BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:231 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 8019, name: syz.3.565 preempt_count: 10001, expected: 0 RCU nest depth: 3, expected: 3 6 locks held by syz.3.565/8019: #0: ffff88803c9c1db0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:592 [inline] #0: ffff88803c9c1db0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x194/0x9e0 mm/mmap.c:1284 #1: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #1: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #1: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x29/0x200 mm/pgtable-generic.c:290 #2: ffff888040a3ba18 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline] #2: ffff888040a3ba18 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x13d/0x210 mm/pgtable-generic.c:404 #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline] #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57 #4: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #4: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #4: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: page_table_check_clear+0x124/0x4f0 mm/page_table_check.c:77 #5: ffff88803b131ac8 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline] #5: ffff88803b131ac8 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline] #5: ffff88803b131ac8 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c6/0x9a0 arch/x86/kvm/xen.c:1817 irq event stamp: 1428 hardirqs last enabled at (1427): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline] hardirqs last enabled at (1427): [] _raw_spin_unlock_irqrestore+0x30/0x80 kernel/locking/spinlock.c:198 hardirqs last disabled at (1428): [] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1061 softirqs last enabled at (0): [] rcu_lock_acquire include/linux/rcupdate.h:300 [inline] softirqs last enabled at (0): [] rcu_read_lock include/linux/rcupdate.h:838 [inline] softirqs last enabled at (0): [] copy_process+0xd87/0x4460 kernel/fork.c:2128 softirqs last disabled at (0): [<0000000000000000>] 0x0 Preemption disabled at: [] rcu_read_lock_sched include/linux/rcupdate.h:933 [inline] [] pfn_valid+0xb3/0x480 include/linux/mmzone.h:2281 CPU: 1 UID: 0 PID: 8019 Comm: syz.3.565 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 __might_resched+0x329/0x480 kernel/sched/core.c:9162 rt_read_lock+0xa9/0x4b0 kernel/locking/spinlock_rt.c:231 kvm_xen_set_evtchn_fast+0x1fc/0x9a0 arch/x86/kvm/xen.c:1819 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140 __run_hrtimer kernel/time/hrtimer.c:1930 [inline] __hrtimer_run_queues+0x3bc/0xb10 kernel/time/hrtimer.c:1994 hrtimer_interrupt+0x455/0x950 kernel/time/hrtimer.c:2113 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] __sysvec_apic_timer_interrupt+0x102/0x430 arch/x86/kernel/apic/apic.c:1067 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline] sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1061 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 RIP: 0010:check_preemption_disabled+0x6/0xe0 lib/smp_processor_id.c:14 Code: c7 c6 40 6f ca 8b eb 1c 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 41 56 53 <65> 8b 05 a7 4f 79 07 65 8b 0d 9c 4f 79 07 f7 c1 ff ff ff 7f 74 0c RSP: 0018:ffffc90003ec7308 EFLAGS: 00000282 RAX: ffffffff823591d4 RBX: 0000000000000001 RCX: ffff8880292b3d80 RDX: 0000000000000000 RSI: ffffffff8bca6f40 RDI: ffffffff8bca6f00 RBP: ffff88801cd7af20 R08: 0000000000000000 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffed10039af5e4 R12: 0000000000000003 R13: 0000000000000001 R14: 0000000000044bc9 R15: ffffffff82358ee4 rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline] rcu_is_watching+0x15/0xb0 kernel/rcu/tree.c:752 rcu_read_unlock include/linux/rcupdate.h:867 [inline] page_table_check_clear+0x41d/0x4f0 mm/page_table_check.c:89 ptep_get_and_clear_full arch/x86/include/asm/jump_label.h:-1 [inline] clear_full_ptes include/linux/pgtable.h:905 [inline] zap_present_folio_ptes mm/memory.c:1645 [inline] zap_present_ptes mm/memory.c:1714 [inline] do_zap_pte_range mm/memory.c:1816 [inline] zap_pte_range mm/memory.c:1918 [inline] zap_pmd_range mm/memory.c:2004 [inline] zap_pud_range mm/memory.c:2032 [inline] zap_p4d_range mm/memory.c:2053 [inline] __zap_vma_range+0x332b/0x4810 mm/memory.c:2093 unmap_vmas+0x379/0x530 mm/memory.c:2162 exit_mmap+0x280/0x9e0 mm/mmap.c:1300 __mmput+0xcb/0x3e0 kernel/fork.c:1178 exit_mm+0x18e/0x250 kernel/exit.c:581 do_exit+0x6a2/0x22c0 kernel/exit.c:963 do_group_exit+0x21b/0x2d0 kernel/exit.c:1117 get_signal+0x1284/0x1330 kernel/signal.c:3037 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline] do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe5ba8dc4ab Code: Unable to access opcode bytes at 0x7fe5ba8dc481. RSP: 002b:00007fe5b8af1f50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007fe5ba8dc4ab RDX: 0000000000000000 RSI: 000000000000550c RDI: 0000000000000003 RBP: 00007fe5ba972c91 R08: 0000000000000000 R09: 0000000000000040 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fe5bab56180 R15: 00007ffd1d873ef8 ============================= [ BUG: Invalid wait context ] syzkaller #0 Tainted: G W L ----------------------------- syz.3.565/8019 is trying to lock: ffff88803b1314d0 (&gpc->lock){....