0x1)
syz_usb_connect(0x0, 0x3f, 0x0, 0x0)
recvfrom(r2, &(0x7f0000000180)=""/60, 0xfffffffffffffecb, 0x4112, 0x0, 0x0)
r5 = dup(r2)
write$6lowpan_enable(r5, &(0x7f0000000000)='0', 0xfffffd2c)
mkdir(&(0x7f0000000100)='./bus\x00', 0x52)
# KVM setup: openat$kvm -> KVM_CREATE_VM -> KVM_CREATE_VCPU -> KVM_SET_CPUID2.
# xen_timer_callback in the trace belongs to KVM's Xen emulation; the call that
# arms that timer is not visible in this excerpt — NOTE(review): confirm
# against the full reproducer.
r6 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r7 = ioctl$KVM_CREATE_VM(r6, 0xae01, 0x0)
r8 = ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0)
ioctl$KVM_SET_CPUID2(r8, 0x4048aecb, &(0x7f0000000240)={0x7, 0x0, [{0x7, 0xffffffff, 0x2dc43c0faeff3249, 0x0, 0x6, 0x6, 0x2}, {0x80000007, 0x4, 0x0, 0x8001, 0x27, 0x7, 0x7f}, {0x40000001, 0x8, 0x0, 0x3, 0x7fffffff, 0x5, 0xffff}, {0xb, 0xe5f, 0x1, 0x7, 0xdf4, 0x6, 0x7fffffff}, {0x80000000, 0x0, 0x5, 0x6, 0x80000000, 0x0, 0xffffffff}, {0xd, 0x2bb, 0x1, 0xd, 0x3, 0x7ff, 0xffffffff}, {0x80000008, 0x3bf, 0x0, 0xf9, 0xffffa15c, 0xa524, 0x7}]})
# Serial tty wait/hangup sequence (TIOCMIWAIT, then TIOCVHANGUP twice) and a
# re-open; nothing in the trace ties these to the KVM/Xen path.
r9 = openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
ioctl$TIOCMIWAIT(r9, 0x545c, 0x0)
ioctl$TIOCVHANGUP(r9, 0x5437, 0x0)
ioctl$TIOCVHANGUP(r9, 0x5437, 0x0)
openat$ttyS3(0xffffffffffffff9c, &(0x7f0000000000), 0x44880, 0x0)
socket$inet6_tcp(0xa, 0x1, 0x0)
[ 75.547890][ T5301] Bluetooth: hci0: command tx timeout
[ 75.726452][ T5317] netlink: 'syz.0.0': attribute type 4 has an invalid length.
[ 76.434954][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.438221][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[ 77.187346][ C0] hrtimer: interrupt took 34331 ns
[ 77.618414][ T5301] Bluetooth: hci0: command tx timeout
[ 78.824981][ C0]
[ 78.826074][ C0] =============================
[ 78.828201][ C0] [ BUG: Invalid wait context ]
[ 78.830266][ C0] 6.15.0-syzkaller #0 Not tainted
[ 78.832463][ C0] -----------------------------
[ 78.834513][ C0] syz.0.0/5317 is trying to lock:
[ 78.836748][ C0] ffffc900019bf410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[ 78.840674][ C0] other info that might help us debug this:
[ 78.842915][ C0] context-{2:2}
[ 78.844498][ C0] 3 locks held by syz.0.0/5317:
[ 78.846643][ C0] #0: ffff888011f06fe0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x12b/0xba0
[ 78.850698][ C0] #1: ffffffff8df3dee0 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xa5/0x2390
[ 78.854582][ C0] #2: ffffc900019bf958 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9a0
[ 78.859102][ C0] stack backtrace:
[ 78.860834][ C0] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted 6.15.0-syzkaller #0 PREEMPT(full)
[ 78.860847][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 78.860853][ C0] Call Trace:
[ 78.860860][ C0]
