program:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000380)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f00000000c0)={0x73622a85, 0x110b, 0x8000000000002})
r1 = openat$udambuf(0xffffffffffffff9c, &(0x7f0000000580), 0x2)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f00000005c0)={&(0x7f0000fa3000/0x2000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000f1f000/0x4000)=nil, &(0x7f000043d000/0x14000)=nil, &(0x7f0000bc5000/0x2000)=nil, &(0x7f0000f35000/0x4000)=nil, &(0x7f0000459000/0x2000)=nil, &(0x7f0000885000/0x1000)=nil, &(0x7f0000c04000/0x1000)=nil, &(0x7f0000f03000/0x1000)=nil, &(0x7f0000548000/0x4000)=nil, &(0x7f0000000480)="a95d384481b751d027fb3c2f4c87eddc9291b3d98fa4cfa5c9bb90562ad358935d5244a5fd65ad613566b55b80a4d83f50b2d9e3f0f88d2d80f5a90073c69db430bca4461868a2840613219298e0b8c39ddc7df020b753bfac54e16df8ab0ac84027963b381fbbe489c571cda76375b3acd483274ca48418db27c7c9057a5ec55eb31f3cda2e88b7b0de183273c5fb57f3497333a2818a9716e132939e1f04b232e1b2e560ee613ce3960a75d30271b5f41d29faf1cae1b5b2538db0ff2449cea69c9fb778", 0xc5, r1}, 0x68)
keyctl$read(0xb, 0x0, 0x0, 0x0)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000200)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r3 = openat$kvm(0x0, &(0x7f0000000040), 0x0, 0x0)
r4 = ioctl$KVM_CREATE_VM(r3, 0xae01, 0x0)
r5 = ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x0)
ioctl$KVM_SET_CPUID2(r5, 0x4048aecb, &(0x7f0000000640)=ANY=[@ANYBLOB="070000000000000007000000ffffffff4932ffae000000000600000006000000020000000000000000000000000000000700008004000000000000000180000027000000070000007f00000000000000000000000000000001000040080000000000000003000000ffffff7f05000000ffff00000000000000000000000000000b0000005f0e00000100000007000000f40d000006000000ffffff7f0000000000000000000000000000008000000000050000ffff0000000000000000000000000d000000bb020000010000000d00000003000000ff070000ffffffff00000000000000000000000008000080bf03000000000000f90000005ca1ffff24a5000007000000000000000000000000000000543cb1db7774204e1f8831d4a96cd54d5984cb0da206476ddbb3599da73b85df63df7ae6123b3601bc5d15c58d5f420079be34fbfc9ed55b50d5a2ef109155580c61ff1364d6e4558525a47e400438a5fa2448b0608a161fb74437aa251bdaff2af0fc7d613fa57fa25c61faea3c2a141cead100b7c18a5a88d17ed794736a126c1bb8af7b36ac906bc85a13a5993be170c8d6ccfd34e393f3ca34dc30cac74da60ef3e862440a672eef305e6eabef9f6a44d2f269e770d459b0bdc62645bd0c470daa4c6dd1896598ef6e90f036b1cd9ec848cba0191b4e93e7baec71dc55b33f18bd4faacd1e4f37b22ff57f51c20a42a96600969d33d607b2391a843bf2f4e1fbb70eb035bdcf1fbdfd7e459265cb53bc07ce7d2b4b2cdb76181638da42a8997e291f71c91e4a967ad40d651c7c5bf9ad494add884c7766b5f65e50c13e86a5d2745b61ed62ba631bdcdf701ab031c0e63d1c6ff9c0d35d69e1c70aa203bc7090f10b8f1e26a448756f4b319800dcbb3f20ee70f7dee0dfd576370163e93e1398a3742de23ee11f9a3d61010573c8c16daca7181ee951809691b56481cd81384bfc9690466561f410047c727a272b04f318738d9567c49eac5efd3d1780e7e8cc3fe089cb1c17ba34744e8cf466914d46ffdf7901b224951bf9930592584b3015a5241298aae6d2760ae9d9ec753d041f9a5066b8ba979a08e578d58beb708a1022ebb2ed49b8ef492747171fe06d07f2c7faf1c97b2d90ce4571da6a23d2f446f82c39fe196ccadb3381998dd5599e868f6484eb870416e68196e7f37a1fcee02dfa04c0aa88b793cab7576c46"])
r6 = dup3(r2, r0, 0x0)
