=============================
[ BUG: Invalid wait context ]
6.16.0-next-20250808-syzkaller #0 Not tainted
-----------------------------
kworker/u8:6/1141 is trying to lock:
ffff888027d4d410
(&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
other info that might help us debug this:
context-{2:2}
6 locks held by kworker/u8:6/1141:
#0:
ffff88801a889148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline]
ffff88801a889148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3319
#1: ffffc90003d67bc0 ((work_completion)(&(&kfence_timer)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline]
#1: ffffc90003d67bc0 ((work_completion)(&(&kfence_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3319
#2: ffffffff8e3d3010 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_enable+0x12/0x20 kernel/jump_label.c:222
#3: ffffffff8e5f2ee8 (jump_label_mutex){+.+.}-{4:4}, at: jump_label_lock kernel/jump_label.c:27 [inline]
#3: ffffffff8e5f2ee8 (jump_label_mutex){+.+.}-{4:4}, at: static_key_enable_cpuslocked+0xcb/0x250 kernel/jump_label.c:207
#4: ffffffff8e3e63c8 (text_mutex){+.+.}-{4:4}, at: arch_jump_label_transform_apply+0x17/0x30 arch/x86/kernel/jump_label.c:145
#5: ffff888027d4d960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
#5: ffff888027d4d960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
#5: ffff888027d4d960 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0 arch/x86/kvm/xen.c:1818
stack backtrace:
CPU: 1 UID: 0 PID: 1141 Comm: kworker/u8:6 Not tainted 6.16.0-next-20250808-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: events_unbound toggle_allocation_gate
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
check_wait_context kernel/locking/lockdep.c:4902 [inline]
__lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5187
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
_raw_read_lock_irqsave+0xaf/0x100 kernel/locking/spinlock.c:236
kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x4e0/0xc60 kernel/time/hrtimer.c:1825
hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1887
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
__sysvec_apic_timer_interrupt+0x108/0x410 arch/x86/kernel/apic/apic.c:1056
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:arch_static_branch arch/x86/include/asm/jump_label.h:36 [inline]
RIP: 0010:native_write_msr arch/x86/include/asm/msr.h:139 [inline]
RIP: 0010:wrmsrq arch/x86/include/asm/msr.h:199 [inline]
RIP: 0010:native_x2apic_icr_write arch/x86/include/asm/apic.h:233 [inline]
RIP: 0010:__x2apic_send_IPI_dest arch/x86/kernel/apic/x2apic_phys.c:113 [inline]
RIP: 0010:x2apic_send_IPI+0x73/0xe0 arch/x86/kernel/apic/x2apic_phys.c:50
Code: 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 75 42 41 8b 16 0f ae f0 0f ae e8 83 fb 02 b8 00 04 00 00 0f 45 c3 b9 30 08 00 00 0f 30 <66> 90 5b 41 5c 41 5e 41 5f 5d c3 cc cc cc cc cc 89 fe 89 fd 48 c7
RSP: 0018:ffffc90003d67630 EFLAGS: 00000206
RAX: 00000000000000fb RBX: 00000000000000fb RCX: 0000000000000830
RDX: 0000000000000000 RSI: 00000000000000fb RDI: 0000000000000000
RBP: ffffc90003d677e0 R08: ffffffff8fe4c437 R09: 1ffffffff1fc9886
R10: dffffc0000000000 R11: ffffffff8170a100 R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff8880b86201b0 R15: ffffffff8debdd10
arch_send_call_function_single_ipi arch/x86/include/asm/smp.h:95 [inline]
send_call_function_single_ipi kernel/smp.c:120 [inline]
smp_call_function_many_cond+0xab8/0x12d0 kernel/smp.c:857
on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1044
on_each_cpu include/linux/smp.h:71 [inline]
smp_text_poke_sync_each_cpu arch/x86/kernel/alternative.c:2653 [inline]
smp_text_poke_batch_finish+0xe98/0x1130 arch/x86/kernel/alternative.c:2946
arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
static_key_enable_cpuslocked+0x128/0x250 kernel/jump_label.c:210
static_key_enable+0x1a/0x20 kernel/jump_label.c:223
toggle_allocation_gate+0xad/0x240 mm/kfence/core.c:850
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
vkms_vblank_simulate: vblank timer overrun
vkms_vblank_simulate: vblank timer overrun
hrtimer: interrupt took 386075666 ns
vkms_vblank_simulate: vblank timer overrun
vkms_vblank_simulate: vblank timer overrun
----------------
Code disassembly (best guess):
0: 89 f0 mov %esi,%eax
2: 48 c1 e8 03 shr $0x3,%rax
6: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax
b: 84 c0 test %al,%al
d: 75 42 jne 0x51
f: 41 8b 16 mov (%r14),%edx
12: 0f ae f0 mfence
15: 0f ae e8 lfence
18: 83 fb 02 cmp $0x2,%ebx
1b: b8 00 04 00 00 mov $0x400,%eax
20: 0f 45 c3 cmovne %ebx,%eax
23: b9 30 08 00 00 mov $0x830,%ecx
28: 0f 30 wrmsr
* 2a: 66 90 xchg %ax,%ax <-- trapping instruction
2c: 5b pop %rbx
2d: 41 5c pop %r12
2f: 41 5e pop %r14
31: 41 5f pop %r15
33: 5d pop %rbp
34: c3 ret
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: cc int3
3a: 89 fe mov %edi,%esi
3c: 89 fd mov %edi,%ebp
3e: 48 rex.W
3f: c7 .byte 0xc7