[ 78.860866][ C0] dump_stack_lvl+0x189/0x250
[ 78.860888][ C0] ? __pfx_dump_stack_lvl+0x10/0x10
[ 78.860902][ C0] ? __pfx__printk+0x10/0x10
[ 78.860913][ C0] ? print_lock_name+0xde/0x100
[ 78.860930][ C0] __lock_acquire+0xbcf/0xd20
[ 78.860943][ C0] ? kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[ 78.860954][ C0] lock_acquire+0x120/0x360
[ 78.860966][ C0] ? kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[ 78.860975][ C0] ? __lock_acquire+0xaac/0xd20
[ 78.860989][ C0] _raw_read_lock_irqsave+0xaf/0x100
[ 78.861052][ C0] ? kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[ 78.861061][ C0] ? __pfx__raw_read_lock_irqsave+0x10/0x10
[ 78.861071][ C0] ? xa_load+0x1ea/0x210
[ 78.861085][ C0] kvm_xen_set_evtchn_fast+0x1fb/0x9a0
[ 78.861094][ C0] ? do_raw_spin_unlock+0x4d/0x240
[ 78.861104][ C0] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 78.861113][ C0] ? kvm_xen_set_evtchn_fast+0x1c3/0x9a0
[ 78.861123][ C0] xen_timer_callback+0x109/0x220
[ 78.861134][ C0] ? __pfx_xen_timer_callback+0x10/0x10
[ 78.861143][ C0] __hrtimer_run_queues+0x4dd/0xc60
[ 78.861161][ C0] ? __pfx___hrtimer_run_queues+0x10/0x10
[ 78.861179][ C0] hrtimer_interrupt+0x45b/0xaa0
[ 78.861198][ C0] __sysvec_apic_timer_interrupt+0x108/0x410
[ 78.861212][ C0] sysvec_apic_timer_interrupt+0xa1/0xc0
[ 78.861223][ C0]
[ 78.861227][ C0]
[ 78.861231][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 78.861242][ C0] RIP: 0010:lock_acquire+0x175/0x360
[ 78.861254][ C0] Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 8b 9f d7 10 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
[ 78.861262][ C0] RSP: 0018:ffffc9000d5deb58 EFLAGS: 00000206
[ 78.861273][ C0] RAX: 0915114465f86700 RBX: 0000000000000000 RCX: 0915114465f86700
[ 78.861280][ C0] RDX: 0000000000000000 RSI: ffffffff8d9390ac RDI: ffffffff8bc1f540
[ 78.861286][ C0] RBP: ffffffff8171ca05 R08: 0000000000000000 R09: 0000000000000000
[ 78.861292][ C0] R10: 0000000000000000 R11: ffffffff8171ca05 R12: 0000000000000002
[ 78.861298][ C0] R13: ffffffff8df3dee0 R14: 0000000000000000 R15: 0000000000000246
[ 78.861305][ C0] ? unwind_next_frame+0xa5/0x2390
[ 78.861316][ C0] ? unwind_next_frame+0xa5/0x2390
[ 78.861331][ C0] ? unwind_next_frame+0xa5/0x2390
[ 78.861343][ C0] ? tlb_flush_mmu+0x3a0/0x680
[ 78.861352][ C0] ? unwind_next_frame+0xa5/0x2390
[ 78.861362][ C0] unwind_next_frame+0xc2/0x2390
[ 78.861372][ C0] ? unwind_next_frame+0xa5/0x2390
[ 78.861383][ C0] ? unwind_next_frame+0xa5/0x2390
[ 78.861394][ C0] ? free_pages_and_swap_cache+0x277/0x520
[ 78.861413][ C0] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 78.861424][ C0] arch_stack_walk+0x11c/0x150
[ 78.861439][ C0] ? tlb_flush_mmu+0x3a0/0x680
[ 78.861447][ C0] stack_trace_save+0x9c/0xe0
[ 78.861458][ C0] ? __pfx_stack_trace_save+0x10/0x10
[ 78.861469][ C0] save_stack+0xf7/0x1f0
[ 78.861482][ C0] ? __pfx_save_stack+0x10/0x10
[ 78.861491][ C0] ? free_unref_folios+0xb81/0x14a0
