hrtimer: interrupt took 36051 ns
=============================
[ BUG: Invalid wait context ]
syzkaller #0 Not tainted
-----------------------------
syz.0.0/5324 is trying to lock:
ffff88803a1e9430 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
other info that might help us debug this:
context-{2:2}
5 locks held by syz.0.0/5324:
 #0: ffff88803f6e2068 (&pipe->mutex){+.+.}-{4:4}, at: splice_to_socket+0xf5/0xf00 fs/splice.c:807
 #1: ffff88803301e260 (sk_lock-AF_NETLINK){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1679 [inline]
 #1: ffff88803301e260 (sk_lock-AF_NETLINK){+.+.}-{0:0}, at: netlink_insert+0xd3/0x1370 net/netlink/af_netlink.c:557
 #2: ffffc90000007be0 ((&ndev->rs_timer)){+.-.}-{0:0}, at: call_timer_fn+0xbe/0x5f0 kernel/time/timer.c:1744
 #3: ffffffff8df3d6e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #3: ffffffff8df3d6e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #3: ffffffff8df3d6e0 (rcu_read_lock){....}-{1:3}, at: ndisc_send_skb+0x1e4/0x1510 net/ipv6/ndisc.c:482
 #4: ffff88803a1e9980 (&kvm->srcu){.?.?}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #4: ffff88803a1e9980 (&kvm->srcu){.?.?}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #4: ffff88803a1e9980 (&kvm->srcu){.?.?}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0 arch/x86/kvm/xen.c:1818
stack backtrace:
CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
 check_wait_context kernel/locking/lockdep.c:4902 [inline]
 __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5187
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
 _raw_read_lock_irqsave+0xaf/0x100 kernel/locking/spinlock.c:236
 kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x4e0/0xc60 kernel/time/hrtimer.c:1841
 hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1903
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1041 [inline]
 __sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1058
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1052
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:stack_trace_consume_entry+0x0/0x280 kernel/stacktrace.c:83
Code: 75 0e 48 8d 65 f0 5b 41 5e 5d c3 cc cc cc cc cc e8 e5 52 9c 09 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 55 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 ba 00 00
RSP: 0018:ffffc900000072a0 EFLAGS: 00000282
RAX: ffffffff8191090b RBX: ffffc90000007360 RCX: e23492de5dd6f900
RDX: 0000000000000001 RSI: ffffffff8191090b RDI: ffffc90000007360
RBP: ffffc90000007330 R08: 0000000000000018 R09: ffffffff81738c45
R10: ffffc900000072f8 R11: ffffffff81ac2e10 R12: ffff88801f264900
R13: 0000000000000020 R14: ffffffff81ac2e10 R15: ffffc900000072a8
 arch_stack_walk+0x110/0x150 arch/x86/kernel/stacktrace.c:27
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __kmalloc_cache_noprof+0x3d5/0x6f0 mm/slub.c:5771
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ref_tracker_alloc+0x133/0x460 lib/ref_tracker.c:271
 __netdev_tracker_alloc include/linux/netdevice.h:4375 [inline]
 netdev_hold include/linux/netdevice.h:4404 [inline]
 dst_init+0xd9/0x450 net/core/dst.c:52
 dst_alloc+0x12a/0x170 net/core/dst.c:93
 ip6_dst_alloc net/ipv6/route.c:342 [inline]
 icmp6_dst_alloc+0x75/0x420 net/ipv6/route.c:3322
 ndisc_send_skb+0x3f1/0x1510 net/ipv6/ndisc.c:491
 addrconf_rs_timer+0x369/0x670 net/ipv6/addrconf.c:4037
 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x286/0x870 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:finish_task_switch+0x26b/0x950 kernel/sched/core.c:5193
Code: 0f 84 3c 01 00 00 48 85 db 0f 85 63 01 00 00 0f 1f 44 00 00 4c 8b 75 d0 4c 89 e7 e8 3f 0d ba 09 e8 1a c9 36 00 fb 4c 8b 65 c0 <49> 8d bc 24 58 16 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 28 84 c0
