=============================
[ BUG: Invalid wait context ]
syzkaller #0 Tainted: G L
-----------------------------
kworker/u8:18/11489 is trying to lock:
ffff88807ab792e0 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1819
other info that might help us debug this:
context-{2:2}
6 locks held by kworker/u8:18/11489:
 #0: ffff88801b6d6948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3250 [inline]
 #0: ffff88801b6d6948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 kernel/workqueue.c:3358
 #1: ffffc9001bd17c40 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #1: ffffc9001bd17c40 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 kernel/workqueue.c:3358
 #2: ffffffff8fbbe870 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xf4/0x800 net/core/net_namespace.c:675
 #3: ffffffff8fbcd088 (rtnl_mutex){+.+.}-{4:4}, at: default_device_exit_batch+0xe5/0xa00 net/core/dev.c:13053
 #4: ffffffff8e91ee98 (sysctl_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline]
 #4: ffffffff8e91ee98 (sysctl_lock){+.+.}-{3:3}, at: start_unregistering fs/proc/proc_sysctl.c:321 [inline]
 #4: ffffffff8e91ee98 (sysctl_lock){+.+.}-{3:3}, at: drop_sysctl_table+0x217/0x5e0 fs/proc/proc_sysctl.c:1517
 #5: ffff88807ab79840 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #5: ffff88807ab79840 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline]
 #5: ffff88807ab79840 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0 arch/x86/kvm/xen.c:1817
stack backtrace:
CPU: 1 UID: 0 PID: 11489 Comm: kworker/u8:18 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: netns cleanup_net
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4830 [inline]
 check_wait_context kernel/locking/lockdep.c:4902 [inline]
 __lock_acquire+0xec1/0x2cf0 kernel/locking/lockdep.c:5187
 lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:172 [inline]
 _raw_read_lock_irqsave+0x48/0x60 kernel/locking/spinlock.c:236
 kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1819
 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x4e7/0xcc0 kernel/time/hrtimer.c:1849
 hrtimer_interrupt+0x42b/0x1010 kernel/time/hrtimer.c:1911
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
 __sysvec_apic_timer_interrupt+0x102/0x460 arch/x86/kernel/apic/apic.c:1062
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_acquire+0x20b/0x2e0 kernel/locking/lockdep.c:5872
Code: e9 30 ff ff ff e8 d5 ed 0b 0a f7 c3 00 02 00 00 0f 84 38 ff ff ff 65 48 8b 05 51 3b 7a 11 48 3b 44 24 30 75 33 fb 48 83 c4 38 <5b> 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 48 8d 3d ee 5a 73
RSP: 0018:ffffc9001bd17150 EFLAGS: 00000296
RAX: 6ccafa4bd6958200 RBX: 0000000000000246 RCX: 0000000080000001
RDX: 0000000067fc6b00 RSI: ffffffff8e163674 RDI: ffffffff8c27ae80
RBP: 0000000000000000 R08: ffffffff826deed7 R09: ffffffff8e91ee98
R10: dffffc0000000000 R11: fffffbfff1d23dd1 R12: 0000000000000000
R13: ffffffff8e91ee98 R14: 0000000000000000 R15: 0000000000000001
 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:341 [inline]
 start_unregistering fs/proc/proc_sysctl.c:321 [inline]
 drop_sysctl_table+0x217/0x5e0 fs/proc/proc_sysctl.c:1517
 drop_sysctl_table+0x3f2/0x5e0 fs/proc/proc_sysctl.c:1524
 unregister_sysctl_table+0x41/0x60 fs/proc/proc_sysctl.c:1542
 __addrconf_sysctl_unregister net/ipv6/addrconf.c:7357 [inline]
 addrconf_sysctl_unregister net/ipv6/addrconf.c:7385 [inline]
 addrconf_ifdown+0x16c8/0x1a40 net/ipv6/addrconf.c:4010
 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
 notifier_call_chain+0x1be/0x400 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
 call_netdevice_notifiers net/core/dev.c:2301 [inline]
 unregister_netdevice_many_notify+0x186a/0x2370 net/core/dev.c:12412
 unregister_netdevice_many net/core/dev.c:12475 [inline]
 default_device_exit_batch+0x981/0xa00 net/core/dev.c:13067
 ops_exit_list net/core/net_namespace.c:205 [inline]
 ops_undo_list+0x52b/0x940 net/core/net_namespace.c:252
 cleanup_net+0x56b/0x800 net/core/net_namespace.c:704
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
 worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
----------------
Code disassembly (best guess):
 0: e9 30 ff ff ff jmp 0xffffff35
 5: e8 d5 ed 0b 0a call 0xa0beddf
 a: f7 c3 00 02 00 00 test $0x200,%ebx
 10: 0f 84 38 ff ff ff je 0xffffff4e
 16: 65 48 8b 05 51 3b 7a mov %gs:0x117a3b51(%rip),%rax # 0x117a3b6f
 1d: 11
 1e: 48 3b 44 24 30 cmp 0x30(%rsp),%rax
 23: 75 33 jne 0x58
 25: fb sti
 26: 48 83 c4 38 add $0x38,%rsp
* 2a: 5b pop %rbx <-- trapping instruction
 2b: 41 5c pop %r12
 2d: 41 5d pop %r13
 2f: 41 5e pop %r14
 31: 41 5f pop %r15
 33: 5d pop %rbp
 34: c3 ret
 35: cc int3
 36: cc int3
 37: cc int3
 38: cc int3
 39: cc int3
 3a: 48 rex.W
 3b: 8d .byte 0x8d
 3c: 3d .byte 0x3d
 3d: ee out %al,(%dx)
 3e: 5a pop %rdx
 3f: 73 .byte 0x73