[ 78.861503][ C0] ? folios_put_refs+0x559/0x640
[ 78.861512][ C0] ? free_pages_and_swap_cache+0x277/0x520
[ 78.861520][ C0] ? tlb_flush_mmu+0x3a0/0x680
[ 78.861530][ C0] ? page_ext_put+0x97/0xc0
[ 78.861540][ C0] __reset_page_owner+0x71/0x1f0
[ 78.861552][ C0] free_unref_folios+0xb81/0x14a0
[ 78.861566][ C0] folios_put_refs+0x559/0x640
[ 78.861578][ C0] ? __pfx_folios_put_refs+0x10/0x10
[ 78.861589][ C0] ? free_swap_cache+0x109/0x300
[ 78.861598][ C0] free_pages_and_swap_cache+0x277/0x520
[ 78.861607][ C0] ? __pfx_free_pages_and_swap_cache+0x10/0x10
[ 78.861623][ C0] ? tlb_table_flush+0x145/0x410
[ 78.861632][ C0] tlb_flush_mmu+0x3a0/0x680
[ 78.861639][ C0] ? unmap_page_range+0x37d7/0x4210
[ 78.861648][ C0] unmap_page_range+0x37fd/0x4210
[ 78.861655][ C0] ? lockdep_hardirqs_on+0x9c/0x150
[ 78.861670][ C0] ? mas_next_slot+0xc20/0xcf0
[ 78.861682][ C0] ? __pfx_unmap_page_range+0x10/0x10
[ 78.861692][ C0] ? unmap_single_vma+0x1b2/0x2a0
[ 78.861702][ C0] unmap_vmas+0x25d/0x3c0
[ 78.861710][ C0] ? __pfx_unmap_vmas+0x10/0x10
[ 78.861722][ C0] exit_mmap+0x245/0xba0
[ 78.861736][ C0] ? __pfx_exit_mmap+0x10/0x10
[ 78.861747][ C0] ? __mutex_unlock_slowpath+0x1cd/0x700
[ 78.861761][ C0] ? __pfx_exit_aio+0x10/0x10
[ 78.861774][ C0] ? uprobe_clear_state+0x274/0x290
[ 78.861785][ C0] __mmput+0x118/0x420
[ 78.861796][ C0] exit_mm+0x1da/0x2c0
[ 78.861808][ C0] ? __pfx_exit_mm+0x10/0x10
[ 78.861818][ C0] ? taskstats_exit+0x43c/0xa30
[ 78.861830][ C0] ? tty_audit_exit+0x153/0x200
[ 78.861841][ C0] do_exit+0x859/0x2550
[ 78.861853][ C0] ? do_raw_spin_lock+0x121/0x290
[ 78.861862][ C0] ? __pfx_do_exit+0x10/0x10
[ 78.861872][ C0] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 78.861886][ C0] do_group_exit+0x21c/0x2d0
[ 78.861898][ C0] ? lockdep_hardirqs_on+0x9c/0x150
[ 78.861908][ C0] get_signal+0x125e/0x1310
[ 78.861927][ C0] arch_do_signal_or_restart+0x95/0x780
[ 78.861939][ C0] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 78.861950][ C0] ? local_irq_enable_exit_to_user+0x5/0x10
[ 78.861964][ C0] syscall_exit_to_user_mode+0x8b/0x120
[ 78.861976][ C0] do_syscall_64+0x103/0x210
[ 78.861988][ C0] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 78.861999][ C0] ? clear_bhb_loop+0x60/0xb0
[ 78.862010][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 78.862019][ C0] RIP: 0033:0x7f5bda18e969
[ 78.862027][ C0] Code: Unable to access opcode bytes at 0x7f5bda18e93f.
[ 78.862033][ C0] RSP: 002b:00007f5bdaf740e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 78.862043][ C0] RAX: fffffffffffffe00 RBX: 00007f5bda3b6088 RCX: 00007f5bda18e969
[ 78.862049][ C0] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f5bda3b6088
[ 78.862055][ C0] RBP: 00007f5bda3b6080 R08: 0000000000000000 R09: 0000000000000000
[ 78.862061][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5bda3b608c
[ 78.862066][ C0] R13: 0000000000000000 R14: 00007fff7c2d6af0 R15: 00007fff7c2d6bd8
[ 78.862075][ C0]