============================= [ BUG: Invalid wait context ] 6.15.0-syzkaller-08486-gf66bc387efbe #0 Not tainted ----------------------------- syz.0.682/8681 is trying to lock: ffffc90005f94410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x254/0xeb0 arch/x86/kvm/xen.c:1819 other info that might help us debug this: context-{2:2} 1 lock held by syz.0.682/8681: #0: ffffc90005f94960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline] #0: ffffc90005f94960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline] #0: ffffc90005f94960 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x23a/0xeb0 arch/x86/kvm/xen.c:1817 stack backtrace: CPU: 1 UID: 0 PID: 8681 Comm: syz.0.682 Not tainted 6.15.0-syzkaller-08486-gf66bc387efbe #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline] check_wait_context kernel/locking/lockdep.c:4905 [inline] __lock_acquire+0xa12/0x1c90 kernel/locking/lockdep.c:5190 lock_acquire kernel/locking/lockdep.c:5871 [inline] lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5828 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline] _raw_read_lock_irqsave+0x46/0x90 kernel/locking/spinlock.c:236 kvm_xen_set_evtchn_fast+0x254/0xeb0 arch/x86/kvm/xen.c:1819 xen_timer_callback+0x1db/0x2a0 arch/x86/kvm/xen.c:140 __run_hrtimer kernel/time/hrtimer.c:1761 [inline] __hrtimer_run_queues+0x5ed/0xad0 kernel/time/hrtimer.c:1825 hrtimer_interrupt+0x397/0x8e0 kernel/time/hrtimer.c:1887 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline] __sysvec_apic_timer_interrupt+0x108/0x3f0 arch/x86/kernel/apic/apic.c:1056 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0x9f/0xc0 arch/x86/kernel/apic/apic.c:1050 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194 Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 e6 d2 19 f6 48 89 df e8 ce 26 1a f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 01 00 00 00 e8 65 4e 0a f6 65 8b 05 2e 72 2c 08 85 c0 74 16 5b RSP: 0018:ffffc90004d4f9a0 EFLAGS: 00000246 RAX: 0000000000000002 RBX: ffffffff9ad170c8 RCX: ffffffff81c39c7f RDX: 0000000000000000 RSI: ffffffff8dc06ed3 RDI: ffffffff8bf52fc0 RBP: 0000000000000206 R08: 0000000000000001 R09: 0000000000000001 R10: ffffffff90877557 R11: 0000000000000001 R12: 0000000000000001 R13: ffffffff9ad170c8 R14: 0000000000000103 R15: 0000000000000001 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline] avc_reclaim_node security/selinux/avc.c:488 [inline] avc_alloc_node+0x420/0x6a0 security/selinux/avc.c:507 avc_insert security/selinux/avc.c:618 [inline] avc_compute_av+0x100/0x7f0 security/selinux/avc.c:993 avc_perm_nonode+0xab/0x180 security/selinux/avc.c:1117 avc_has_perm_noaudit+0x2de/0x3b0 security/selinux/avc.c:1160 avc_has_perm+0xc0/0x1c0 security/selinux/avc.c:1195 inode_has_perm+0x168/0x1d0 security/selinux/hooks.c:1681 selinux_mmap_file+0x10a/0x1b0 security/selinux/hooks.c:3955 security_mmap_file+0x82a/0x990 security/security.c:2982 vm_mmap_pgoff+0xec/0x450 mm/util.c:573 ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:607 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f192df8e9a3 Code: f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 89 ca 41 f7 c1 ff 0f 00 00 75 14 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 25 c3 0f 1f 40 00 48 c7 c0 a8 ff ff ff 64 c7 RSP: 002b:00007ffc74b62c38 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 0000000000400000 RCX: 00007f192df8e9a3 RDX: 0000000000000003 RSI: 00000000003c0000 RDI: 0000001b2e260000 RBP: 0000001b2e260000 R08: 0000000000000004 R09: 0000000000040000 R10: 0000000000000011 R11: 0000000000000246 R12: 00000000000000a6 R13: 00000000000927c0 R14: 0000000000019cd0 R15: 00007ffc74b62f20 ---------------- Code disassembly (best guess): 0: f5 cmc 1: 53 push %rbx 2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi 7: 48 89 fb mov %rdi,%rbx a: 48 83 c7 18 add $0x18,%rdi e: e8 e6 d2 19 f6 call 0xf619d2f9 13: 48 89 df mov %rbx,%rdi 16: e8 ce 26 1a f6 call 0xf61a26e9 1b: f7 c5 00 02 00 00 test $0x200,%ebp 21: 75 23 jne 0x46 23: 9c pushf 24: 58 pop %rax 25: f6 c4 02 test $0x2,%ah 28: 75 37 jne 0x61 * 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction 2f: e8 65 4e 0a f6 call 0xf60a4e99 34: 65 8b 05 2e 72 2c 08 mov %gs:0x82c722e(%rip),%eax # 0x82c7269 3b: 85 c0 test %eax,%eax 3d: 74 16 je 0x55 3f: 5b pop %rbx