=============================
[ BUG: Invalid wait context ]
6.16.0-rc6-next-20250718-syzkaller #0 Not tainted
-----------------------------
kworker/u8:6/1103 is trying to lock:
ffff888030e21410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
other info that might help us debug this:
context-{2:2}
10 locks held by kworker/u8:6/1103:
 #0: ffff88801a489148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline]
 #0: ffff88801a489148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3319
 #1: ffffc90003c2fbc0 ((work_completion)(&(&kfence_timer)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline]
 #1: ffffc90003c2fbc0 ((work_completion)(&(&kfence_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3319
 #2: ffffffff8dfd6030 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_enable+0x12/0x20 kernel/jump_label.c:222
 #3: ffffffff8e1f73e8 (jump_label_mutex){+.+.}-{4:4}, at: jump_label_lock kernel/jump_label.c:27 [inline]
 #3: ffffffff8e1f73e8 (jump_label_mutex){+.+.}-{4:4}, at: static_key_enable_cpuslocked+0xcb/0x250 kernel/jump_label.c:207
 #4: ffffffff8dfe9448 (text_mutex){+.+.}-{4:4}, at: arch_jump_label_transform_apply+0x17/0x30 arch/x86/kernel/jump_label.c:145
 #5: ffffffff8e13d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #5: ffffffff8e13d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #5: ffffffff8e13d8a0 (rcu_read_lock){....}-{1:3}, at: ___pte_offset_map+0x29/0x250 mm/pgtable-generic.c:286
 #6: ffff88801a47b078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #6: ffff88801a47b078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: __pte_offset_map_lock+0x13e/0x210 mm/pgtable-generic.c:401
 #7: ffffffff8e13d9c0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #7: ffffffff8e13d9c0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2599 [inline]
 #7: ffffffff8e13d9c0 (rcu_callback){....}-{0:0}, at: rcu_core+0xc34/0x1710 kernel/rcu/tree.c:2861
 #8: ffffffff8e13d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #8: ffffffff8e13d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #8: ffffffff8e13d8a0 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 #8: ffffffff8e13d8a0 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xa5/0x2390 arch/x86/kernel/unwind_orc.c:479
 #9: ffff888030e21960 (&kvm->srcu){.?.?}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #9: ffff888030e21960 (&kvm->srcu){.?.?}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #9: ffff888030e21960 (&kvm->srcu){.?.?}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0 arch/x86/kvm/xen.c:1818
stack backtrace:
CPU: 1 UID: 0 PID: 1103 Comm: kworker/u8:6 Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: events_unbound toggle_allocation_gate
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline]
 check_wait_context kernel/locking/lockdep.c:4905 [inline]
 __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
 _raw_read_lock_irqsave+0xaf/0x100 kernel/locking/spinlock.c:236
 kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x4e0/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1887
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
 __sysvec_apic_timer_interrupt+0x108/0x410 arch/x86/kernel/apic/apic.c:1056
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x175/0x360 kernel/locking/lockdep.c:5875
Code: 00 00 00 00 9c 8f 44 24 30 f7 44 24 30 00 02 00 00 0f 85 cd 00 00 00 f7 44 24 08 00 02 00 00 74 01 fb 65 48 8b 05 cb 6b 06 11 <48> 3b 44 24 58 0f 85 f2 00 00 00 48 83 c4 60 5b 41 5c 41 5d 41 5e
RSP: 0018:ffffc90000a08698 EFLAGS: 00000206
RAX: 5526e940cd7f2000 RBX: 0000000000000000 RCX: 5526e940cd7f2000
RDX: 0000000000000000 RSI: ffffffff8db80ddc RDI: ffffffff8be34680
RBP: ffffffff8172b195 R08: 0000000000000000 R09: ffffffff8172b195
R10: ffffc90000a08858 R11: ffffffff81ac4660 R12: 0000000000000002
R13: ffffffff8e13d8a0 R14: 0000000000000000 R15: 0000000000000246
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 unwind_next_frame+0xc2/0x2390 arch/x86/kernel/unwind_orc.c:479
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free_after_rcu_debug+0x129/0x2a0 mm/slub.c:4730
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2861
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:spin_unlock include/linux/spinlock.h:391 [inline]
RIP: 0010:__text_poke+0x7ac/0xa10 arch/x86/kernel/alternative.c:2566
Code: 00 4d 85 f6 75 16 e8 d3 6b 58 00 eb 15 e8 cc 6b 58 00 e8 b7 d3 10 0a 4d 85 f6 74 ea e8 bd 6b 58 00 fb 48 8b bc 24 e0 00 00 00 <e8> 0f 6a 13 0a e8 5a da 10 0a 89 c3 31 ff 89 c6 e8 df 6f 58 00 85
RSP: 0018:ffffc90003c2f6e0 EFLAGS: 00000293
RAX: ffffffff81674553 RBX: 0000000000000000 RCX: ffff888026b10000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801a47b060
RBP: ffffc90003c2f830 R08: ffffffff8fa2a737 R09: 1ffffffff1f454e6
R10: dffffc0000000000 R11: fffffbfff1f454e7 R12: dffffc0000000000
R13: ffff88801a47c558 R14: 0000000000000200 R15: ffffffff821823e2
 text_poke arch/x86/kernel/alternative.c:2590 [inline]
 smp_text_poke_batch_finish+0x38c/0x1100 arch/x86/kernel/alternative.c:2898
 arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
 static_key_enable_cpuslocked+0x128/0x250 kernel/jump_label.c:210
 static_key_enable+0x1a/0x20 kernel/jump_label.c:223
 toggle_allocation_gate+0xad/0x240 mm/kfence/core.c:850
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 00                	add    %al,(%rax)
   4:	9c                   	pushf
   5:	8f 44 24 30          	pop    0x30(%rsp)
   9:	f7 44 24 30 00 02 00 	testl  $0x200,0x30(%rsp)
  10:	00
  11:	0f 85 cd 00 00 00    	jne    0xe4
  17:	f7 44 24 08 00 02 00 	testl  $0x200,0x8(%rsp)
  1e:	00
  1f:	74 01                	je     0x22
  21:	fb                   	sti
  22:	65 48 8b 05 cb 6b 06 	mov    %gs:0x11066bcb(%rip),%rax        # 0x11066bf5
  29:	11
* 2a:	48 3b 44 24 58       	cmp    0x58(%rsp),%rax <-- trapping instruction
  2f:	0f 85 f2 00 00 00    	jne    0x127
  35:	48 83 c4 60          	add    $0x60,%rsp
  39:	5b                   	pop    %rbx
  3a:	41 5c                	pop    %r12
  3c:	41 5d                	pop    %r13
  3e:	41 5e                	pop    %r14