r7 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000000)='./binderfs/binder0\x00', 0x802, 0x0)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, r7, 0x10000000000)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r7, 0x4018620d, &(0x7f0000000040)={0x73622a85, 0x10a})
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000180), 0xb6, 0x0, &(0x7f0000000280)="064ddc894c500d0c84d4112589f95ced334d88fa5878a3b898153d8446663ee5f6dbafcc1d318884b088b0d93b8a5a62679ad1fab9d98d9dad415059cd82fd8c78bab2515a1d88e7dd8cb1ec26de45ed6d037facb40fb2552fe5f43fc051115f2c6e907c8ae57c1b459bada62a157a0c2d691e5784dabdb8c5f0d236a95e5459db85e3fb5067f545e6ebe816f53def19f704c4401d4dba649da6a881fbc65602f8c8d4977c718d5bf53cdd8c3325ea49f7252c7ac4f9"})
syz_usb_connect$printer(0x0, 0x0, 0x0, 0x0)
r8 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/vm/drop_caches\x00', 0x1, 0x0)
writev(r8, &(0x7f0000000200)=[{&(0x7f0000000140)='2', 0x1}], 0x1)
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000340)=[@acquire], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x4c, 0x0, &(0x7f0000000100)=[@transaction_sg={0x40486311, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1018, 0x0, &(0x7f0000000240)={0x30, 0x30, 0x30}}, 0x1000}], 0x0, 0x0, 0x0})
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x3000002, 0x5d031, 0xffffffffffffffff, 0x0)
openat(r6, &(0x7f0000000180)='./file0\x00', 0xc0000, 0x4)

[   84.738834][ T5326] Bluetooth: hci0: command tx timeout
[   85.625332][ T5353] syz.0.0 (5353): drop_caches: 2
[   86.677515][   T10] cfg80211: failed to load regulatory.db
[   86.752673][ T5326] Bluetooth: hci0: command tx timeout
[   87.712775][    C0] 
[   87.713823][    C0] =============================
[   87.715831][    C0] [ BUG: Invalid wait context ]
[   87.717782][    C0] 6.16.0-rc4-syzkaller-00286-gc435a4f487e8 #0 Not tainted
[   87.720671][    C0] -----------------------------
[   87.722694][    C0] kworker/u4:3/38 is trying to lock:
[   87.724839][    C0] ffffc900019f7410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0
[   87.729038][    C0] other info that might help us debug this:
[   87.731787][    C0] context-{2:2}
[   87.733360][    C0] 3 locks held by kworker/u4:3/38:
[   87.735617][    C0]  #0: ffff88803f4c4148 ((wq_completion)bat_events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[   87.740732][    C0]  #1: ffffc90000597bc0 ((work_completion)(&(&bat_priv->nc.work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[   87.746444][    C0]  #2: ffffc900019f7960 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0
[   87.750756][    C0] stack backtrace:
[   87.752558][    C0] CPU: 0 UID: 0 PID: 38 Comm: kworker/u4:3 Not tainted 6.16.0-rc4-syzkaller-00286-gc435a4f487e8 #0 PREEMPT(full) 
[   87.752572][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   87.752579][    C0] Workqueue: bat_events batadv_nc_worker
[   87.752647][    C0] Call Trace:
[   87.752655][    C0]  <IRQ>
[   87.752660][    C0]  dump_stack_lvl+0x189/0x250
[   87.752675][    C0]  ? __pfx_dump_stack_lvl+0x10/0x10
[   87.752686][    C0]  ? __pfx__printk+0x10/0x10
[   87.752698][    C0]  ? print_lock_name+0xde/0x100
[   87.752711][    C0]  __lock_acquire+0xbcb/0xd20
[   87.752723][    C0]  ? kvm_xen_set_evtchn_fast+0x1fb/0x9b0
[   87.752733][    C0]  lock_acquire+0x120/0x360
