=============================
[ BUG: Invalid wait context ]
6.16.0-rc2-syzkaller-00231-g75f5f23f8787 #0 Not tainted
-----------------------------
syz.4.6863/24884 is trying to lock:
ffffc90012e52410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
other info that might help us debug this:
context-{2:2}
4 locks held by syz.4.6863/24884:
 #0: ffff88807ad0ace0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline]
 #0: ffff88807ad0ace0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x12e/0xb50 mm/mmap.c:1269
 #1: ffffffff8e33eda0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #1: ffffffff8e33eda0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #1: ffffffff8e33eda0 (rcu_read_lock){....}-{1:3}, at: ___pte_offset_map+0x29/0x2c0 mm/pgtable-generic.c:287
 #2: ffff88803207d078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #2: ffff88803207d078 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: __pte_offset_map_lock+0x13e/0x210 mm/pgtable-generic.c:402
 #3: ffffc90012e52960 (&kvm->srcu){.?.?}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #3: ffffc90012e52960 (&kvm->srcu){.?.?}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #3: ffffc90012e52960 (&kvm->srcu){.?.?}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0 arch/x86/kvm/xen.c:1818
stack backtrace:
CPU: 1 UID: 0 PID: 24884 Comm: syz.4.6863 Not tainted 6.16.0-rc2-syzkaller-00231-g75f5f23f8787 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline]
 check_wait_context kernel/locking/lockdep.c:4905 [inline]
 __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
 _raw_read_lock_irqsave+0xaf/0x100 kernel/locking/spinlock.c:236
 kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x4e0/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1887
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
 __sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1056
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 6b 80 58 f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 13 6c 21 f6 65 8b 05 fc 97 50 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc90000a08c00 EFLAGS: 00000206
RAX: 0b1f104cd40d1500 RBX: 0000000000000a06 RCX: 0b1f104cd40d1500
RDX: 0000000000000002 RSI: ffffffff8da4c097 RDI: 0000000000000001
RBP: ffffc90000a08c90 R08: ffffffff8fc231f7 R09: 1ffffffff1f8463e
R10: dffffc0000000000 R11: fffffbfff1f8463f R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff8880b8727ac0 R15: 1ffff92000141180
 __run_hrtimer kernel/time/hrtimer.c:1757 [inline]
 __hrtimer_run_queues+0x408/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:kasan_mem_to_shadow include/linux/kasan.h:64 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:130 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x6f/0x2c0 mm/kasan/generic.c:189
Code: 1e fa 4c 39 cf 0f 82 58 02 00 00 49 89 ff 49 c1 ef 03 49 ba 00 00 00 00 00 fc ff df 4f 8d 1c 17 49 ff c8 4d 89 c1 49 c1 e9 03 <48> bb 01 00 00 00 00 fc ff df 4d 8d 34 19 4d 89 f4 4d 29 dc 49 83
RSP: 0018:ffffc900133575a8 EFLAGS: 00000a07
RAX: ffffffff820a6c01 RBX: 0000000000000000 RCX: ffffffff820a6c6d
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffea0001a62740
RBP: ffffc90013357890 R08: ffffea0001a62747 R09: 1ffffd400034c4e8
R10: dffffc0000000000 R11: fffff9400034c4e8 R12: 00007f57c8e9b000
R13: dffffc0000000000 R14: ffff88804da53400 R15: 1ffffd400034c4e8
 instrument_atomic_read include/linux/instrumented.h:68 [inline]
 _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
 folio_test_head include/linux/page-flags.h:867 [inline]
 folio_test_large include/linux/page-flags.h:888 [inline]
 folio_mapcount include/linux/mm.h:1139 [inline]
 zap_present_folio_ptes mm/memory.c:1531 [inline]
 zap_present_ptes mm/memory.c:1590 [inline]
 do_zap_pte_range mm/memory.c:1691 [inline]
 zap_pte_range mm/memory.c:1735 [inline]
 zap_pmd_range mm/memory.c:1827 [inline]
 zap_pud_range mm/memory.c:1856 [inline]
 zap_p4d_range mm/memory.c:1877 [inline]
 unmap_page_range+0x1ead/0x41c0 mm/memory.c:1898
 unmap_single_vma mm/memory.c:1941 [inline]
 unmap_vmas+0x399/0x580 mm/memory.c:1985
 exit_mmap+0x248/0xb50 mm/mmap.c:1284
 __mmput+0x118/0x420 kernel/fork.c:1121
 exit_mm+0x1da/0x2c0 kernel/exit.c:581
 do_exit+0x640/0x22e0 kernel/exit.c:943
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1104
 __do_sys_exit_group kernel/exit.c:1115 [inline]
 __se_sys_exit_group kernel/exit.c:1113 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113
 x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f57c978e929
Code: Unable to access opcode bytes at 0x7f57c978e8ff.
RSP: 002b:00007ffd82a8bbc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f57c978e929
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffd82a8bc2c R08: 0000000382a8bcbf R09: 00000000000927c0
R10: 0000000000000001 R11: 0000000000000246 R12: 00000000000001f5
R13: 00000000000927c0 R14: 00000000000e75da R15: 00007ffd82a8bc80
 </TASK>
----------------
Code disassembly (best guess):
   0:	74 05                	je     0x7
   2:	e8 6b 80 58 f6       	call   0xf6588072
   7:	48 c7 44 24 20 00 00 	movq   $0x0,0x20(%rsp)
   e:	00 00
  10:	9c                   	pushf
  11:	8f 44 24 20          	pop    0x20(%rsp)
  15:	f6 44 24 21 02       	testb  $0x2,0x21(%rsp)
  1a:	75 4f                	jne    0x6b
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 13 6c 21 f6       	call   0xf6216c42 <-- trapping instruction
  2f:	65 8b 05 fc 97 50 07 	mov    %gs:0x75097fc(%rip),%eax        # 0x7509832
  36:	85 c0                	test   %eax,%eax
  38:	74 40                	je     0x7a
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	04 24                	add    $0x24,%al
  3e:	0e                   	(bad)
  3f:	36                   	ss