=============================
[ BUG: Invalid wait context ]
6.16.0-rc3-syzkaller-00044-g7595b66ae9de #0 Not tainted
-----------------------------
kworker/0:5/5322 is trying to lock:
ffffc900019cf410 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
other info that might help us debug this:
context-{2:2}
5 locks held by kworker/0:5/5322:
 #0: ffff88803e9b5148 ((wq_completion)mld){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88803e9b5148 ((wq_completion)mld){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 kernel/workqueue.c:3321
 #1: ffffc9000d567bc0 ((work_completion)(&(&idev->mc_dad_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc9000d567bc0 ((work_completion)(&(&idev->mc_dad_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 kernel/workqueue.c:3321
 #2: ffff888052dc3538 (&idev->mc_lock){+.+.}-{4:4}, at: mld_dad_work+0x3d/0x520 net/ipv6/mcast.c:2307
 #3: ffffffff8e13ee60 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #3: ffffffff8e13ee60 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #3: ffffffff8e13ee60 (rcu_read_lock){....}-{1:3}, at: mld_sendpack+0x1de/0xd80 net/ipv6/mcast.c:1840
 #4: ffffc900019cf960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #4: ffffc900019cf960 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #4: ffffc900019cf960 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c3/0x9b0 arch/x86/kvm/xen.c:1818
stack backtrace:
CPU: 0 UID: 0 PID: 5322 Comm: kworker/0:5 Not tainted 6.16.0-rc3-syzkaller-00044-g7595b66ae9de #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: mld mld_dad_work
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4833 [inline]
 check_wait_context kernel/locking/lockdep.c:4905 [inline]
 __lock_acquire+0xbcb/0xd20 kernel/locking/lockdep.c:5190
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5871
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:160 [inline]
 _raw_read_lock_irqsave+0xaf/0x100 kernel/locking/spinlock.c:236
 kvm_xen_set_evtchn_fast+0x1fb/0x9b0 arch/x86/kvm/xen.c:1820
 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x4e0/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1887
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
 __sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1056
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 fb a3 5e f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> d3 8e 27 f6 65 8b 05 bc ba 33 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc9000d567440 EFLAGS: 00000206
RAX: b39208c900fb3200 RBX: 0000000000000a06 RCX: b39208c900fb3200
RDX: 0000000000000006 RSI: ffffffff8d98234b RDI: 0000000000000001
RBP: ffffc9000d5674d0 R08: ffffffff8fa10bf7 R09: 1ffffffff1f4217e
R10: dffffc0000000000 R11: fffffbfff1f4217f R12: dffffc0000000000
R13: 0000000000000003 R14: ffff88801a440480 R15: 1ffff92001aace88
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 get_partial_node+0x389/0x400 mm/slub.c:2901
 get_partial mm/slub.c:2981 [inline]
 ___slab_alloc+0xb50/0x1480 mm/slub.c:3839
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __kmalloc_cache_noprof+0x296/0x3d0 mm/slub.c:4354
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 ref_tracker_alloc+0x133/0x460 lib/ref_tracker.c:203
 __netdev_tracker_alloc include/linux/netdevice.h:4341 [inline]
 netdev_hold include/linux/netdevice.h:4370 [inline]
 dst_init+0xd9/0x450 net/core/dst.c:52
 dst_alloc+0x12a/0x170 net/core/dst.c:93
 ip6_dst_alloc net/ipv6/route.c:342 [inline]
 icmp6_dst_alloc+0x75/0x420 net/ipv6/route.c:3324
 mld_sendpack+0x678/0xd80 net/ipv6/mcast.c:1857
 mld_dad_work+0x45/0x520 net/ipv6/mcast.c:2308
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	74 05                	je     0x7
   2:	e8 fb a3 5e f6       	call   0xf65ea402
   7:	48 c7 44 24 20 00 00 	movq   $0x0,0x20(%rsp)
   e:	00 00
  10:	9c                   	pushf
  11:	8f 44 24 20          	pop    0x20(%rsp)
  15:	f6 44 24 21 02       	testb  $0x2,0x21(%rsp)
  1a:	75 4f                	jne    0x6b
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 d3 8e 27 f6       	call   0xf6278f02 <-- trapping instruction
  2f:	65 8b 05 bc ba 33 07 	mov    %gs:0x733babc(%rip),%eax        # 0x733baf2
  36:	85 c0                	test   %eax,%eax
  38:	74 40                	je     0x7a
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	04 24                	add    $0x24,%al
  3e:	0e                   	(bad)
  3f:	36                   	ss