[   87.752742][    C0]  ? kvm_xen_set_evtchn_fast+0x1fb/0x9b0
[   87.752754][    C0]  _raw_read_lock_irqsave+0xaf/0x100
[   87.752769][    C0]  ? kvm_xen_set_evtchn_fast+0x1fb/0x9b0
[   87.752780][    C0]  ? __pfx__raw_read_lock_irqsave+0x10/0x10
[   87.752792][    C0]  ? xa_load+0x1ea/0x210
[   87.752803][    C0]  kvm_xen_set_evtchn_fast+0x1fb/0x9b0
[   87.752811][    C0]  ? do_raw_spin_unlock+0x4d/0x240
[   87.752824][    C0]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   87.752837][    C0]  ? kvm_xen_set_evtchn_fast+0x1c3/0x9b0
[   87.752847][    C0]  xen_timer_callback+0x109/0x220
[   87.752857][    C0]  ? __pfx_xen_timer_callback+0x10/0x10
[   87.752867][    C0]  __hrtimer_run_queues+0x4e0/0xc60
[   87.752918][    C0]  ? __pfx___hrtimer_run_queues+0x10/0x10
[   87.752930][    C0]  hrtimer_interrupt+0x45b/0xaa0
[   87.752945][    C0]  __sysvec_apic_timer_interrupt+0x10b/0x410
[   87.752957][    C0]  sysvec_apic_timer_interrupt+0xa1/0xc0
[   87.752972][    C0]  </IRQ>
[   87.752975][    C0]  <TASK>
[   87.752979][    C0]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   87.752991][    C0] RIP: 0010:__local_bh_enable_ip+0x135/0x1c0
[   87.753004][    C0] Code: 8b e8 6f c1 e9 09 65 66 8b 05 7f 9e 1a 11 66 85 c0 75 5a bf 01 00 00 00 e8 a8 32 0b 00 e8 f3 48 42 00 fb 65 8b 05 5b 9e 1a 11 <85> c0 75 05 e8 92 04 ae ff 48 c7 04 24 0e 36 e0 45 4b c7 04 37 00
[   87.753012][    C0] RSP: 0018:ffffc900005978e0 EFLAGS: 00000282
[   87.753021][    C0] RAX: 0000000080000000 RBX: 0000000000000201 RCX: 7988a73a409ce800
[   87.753028][    C0] RDX: 0000000000000006 RSI: ffffffff8d9979f6 RDI: ffffffff8be29680
[   87.753033][    C0] RBP: ffffc90000597978 R08: ffffffff8fa1e7f7 R09: 1ffffffff1f43cfe
[   87.753037][    C0] R10: dffffc0000000000 R11: fffffbfff1f43cff R12: ffffffff8b3d7c28
[   87.753041][    C0] R13: dffffc0000000000 R14: dffffc0000000000 R15: 1ffff920000b2f1c
[   87.753046][    C0]  ? batadv_nc_purge_paths+0x318/0x3b0
[   87.753058][    C0]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   87.753066][    C0]  ? do_raw_spin_unlock+0x4d/0x240
[   87.753074][    C0]  ? batadv_nc_purge_paths+0x318/0x3b0
[   87.753082][    C0]  ? __pfx_batadv_nc_to_purge_nc_path_coding+0x10/0x10
[   87.753092][    C0]  batadv_nc_purge_paths+0x318/0x3b0
[   87.753108][    C0]  batadv_nc_worker+0x328/0x610
[   87.753121][    C0]  ? process_scheduled_works+0x9ef/0x17b0
[   87.753132][    C0]  process_scheduled_works+0xade/0x17b0
[   87.753148][    C0]  ? __pfx_process_scheduled_works+0x10/0x10
[   87.753162][    C0]  worker_thread+0x8a0/0xda0
[   87.753174][    C0]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   87.753264][    C0]  ? __kthread_parkme+0x7b/0x200
[   87.753278][    C0]  kthread+0x70e/0x8a0
[   87.753292][    C0]  ? __pfx_worker_thread+0x10/0x10
[   87.753302][    C0]  ? __pfx_kthread+0x10/0x10
[   87.753313][    C0]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.753325][    C0]  ? lockdep_hardirqs_on+0x9c/0x150
[   87.753334][    C0]  ? __pfx_kthread+0x10/0x10
[   87.753347][    C0]  ret_from_fork+0x3fc/0x770
[   87.753359][    C0]  ? __pfx_ret_from_fork+0x10/0x10
[   87.753370][    C0]  ? __pfx_kthread+0x10/0x10
[   87.753419][    C0]  ret_from_fork_asm+0x1a/0x30
[   87.753440][    C0]  </TASK>