RSP: 0018:ffffc9000d3a6ff8 EFLAGS: 00000282
RAX: e23492de5dd6f900 RBX: 0000000000000000 RCX: e23492de5dd6f900
RDX: 0000000000000006 RSI: ffffffff8d7114c0 RDI: ffffffff8bbf1a60
RBP: ffffc9000d3a7050 R08: ffffffff8f7d0e77 R09: 1ffffffff1efa1ce
R10: dffffc0000000000 R11: fffffbfff1efa1cf R12: ffff88801f264900
R13: dffffc0000000000 R14: ffff8880005c0000 R15: ffff88801fe3abd8
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x17a0/0x4cc0 kernel/sched/core.c:6929
 preempt_schedule_irq+0xb5/0x150 kernel/sched/core.c:7256
 irqentry_exit+0x6f/0x90 kernel/entry/common.c:211
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x175/0x360 kernel/locking/lockdep.c:5872
Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 5b ad d1 10 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc9000d3a73e8 EFLAGS: 00000206
RAX: e23492de5dd6f900 RBX: 0000000000000000 RCX: e23492de5dd6f900
RDX: ffffffff931c8f20 RSI: ffffffff8d8f83e5 RDI: ffffffff8bbf1a60
RBP: ffffffff89681bf3 R08: 0000000000000008 R09: ffffffff958fea98
R10: 00000000502da594 R11: 00000000bad18480 R12: 0000000000000000
R13: ffff88803301e260 R14: 0000000000000001 R15: 0000000000000246
 lock_sock_nested+0x48/0x100 net/core/sock.c:3720
 lock_sock include/net/sock.h:1679 [inline]
 netlink_insert+0xd3/0x1370 net/netlink/af_netlink.c:557
 netlink_autobind+0x22e/0x300 net/netlink/af_netlink.c:828
 netlink_sendmsg+0x523/0xb30 net/netlink/af_netlink.c:1859
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 sock_sendmsg+0x158/0x230 net/socket.c:765
 splice_to_socket+0x8f5/0xf00 fs/splice.c:886
 do_splice_from fs/splice.c:938 [inline]
 do_splice+0xc79/0x1660 fs/splice.c:1351
 __do_splice fs/splice.c:1433 [inline]
 __do_sys_splice fs/splice.c:1636 [inline]
 __se_sys_splice+0x2e1/0x460 fs/splice.c:1618
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd486f8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd487ee1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00007fd4871e5fa0 RCX: 00007fd486f8f749
RDX: 0000000000000008 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007fd487013f91 R08: 000000000004ffe2 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd4871e6038 R14: 00007fd4871e5fa0 R15: 00007ffd7bbc30a8
 </TASK>
----------------
Code disassembly (best guess):
   0:	75 0e                	jne    0x10
   2:	48 8d 65 f0          	lea    -0x10(%rbp),%rsp
   6:	5b                   	pop    %rbx
   7:	41 5e                	pop    %r14
   9:	5d                   	pop    %rbp
   a:	c3                   	ret
   b:	cc                   	int3
   c:	cc                   	int3
   d:	cc                   	int3
   e:	cc                   	int3
   f:	cc                   	int3
  10:	e8 e5 52 9c 09       	call   0x99c52fa
  15:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1a:	90                   	nop
  1b:	90                   	nop
  1c:	90                   	nop
  1d:	90                   	nop
  1e:	90                   	nop
  1f:	90                   	nop
  20:	90                   	nop
  21:	90                   	nop
  22:	90                   	nop
  23:	90                   	nop
  24:	90                   	nop
  25:	90                   	nop
  26:	90                   	nop
  27:	90                   	nop
  28:	90                   	nop
  29:	90                   	nop
* 2a:	f3 0f 1e fa          	endbr64 <-- trapping instruction
  2e:	55                   	push   %rbp
  2f:	41 57                	push   %r15
  31:	41 56                	push   %r14
  33:	41 55                	push   %r13
  35:	41 54                	push   %r12
  37:	53                   	push   %rbx
  38:	48 83 ec 18          	sub    $0x18,%rsp
  3c:	48                   	rex.W
  3d:	ba                   	.byte 0xba