program: openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0) (async) r0 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0) ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) (async) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) ioctl$KVM_SET_CPUID2(r2, 0x4048aecb, &(0x7f0000000240)={0x7, 0x0, [{0x7, 0xffffffff, 0x2dc43c0faeff3249, 0x0, 0x6, 0x6, 0x2}, {0x80000007, 0x4, 0x0, 0x8001, 0x27, 0x807, 0x7f}, {0x40000001, 0x8, 0x0, 0x3, 0x7fffffff, 0x5, 0xffff}, {0xb, 0xe5f, 0x1, 0x7, 0xdf4, 0x6, 0x7fffffff}, {0x80000000, 0x0, 0x5, 0x6, 0x80000000, 0x0, 0xffffffff}, {0xd, 0x2bb, 0x1, 0xd, 0x3, 0x7ff, 0xffffffff}, {0x80000008, 0x3bf, 0x0, 0xf9, 0xffffa15c, 0xa524, 0x7}]}) r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000700)={'wlan1\x00'}) (async) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r3, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r4, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) (async) sendmsg$NL80211_CMD_SET_INTERFACE(r3, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r4, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x48241, 0x0) ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f00000000c0)={'syzkaller1\x00', 0x6bf1c2d5adba8c32}) r7 = socket$kcm(0x2, 0xa, 0x2) ioctl$SIOCSIFHWADDR(r7, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local}) socket$nl_route(0x10, 0x3, 0x0) (async) r8 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r8, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000009c0)=@newlink={0x28, 0x10, 0xc362e63b3f31ba5f, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x20080, 0x80e1}, [@IFLA_GROUP={0x8}]}, 0x28}}, 0x0) write$tun(r6, &(0x7f00000004c0)={@val={0x0, 0x6007}, @void, @eth={@multicast, @remote, @val={@val={0x88a8, 0x1, 0x1, 0x1}, {0x8100, 0x0, 0x1, 0x4}}, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x2c, 0x0, 0x0, 0x0, 0x2f, 0x0, @loopback, @multicast1}, {0x0, 0x12eb, 0x18, 0x0, @wg=@data={0x4, 0x0, 0xffffdd86}}}}}}}, 0xfd40) r9 = socket$rxrpc(0x21, 0x2, 0xa) write(r9, 0x0, 0x0) setsockopt$RXRPC_SECURITY_KEY(r9, 0x110, 0x1, 0x0, 0x0) r10 = socket$nl_generic(0x10, 0x3, 0x10) r11 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) r12 = openat$qat_adf_ctl(0xffffffffffffff9c, &(0x7f0000000100), 0x406200, 0x0) ioctl$IOCTL_CONFIG_SYS_RESOURCE_PARAMETERS(r12, 0x40096100, 0x0) ioctl$sock_SIOCGIFINDEX_80211(r10, 0x8933, &(0x7f00000000c0)={'wlan1\x00'}) (async) ioctl$sock_SIOCGIFINDEX_80211(r10, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) r14 = socket$nl_generic(0x10, 0x3, 0x10) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000600)={0x7, 0x3, &(0x7f0000000000)=@framed={{0x6a, 0xa, 0x0, 0xffc4, 0x0, 0x71, 0x10, 0xb1}}, &(0x7f0000000480)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) (async) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000600)={0x7, 0x3, &(0x7f0000000000)=@framed={{0x6a, 0xa, 0x0, 0xffc4, 0x0, 0x71, 0x10, 0xb1}}, &(0x7f0000000480)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) ioctl$sock_SIOCGIFINDEX_80211(r14, 0x8933, &(0x7f0000000740)={'wlan1\x00'}) (async) ioctl$sock_SIOCGIFINDEX_80211(r14, 0x8933, &(0x7f0000000740)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_REGISTER_FRAME(r14, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000080)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16, @ANYBLOB="010000000000000000003a00000008000300", @ANYRES32=r15, @ANYBLOB="05005b"], 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r10, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r11, @ANYBLOB="050000000000000000002e00000008000300", @ANYRES32=r13, @ANYBLOB="0a6705000202020202020000"], 0x28}}, 0x0) (async) sendmsg$NL80211_CMD_CONNECT(r10, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)=ANY=[@ANYBLOB='(\x00\x00\x00', @ANYRES16=r11, @ANYBLOB="050000000000000000002e00000008000300", @ANYRES32=r13, @ANYBLOB="0a6705000202020202020000"], 0x28}}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000540)=ANY=[@ANYBLOB="b0000000080211000001"], 0x1e) [ 82.062328][ T4675] Bluetooth: hci0: command tx timeout [ 82.066178][ T1313] ieee802154 phy0 wpan0: encryption failed: -22 [ 82.068646][ T1313] ieee802154 phy1 wpan1: encryption failed: -22 [ 82.258147][ T5328] syz.0.0 uses obsolete (PF_INET,SOCK_PACKET) [ 82.300290][ T5329] bridge0: port 2(bridge_slave_1) entered disabled state [ 82.303761][ T5329] bridge0: port 1(bridge_slave_0) entered disabled state [ 82.329967][ T5332] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. [ 82.380795][ T5329] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 82.389133][ T5329] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 82.443501][ T5329] netdevsim netdevsim0 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 82.447657][ T5329] netdevsim netdevsim0 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 82.450871][ T5329] netdevsim netdevsim0 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 82.454436][ T5329] netdevsim netdevsim0 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 82.486975][ T5329] syz.0.0 (5329) used greatest stack depth: 18840 bytes left [ 84.066321][ T5312] Bluetooth: hci0: command tx timeout [ 85.115479][ C0] [ 85.116536][ C0] ============================= [ 85.118491][ C0] [ BUG: Invalid wait context ] [ 85.120491][ C0] 6.15.0-rc3-syzkaller-00008-ga33b5a08cbbd #0 Not tainted [ 85.123121][ C0] ----------------------------- [ 85.125070][ C0] swapper/0/0 is trying to lock: [ 85.126984][ C0] ffffc900019ef410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fc/0xa00 [ 85.130649][ C0] other info that might help us debug this: [ 85.132881][ C0] context-{2:2} [ 85.134303][ C0] 1 lock held by swapper/0/0: [ 85.135928][ C0] #0: ffffc900019ef958 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c9/0xa00 [ 85.139653][ C0] stack backtrace: [ 85.141083][ C0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.15.0-rc3-syzkaller-00008-ga33b5a08cbbd #0 PREEMPT(full) [ 85.141102][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.141108][ C0] Call Trace: [ 85.141114][ C0] [ 85.141120][ C0] dump_stack_lvl+0x241/0x360 [ 85.141136][ C0] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.141149][ C0] ? __pfx__printk+0x10/0x10 [ 85.141163][ C0] __lock_acquire+0xc30/0xd80 [ 85.141180][ C0] lock_acquire+0x116/0x2f0 [ 85.141192][ C0] ? kvm_xen_set_evtchn_fast+0x1fc/0xa00 [ 85.141205][ C0] _raw_read_lock_irqsave+0xe0/0x130 [ 85.141262][ C0] ? kvm_xen_set_evtchn_fast+0x1fc/0xa00 [ 85.141272][ C0] ? __pfx__raw_read_lock_irqsave+0x10/0x10 [ 85.141286][ C0] ? do_raw_spin_lock+0x151/0x370 [ 85.141295][ C0] ? kvm_xen_set_evtchn_fast+0x1c9/0xa00 [ 85.141301][ C0] kvm_xen_set_evtchn_fast+0x1fc/0xa00 [ 85.141307][ C0] ? do_raw_spin_unlock+0x58/0x8b0 [ 85.141318][ C0] xen_timer_callback+0x1a4/0x3d0 [ 85.141327][ C0] ? __pfx_xen_timer_callback+0x10/0x10 [ 85.141337][ C0] ? __pfx_xen_timer_callback+0x10/0x10 [ 85.141346][ C0] ? __pfx_xen_timer_callback+0x10/0x10 [ 85.141356][ C0] __hrtimer_run_queues+0x55c/0xd40 [ 85.141366][ C0] ? ktime_get_update_offsets_now+0x2d/0x3b0 [ 85.141381][ C0] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 85.141389][ C0] ? kvm_clock_get_cycles+0x52/0x70 [ 85.141402][ C0] ? ktime_get_update_offsets_now+0x38e/0x3b0 [ 85.141414][ C0] hrtimer_interrupt+0x403/0xa40 [ 85.141427][ C0] __sysvec_apic_timer_interrupt+0x110/0x420 [ 85.141440][ C0] sysvec_apic_timer_interrupt+0xa1/0xc0 [ 85.141455][ C0] [ 85.141458][ C0] [ 85.141462][ C0] asm_sysvec_apic_timer_interrupt+0x1a/0x20 [ 85.141471][ C0] RIP: 0010:pv_native_safe_halt+0x13/0x20 [ 85.141478][ C0] Code: cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 53 7e 18 00 f3 0f 1e fa fb f4 cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 [ 85.141483][ C0] RSP: 0018:ffffffff8ea07d60 EFLAGS: 000002c6 [ 85.141490][ C0] RAX: 27a9863d759a9700 RBX: ffffffff8197272e RCX: ffffffff8c2fb89c [ 85.141494][ C0] RDX: 0000000000000001 RSI: ffffffff8e6497f7 RDI: ffffffff8ca1b680 [ 85.141498][ C0] RBP: ffffffff8ea07eb8 R08: ffff88801fc32b5b R09: 1ffff11003f8656b [ 85.141502][ C0] R10: dffffc0000000000 R11: ffffed1003f8656c R12: 1ffffffff1d40fc6 [ 85.141506][ C0] R13: 1ffffffff1d52cb0 R14: 0000000000000000 R15: dffffc0000000000 [ 85.141511][ C0] ? do_idle+0x22e/0x5d0 [ 85.141517][ C0] ? ct_kernel_exit+0x12c/0x1a0 [ 85.141524][ C0] default_idle+0x13/0x20 [ 85.141530][ C0] default_idle_call+0x74/0xb0 [ 85.141537][ C0] do_idle+0x22e/0x5d0 [ 85.141542][ C0] ? __pfx___schedule+0x10/0x10 [ 85.141551][ C0] ? __pfx_do_idle+0x10/0x10 [ 85.141556][ C0] ? lockdep_hardirqs_on+0x9d/0x150 [ 85.141562][ C0] ? _raw_spin_unlock_irqrestore+0xde/0x140 [ 85.141570][ C0] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.141579][ C0] ? rest_init+0x31/0x300 [ 85.141585][ C0] ? rest_init+0x31/0x300 [ 85.141591][ C0] cpu_startup_entry+0x42/0x60 [ 85.141597][ C0] rest_init+0x2dc/0x300 [ 85.141603][ C0] ? __pfx_x86_late_time_init+0x10/0x10 [ 85.141612][ C0] start_kernel+0x484/0x510 [ 85.141624][ C0] x86_64_start_reservations+0x2a/0x30 [ 85.141632][ C0] x86_64_start_kernel+0x66/0x70 [ 85.141638][ C0] common_startup_64+0x13e/0x147 [ 85.141649][ C0] [ 85.276933][ C0] hrtimer: interrupt took 161632446 ns