=============================
[ BUG: Invalid wait context ]
syzkaller #0 Not tainted
-----------------------------
kworker/u32:2/46 is trying to lock:
ffff8880549dd2e0 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x253/0xe80 arch/x86/kvm/xen.c:1820
other info that might help us debug this:
context-{2:2}
5 locks held by kworker/u32:2/46:
 #0: ffff88802283d948 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
 #1: ffffc900007efc98 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
 #2: ffff888028ba20a8 (&ctx->uring_lock){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:253 [inline]
 #2: ffff888028ba20a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_req_caches_free+0x18/0x55 io_uring/io_uring.c:2838
 #3: ffffffff8e5e32e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #3: ffffffff8e5e32e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #3: ffffffff8e5e32e0 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1195 [inline]
 #3: ffffffff8e5e32e0 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xbd/0x1ea0 arch/x86/kernel/unwind_orc.c:495
 #4: ffff8880549dd838 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:185 [inline]
 #4: ffff8880549dd838 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:277 [inline]
 #4: ffff8880549dd838 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x245/0xe80 arch/x86/kvm/xen.c:1818
stack backtrace:
CPU: 3 UID: 0 PID: 46 Comm: kworker/u32:2 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iou_exit io_ring_exit_work
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
 check_wait_context kernel/locking/lockdep.c:4902 [inline]
 __lock_acquire+0xfa4/0x2630 kernel/locking/lockdep.c:5187
 lock_acquire kernel/locking/lockdep.c:5868 [inline]
 lock_acquire+0x17c/0x330 kernel/locking/lockdep.c:5825
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
 _raw_read_lock_irqsave+0x46/0x90 kernel/locking/spinlock.c:236
 kvm_xen_set_evtchn_fast+0x253/0xe80 arch/x86/kvm/xen.c:1820
 xen_timer_callback+0x1db/0x2a0 arch/x86/kvm/xen.c:140
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x1ad/0x990 kernel/time/hrtimer.c:1841
 hrtimer_interrupt+0x397/0x8c0 kernel/time/hrtimer.c:1903
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
 __sysvec_apic_timer_interrupt+0x109/0x3c0 arch/x86/kernel/apic/apic.c:1062
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x9e/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
RIP: 0010:rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
RIP: 0010:rcu_is_watching+0x5c/0xc0 kernel/rcu/tree.c:751
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5c 48 03 1c ed 20 0f ef 8d 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 24 8b
RSP: 0018:ffffc900007ef528 EFLAGS: 00000a02
RAX: dffffc0000000000 RBX: ffff88806a7339e8 RCX: ffffffff914c6c01
RDX: 1ffff1100d4e673d RSI: ffffffff8bfa35a0 RDI: ffffffff8def0f38
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000007
R10: 0000000000000200 R11: 0000000000003508 R12: ffffc900007ef648
R13: ffffc900007ef5f8 R14: ffffc900007efbe0 R15: ffffc900007ef62c
 trace_lock_release include/trace/events/lock.h:69 [inline]
 lock_release+0x21e/0x2e0 kernel/locking/lockdep.c:5879
 rcu_lock_release include/linux/rcupdate.h:341 [inline]
 rcu_read_unlock include/linux/rcupdate.h:897 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1195 [inline]
 unwind_next_frame+0x3c3/0x1ea0 arch/x86/kernel/unwind_orc.c:495
 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:556
 slab_free_hook mm/slub.c:2501 [inline]
 slab_free mm/slub.c:6674 [inline]
 kmem_cache_free+0x478/0x720 mm/slub.c:6785
 __io_req_caches_free+0x1a6/0x220 io_uring/io_uring.c:2827
 io_req_caches_free+0x24/0x55 io_uring/io_uring.c:2839
 io_ring_exit_work+0x3eb/0xc2b io_uring/io_uring.c:3025
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
----------------
Code disassembly (best guess):
   0:	00 fc                	add    %bh,%ah
   2:	ff                   	lcall  (bad)
   3:	df 48 89             	fisttps -0x77(%rax)
   6:	fa                   	cli
   7:	48 c1 ea 03          	shr    $0x3,%rdx
   b:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   f:	75 5c                	jne    0x6d
  11:	48 03 1c ed 20 0f ef 	add    -0x7210f0e0(,%rbp,8),%rbx
  18:	8d
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 89 da             	mov    %rbx,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2e:	48 89 d8             	mov    %rbx,%rax
  31:	83 e0 07             	and    $0x7,%eax
  34:	83 c0 03             	add    $0x3,%eax
  37:	38 d0                	cmp    %dl,%al
  39:	7c 04                	jl     0x3f
  3b:	84 d2                	test   %dl,%dl
  3d:	75 24                	jne    0x63
  3f:	8b                   	.byte 0x8b