program:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000340), 0x0, 0x0)
r1 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000000)='/proc/sysvipc/msg\x00', 0x0, 0x0)
openat$tun(0xffffffffffffff9c, 0x0, 0x10040, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
ioctl$TUNSETIFF(0xffffffffffffffff, 0x400454ca, 0x0)
socketpair(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, <r3=>0xffffffffffffffff})
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x10, 0x4, &(0x7f0000001300)=@framed={{}, [@ldst={0x1, 0x2, 0x3, 0x0, 0x1, 0x16}]}, &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x9, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x80)
ioctl$PERF_EVENT_IOC_SET_FILTER(r3, 0x8914, &(0x7f0000000080))
perf_event_open(&(0x7f00000003c0)={0x2, 0x80, 0xa2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$SIOCSIFHWADDR(r2, 0x8914, &(0x7f0000000280)={'wlan0\x00', @multicast})
ioctl$SIOCGSTAMPNS(r1, 0x8907, &(0x7f0000000040))
r4 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0x97, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000400000/0xc00000)=nil, 0xc00000, 0x1000002, 0x59032, 0xffffffffffffffff, 0x0)
r5 = userfaultfd(0x801)
ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_REGISTER(r5, 0xc020aa00, &(0x7f0000000040)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x4})
ioctl$UFFDIO_COPY(r5, 0xc028aa03, &(0x7f0000000080)={&(0x7f0000800000/0x800000)=nil, &(0x7f0000582000/0x2000)=nil, 0x800000})
bind$alg(r1, &(0x7f0000000100)={0x26, 'hash\x00', 0x0, 0x0, 'michael_mic\x00'}, 0x58)
ioctl$KVM_XEN_HVM_CONFIG(r4, 0x4038ae7a, &(0x7f0000000240)={0x2, 0xda0, 0x0, 0x0})
ioctl$MEDIA_IOC_ENUM_LINKS(0xffffffffffffffff, 0xc0287c02, 0x0)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
syz_emit_vhci(&(0x7f0000000240)=ANY=[@ANYBLOB="02c82008"], 0x23)
ioctl$KVM_CREATE_VCPU(r4, 0xae41, 0x1)
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f00000002c0)={0x5, &(0x7f0000000180)=[{0xfff7, 0x7, 0x3, 0x401}, {0xfff9, 0x8, 0x5, 0x4}, {0x8, 0x3, 0xe2, 0x1}, {0x5, 0x3, 0x1, 0x9}, {0x0, 0x8, 0xb3, 0x4}]})

[   68.899658][   T48] Bluetooth: hci0: command tx timeout
[   69.005503][ T5321] mac80211_hwsim hwsim2 wlan0: entered promiscuous mode
[   69.010551][ T5321] mac80211_hwsim hwsim2 wlan0: entered allmulticast mode
[   69.050333][   T48] Bluetooth: Frame is too long (len 30, expected len 17)
[   69.056547][ T5321] 
[   69.058116][ T5321] =============================
[   69.060168][ T5321] WARNING: suspicious RCU usage
[   69.062116][ T5321] 6.14.0-rc4-syzkaller-00212-g276f98efb64a #0 Not tainted
[   69.064891][ T5321] -----------------------------
[   69.067171][ T5321] ./include/linux/kvm_host.h:1059 suspicious rcu_dereference_check() usage!
[   69.071497][ T5321] 
[   69.071497][ T5321] other info that might help us debug this:
[   69.071497][ T5321] 
[   69.075651][ T5321] 
[   69.075651][ T5321] rcu_scheduler_active = 2, debug_locks = 1
[   69.079080][ T5321] no locks held by syz.0.0/5321.
