=============================
[ BUG: Invalid wait context ]
6.15.0-syzkaller-11802-g1af80d00e1e0 #0 Not tainted
-----------------------------
syz.5.1940/12737 is trying to lock:
ffffc9000bd50410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1819
other info that might help us debug this:
context-{2:2}
2 locks held by syz.5.1940/12737:
 #0: ffff8880244747d8 (&u->iolock){+.+.}-{4:4}, at: __unix_dgram_recvmsg+0x1e2/0xde0 net/unix/af_unix.c:2499
 #1: ffffc9000bd50960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #1: ffffc9000bd50960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #1: ffffc9000bd50960 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0 arch/x86/kvm/xen.c:1817
stack backtrace:
CPU: 1 UID: 0 PID: 12737 Comm: syz.5.1940 Not tainted 6.15.0-syzkaller-11802-g1af80d00e1e0 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline]
 check_wait_context kernel/locking/lockdep.c:4905 [inline]
 __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
 _raw_read_lock_irqsave+0xaf/0x100 kernel/locking/spinlock.c:236
 kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1819
 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x4e0/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1887
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
 __sysvec_apic_timer_interrupt+0x108/0x410 arch/x86/kernel/apic/apic.c:1056
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 3b ac 60 f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> e3 9a 29 f6 65 8b 05 ac 03 35 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc9000402f520 EFLAGS: 00000206
RAX: 1dd32e5a5bc1f300 RBX: 0000000000000a02 RCX: 1dd32e5a5bc1f300
RDX: 0000000000000006 RSI: ffffffff8d979f2e RDI: 0000000000000001
RBP: ffffc9000402f5b8 R08: ffffffff8fa0f5f7 R09: 1ffffffff1f41ebe
R10: dffffc0000000000 R11: fffffbfff1f41ebf R12: dffffc0000000000
R13: 1ffff1100488e86d R14: ffff888024474300 R15: 1ffff92000805ea4
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 __skb_try_recv_datagram+0x17c/0x4e0 net/core/datagram.c:267
 __unix_dgram_recvmsg+0x2d5/0xde0 net/unix/af_unix.c:2502
 sock_recvmsg_nosec+0x186/0x1c0 net/socket.c:1017
 ____sys_recvmsg+0x3aa/0x460 net/socket.c:2784
 ___sys_recvmsg+0x1b5/0x510 net/socket.c:2828
 do_recvmmsg+0x36a/0x770 net/socket.c:2915
 __sys_recvmmsg+0x19d/0x280 net/socket.c:2997
 __do_compat_sys_recvmmsg_time32 net/compat.c:418 [inline]
 __se_compat_sys_recvmmsg_time32 net/compat.c:414 [inline]
 __ia32_compat_sys_recvmmsg_time32+0xbf/0xe0 net/compat.c:414
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xb6/0x2b0 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf710e539
Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f50dd55c EFLAGS: 00000206 ORIG_RAX: 0000000000000151
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000800000c0
RDX: 0000000000010106 RSI: 0000000000000002 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
vkms_vblank_simulate: vblank timer overrun
----------------
Code disassembly (best guess):
   0:	74 05                	je     0x7
   2:	e8 3b ac 60 f6       	call   0xf660ac42
   7:	48 c7 44 24 20 00 00 	movq   $0x0,0x20(%rsp)
   e:	00 00
  10:	9c                   	pushf
  11:	8f 44 24 20          	pop    0x20(%rsp)
  15:	f6 44 24 21 02       	testb  $0x2,0x21(%rsp)
  1a:	75 4f                	jne    0x6b
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 e3 9a 29 f6       	call   0xf6299b12 <-- trapping instruction
  2f:	65 8b 05 ac 03 35 07 	mov    %gs:0x73503ac(%rip),%eax        # 0x73503e2
  36:	85 c0                	test   %eax,%eax
  38:	74 40                	je     0x7a
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	04 24                	add    $0x24,%al
  3e:	0e                   	(bad)
  3f:	36                   	ss