------------[ cut here ]------------
WARNING: CPU: 2 PID: 59 at drivers/block/floppy.c:1000 schedule_bh+0x5f/0x70 drivers/block/floppy.c:1000
Modules linked in:
CPU: 2 PID: 59 Comm: kworker/u17:2 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:schedule_bh+0x5f/0x70 drivers/block/floppy.c:1000
Code: e7 36 05 fd 48 89 2d 30 b2 e7 0b 5b 48 c7 c2 e0 0a 4a 8c 48 8b 35 01 b7 e7 0b bf 08 00 00 00 5d e9 b6 ba d9 fc e8 c1 36 05 fd <0f> 0b eb d1 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 e8 ab 36 05 fd
RSP: 0018:ffffc90000780dd0 EFLAGS: 00010046
RAX: 0000000080010001 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff8880146120c0 RSI: ffffffff8471c92f RDI: 0000000000000003
RBP: ffffffff8471ee40 R08: 0000000000000000 R09: ffffffff8c4a0ae7
R10: ffffffff8471c8ff R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff8471ee40 R14: 0000000000000000 R15: ffff888010de5000
FS:  0000000000000000(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f034545be08 CR3: 000000000b68e000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 floppy_interrupt+0x228/0x340 drivers/block/floppy.c:1766
 floppy_hardint+0x1a7/0x200 arch/x86/include/asm/floppy.h:66
 __handle_irq_event_percpu+0x303/0x8f0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:198 [inline]
 handle_irq_event+0x102/0x280 kernel/irq/handle.c:215
 handle_edge_irq+0x25f/0xd00 kernel/irq/chip.c:822
 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
 handle_irq arch/x86/kernel/irq.c:231 [inline]
 __common_interrupt+0x9d/0x210 arch/x86/kernel/irq.c:250
 common_interrupt+0xa4/0xc0 arch/x86/kernel/irq.c:240
 </IRQ>
 <TASK>
 asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629
RIP: 0010:kvm_smp_send_call_func_ipi+0x106/0x170 arch/x86/kernel/kvm.c:574
Code: fc ff df 48 89 da 48 c1 ea 03 0f b6 14 02 48 89 d8 83 e0 07 83 c0 01 38 d0 7c 04 84 d2 75 4b 0f b7 1b b8 0b 00 00 00 0f 01 c1 <48> 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 64 b1 70 8d
RSP: 0018:ffffc900009b79b8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff83f4b579 RDI: ffffffff8b3528a8
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffffff8d70af73
R10: ffffffff83f4b554 R11: 0000000000000000 R12: ffff88802cc3ac10
R13: fffffbfff1ae162c R14: dffffc0000000000 R15: ffffffff8b7f7c38
 arch_send_call_function_ipi_mask arch/x86/include/asm/smp.h:124 [inline]
 smp_call_function_many_cond+0x98c/0xc20 kernel/smp.c:951
 on_each_cpu_cond_mask+0x56/0xa0 kernel/smp.c:1135
 on_each_cpu include/linux/smp.h:71 [inline]
 text_poke_sync arch/x86/kernel/alternative.c:1112 [inline]
 text_poke_bp_batch+0x47d/0x560 arch/x86/kernel/alternative.c:1366
 text_poke_flush arch/x86/kernel/alternative.c:1451 [inline]
 text_poke_flush arch/x86/kernel/alternative.c:1448 [inline]
 text_poke_finish+0x16/0x30 arch/x86/kernel/alternative.c:1458
 arch_jump_label_transform_apply+0x13/0x20 arch/x86/kernel/jump_label.c:146
 jump_label_update+0x1d5/0x430 kernel/jump_label.c:830
 static_key_enable_cpuslocked+0x1b1/0x260 kernel/jump_label.c:177
 static_key_enable+0x16/0x20 kernel/jump_label.c:190
 toggle_allocation_gate mm/kfence/core.c:732 [inline]
 toggle_allocation_gate+0x100/0x390 mm/kfence/core.c:724
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	48 89 da             	mov    %rbx,%rdx
   3:	48 c1 ea 03          	shr    $0x3,%rdx
   7:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx
   b:	48 89 d8             	mov    %rbx,%rax
   e:	83 e0 07             	and    $0x7,%eax
  11:	83 c0 01             	add    $0x1,%eax
  14:	38 d0                	cmp    %dl,%al
  16:	7c 04                	jl     0x1c
  18:	84 d2                	test   %dl,%dl
  1a:	75 4b                	jne    0x67
  1c:	0f b7 1b             	movzwl (%rbx),%ebx
  1f:	b8 0b 00 00 00       	mov    $0xb,%eax
  24:	0f 01 c1             	vmcall
* 27:	48 83 c4 08          	add    $0x8,%rsp <-- trapping instruction
  2b:	5b                   	pop    %rbx
  2c:	5d                   	pop    %rbp
  2d:	41 5c                	pop    %r12
  2f:	41 5d                	pop    %r13
  31:	41 5e                	pop    %r14
  33:	41 5f                	pop    %r15
  35:	c3                   	retq
  36:	48 c7 c7 64 b1 70 8d 	mov    $0xffffffff8d70b164,%rdi