}-{3:3}, at: kvm_xen_set_evtchn_fast+0x1fc/0x9a0 arch/x86/kvm/xen.c:1819 other info that might help us debug this: context-{2:2} 6 locks held by syz.3.565/8019: #0: ffff88803c9c1db0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:592 [inline] #0: ffff88803c9c1db0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x194/0x9e0 mm/mmap.c:1284 #1: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #1: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #1: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x29/0x200 mm/pgtable-generic.c:290 #2: ffff888040a3ba18 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline] #2: ffff888040a3ba18 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x13d/0x210 mm/pgtable-generic.c:404 #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline] #3: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57 #4: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #4: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #4: ffffffff8e3c81c0 (rcu_read_lock){....}-{1:3}, at: page_table_check_clear+0x124/0x4f0 mm/page_table_check.c:77 #5: ffff88803b131ac8 (&kvm->srcu){.?.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline] #5: ffff88803b131ac8 (&kvm->srcu){.?.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline] #5: ffff88803b131ac8 (&kvm->srcu){.?.+}-{0:0}, at: kvm_xen_set_evtchn_fast+0x1c6/0x9a0 arch/x86/kvm/xen.c:1817 stack backtrace: CPU: 1 UID: 0 PID: 8019 Comm: syz.3.565 Tainted: G W L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [W]=WARN, [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_lock_invalid_wait_context kernel/locking/lockdep.c:4832 [inline] check_wait_context kernel/locking/lockdep.c:4904 [inline] __lock_acquire+0xec1/0x2cf0 kernel/locking/lockdep.c:5189 lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5870 rt_read_lock+0xcc/0x4b0 kernel/locking/spinlock_rt.c:232 kvm_xen_set_evtchn_fast+0x1fc/0x9a0 arch/x86/kvm/xen.c:1819 xen_timer_callback+0x109/0x220 arch/x86/kvm/xen.c:140 __run_hrtimer kernel/time/hrtimer.c:1930 [inline] __hrtimer_run_queues+0x3bc/0xb10 kernel/time/hrtimer.c:1994 hrtimer_interrupt+0x455/0x950 kernel/time/hrtimer.c:2113 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] __sysvec_apic_timer_interrupt+0x102/0x430 arch/x86/kernel/apic/apic.c:1067 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline] sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1061 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 RIP: 0010:check_preemption_disabled+0x6/0xe0 lib/smp_processor_id.c:14 Code: c7 c6 40 6f ca 8b eb 1c 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 41 56 53 <65> 8b 05 a7 4f 79 07 65 8b 0d 9c 4f 79 07 f7 c1 ff ff ff 7f 74 0c RSP: 0018:ffffc90003ec7308 EFLAGS: 00000282 RAX: ffffffff823591d4 RBX: 0000000000000001 RCX: ffff8880292b3d80 RDX: 0000000000000000 RSI: ffffffff8bca6f40 RDI: ffffffff8bca6f00 RBP: ffff88801cd7af20 R08: 0000000000000000 R09: 0000000000000000 R10: dffffc0000000000 R11: ffffed10039af5e4 R12: 0000000000000003 R13: 0000000000000001 R14: 0000000000044bc9 R15: ffffffff82358ee4 rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline] rcu_is_watching+0x15/0xb0 kernel/rcu/tree.c:752 rcu_read_unlock include/linux/rcupdate.h:867 [inline] page_table_check_clear+0x41d/0x4f0 mm/page_table_check.c:89 ptep_get_and_clear_full arch/x86/include/asm/jump_label.h:-1 [inline] clear_full_ptes include/linux/pgtable.h:905 [inline] zap_present_folio_ptes mm/memory.c:1645 [inline] zap_present_ptes mm/memory.c:1714 [inline] do_zap_pte_range mm/memory.c:1816 [inline] zap_pte_range mm/memory.c:1918 [inline] zap_pmd_range mm/memory.c:2004 [inline] zap_pud_range mm/memory.c:2032 [inline] zap_p4d_range mm/memory.c:2053 [inline] __zap_vma_range+0x332b/0x4810 mm/memory.c:2093 unmap_vmas+0x379/0x530 mm/memory.c:2162 exit_mmap+0x280/0x9e0 mm/mmap.c:1300 __mmput+0xcb/0x3e0 kernel/fork.c:1178 exit_mm+0x18e/0x250 kernel/exit.c:581 do_exit+0x6a2/0x22c0 kernel/exit.c:963 do_group_exit+0x21b/0x2d0 kernel/exit.c:1117 get_signal+0x1284/0x1330 kernel/signal.c:3037 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline] do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe5ba8dc4ab Code: Unable to access opcode bytes at 0x7fe5ba8dc481. RSP: 002b:00007fe5b8af1f50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007fe5ba8dc4ab RDX: 0000000000000000 RSI: 000000000000550c RDI: 0000000000000003 RBP: 00007fe5ba972c91 R08: 0000000000000000 R09: 0000000000000040 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fe5bab56180 R15: 00007ffd1d873ef8 ---------------- Code disassembly (best guess): 0: c7 c6 40 6f ca 8b mov $0x8bca6f40,%esi 6: eb 1c jmp 0x24 8: 66 66 66 2e 0f 1f 84 data16 data16 cs nopw 0x0(%rax,%rax,1) f: 00 00 00 00 00 14: 90 nop 15: 90 nop 16: 90 nop 17: 90 nop 18: 90 nop 19: 90 nop 1a: 90 nop 1b: 90 nop 1c: 90 nop 1d: 90 nop 1e: 90 nop 1f: 90 nop 20: 90 nop 21: 90 nop 22: 90 nop 23: 90 nop 24: 55 push %rbp 25: 41 57 push %r15 27: 41 56 push %r14 29: 53 push %rbx * 2a: 65 8b 05 a7 4f 79 07 mov %gs:0x7794fa7(%rip),%eax # 0x7794fd8 <-- trapping instruction 31: 65 8b 0d 9c 4f 79 07 mov %gs:0x7794f9c(%rip),%ecx # 0x7794fd4 38: f7 c1 ff ff ff 7f test $0x7fffffff,%ecx 3e: 74 0c je 0x4c