[   69.081370][ T5321] 
[   69.081370][ T5321] stack backtrace:
[   69.083748][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.14.0-rc4-syzkaller-00212-g276f98efb64a #0
[   69.083769][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.083779][ T5321] Call Trace:
[   69.083787][ T5321]  <TASK>
[   69.083794][ T5321]  dump_stack_lvl+0x241/0x360
[   69.083911][ T5321]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.083926][ T5321]  ? __pfx__printk+0x10/0x10
[   69.083945][ T5321]  lockdep_rcu_suspicious+0x226/0x340
[   69.083961][ T5321]  kvm_vcpu_gfn_to_memslot+0x429/0x4c0
[   69.083980][ T5321]  kvm_vcpu_write_guest+0x7c/0x130
[   69.083991][ T5321]  kvm_xen_write_hypercall_page+0x50a/0x5f0
[   69.084012][ T5321]  ? __pfx_kvm_xen_write_hypercall_page+0x10/0x10
[   69.084031][ T5321]  kvm_set_msr_common+0x154/0x3b10
[   69.084043][ T5321]  ? kvm_clear_async_pf_completion_queue+0x3a7/0x3f0
[   69.084059][ T5321]  ? __pfx_lock_release+0x10/0x10
[   69.084080][ T5321]  ? __pfx_kvm_set_msr_common+0x10/0x10
[   69.084098][ T5321]  ? do_raw_spin_unlock+0x58/0x8b0
[   69.084119][ T5321]  vmx_set_msr+0x151d/0x26f0
[   69.084126][ T5321]  ? _raw_spin_unlock+0x28/0x50
[   69.084162][ T5321]  ? kvm_clear_async_pf_completion_queue+0x3a7/0x3f0
[   69.084175][ T5321]  kvm_vcpu_reset+0xbea/0x1740
[   69.084189][ T5321]  ? __pfx_kvm_vcpu_reset+0x10/0x10
[   69.084198][ T5321]  ? __raw_spin_lock_init+0x45/0x100
[   69.084212][ T5321]  kvm_arch_vcpu_create+0x8f4/0xa80
[   69.084224][ T5321]  kvm_vm_ioctl_create_vcpu+0x3d8/0x8b0
[   69.084244][ T5321]  kvm_vm_ioctl+0x7be/0xd50
[   69.084258][ T5321]  ? mark_lock+0x9a/0x360
[   69.084269][ T5321]  ? __pfx_kvm_vm_ioctl+0x10/0x10
[   69.084287][ T5321]  ? tomoyo_path_number_perm+0x209/0x770
[   69.084335][ T5321]  ? __pfx_lock_release+0x10/0x10
[   69.084359][ T5321]  ? tomoyo_path_number_perm+0x5dd/0x770
[   69.084374][ T5321]  ? tomoyo_path_number_perm+0x5dd/0x770
[   69.084389][ T5321]  ? tomoyo_path_number_perm+0x65d/0x770
[   69.084405][ T5321]  ? __lock_acquire+0x1397/0x2100
[   69.084422][ T5321]  ? tomoyo_path_number_perm+0x209/0x770
[   69.084437][ T5321]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   69.084472][ T5321]  ? __fget_files+0x2a/0x410
[   69.084491][ T5321]  ? __fget_files+0x2a/0x410
[   69.084508][ T5321]  ? __pfx_kvm_vm_ioctl+0x10/0x10
[   69.084523][ T5321]  __se_sys_ioctl+0xf5/0x170
[   69.084539][ T5321]  do_syscall_64+0xf3/0x230
[   69.084556][ T5321]  ? clear_bhb_loop+0x35/0x90
[   69.084573][ T5321]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.084591][ T5321] RIP: 0033:0x7f480618d169
[   69.084605][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   69.084613][ T5321] RSP: 002b:00007f4806ffc038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   69.084628][ T5321] RAX: ffffffffffffffda RBX: 00007f48063a5fa0 RCX: 00007f480618d169
[   69.084636][ T5321] RDX: 0000000000000001 RSI: 000000000000ae41 RDI: 000000000000000a
[   69.084642][ T5321] RBP: 00007f480620e2a0 R08: 0000000000000000 R09: 0000000000000000
[   69.084648][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   69.084655][ T5321] R13: 0000000000000000 R14: 00007f48063a5fa0 R15: 00007ffd91596928
[   69.084669][ T5321]  </TASK>
[   69.283282][ T5321] syz.0.0 (5321) used greatest stack depth: 19344 bytes left