=============================
WARNING: suspicious RCU usage
5.15.189-syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
9 locks held by kworker/0:6/4275:
 #0: ffff888016872138 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x760/0x1000 kernel/workqueue.c:-1
 #1: ffffc9000307fd00 ((work_completion)(&(&ssp->work)->work)){+.+.}-{0:0}, at: process_one_work+0x7a3/0x1000 kernel/workqueue.c:2285
 #2: ffffffff96128740 (&ssp->srcu_gp_mutex){+.+.}-{3:3}, at: srcu_advance_state kernel/rcu/srcutree.c:1177 [inline]
 #2: ffffffff96128740 (&ssp->srcu_gp_mutex){+.+.}-{3:3}, at: process_srcu+0x2f/0xc10 kernel/rcu/srcutree.c:1325
 #3: ffffc90000007be0 ((&d->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:45 [inline]
 #3: ffffc90000007be0 ((&d->timer)){+.-.}-{0:0}, at: call_timer_fn+0xbb/0x530 kernel/time/timer.c:1441
 #4: ffffffff8c11c360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
 #5: ffffffff8c11c3c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:312
 #6: ffff88807b175108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
 #6: ffff88807b175108 (&sch->q.lock){+.-.}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3911 [inline]
 #6: ffff88807b175108 (&sch->q.lock){+.-.}-{2:2}, at: __dev_queue_xmit+0xb8a/0x2ed0 net/core/dev.c:4253
 #7: ffff88807b175148 (dev->qdisc_running_key ?: &qdisc_running_key){+...}-{0:0}, at: tipc_l2_send_msg+0x30a/0x3c0 net/tipc/bearer.c:518
 #8: ffffffff8c11c360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311

stack backtrace:
CPU: 0 PID: 4275 Comm: kworker/0:6 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: rcu_gp process_srcu
Call Trace:
 <IRQ>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 qdisc_lookup+0xa6/0x650 net/sched/sch_api.c:304
 qdisc_tree_reduce_backlog+0x190/0x430 net/sched/sch_api.c:793
 cake_drop net/sched/sch_cake.c:1611 [inline]
 cake_enqueue+0x3769/0x7ee0 net/sched/sch_cake.c:1945
 qdisc_enqueue include/net/sch_generic.h:832 [inline]
 netem_dequeue+0xd39/0x1400 net/sched/sch_netem.c:737
 dequeue_skb net/sched/sch_generic.c:292 [inline]
 qdisc_restart net/sched/sch_generic.c:397 [inline]
 __qdisc_run+0x237/0x1480 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3942 [inline]
 __dev_queue_xmit+0xeb9/0x2ed0 net/core/dev.c:4253
 tipc_l2_send_msg+0x30a/0x3c0 net/tipc/bearer.c:518
 tipc_bearer_xmit_skb+0x292/0x3c0 net/tipc/bearer.c:577
 tipc_disc_timeout+0x568/0x6b0 net/tipc/discover.c:338
 call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x525/0x7c0 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:preempt_count_add+0x2/0x190 kernel/sched/core.c:5480
Code: e1 07 80 c1 03 38 c1 7c 97 48 8b 3c 24 e8 d6 b8 6a 00 eb 8c e9 f5 fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 <41> 56 53 49 bf 00 00 00 00 00 fc ff df 48 c7 c0 60 df 0b 96 48 c1
RSP: 0018:ffffc9000307fab0 EFLAGS: 00000286
RAX: 0000000080000000 RBX: 0000000000002afa RCX: 0000000000000000
RDX: 0000000000000027 RSI: ffffffff8a599320 RDI: 0000000000000001
RBP: 0000000000000000 R08: dffffc0000000000 R09: fffff5200060ff25
R10: fffff5200060ff25 R11: 1ffff9200060ff24 R12: dffffc0000000000
R13: ffffffff96128780 R14: 000000270f0d9cd8 R15: 000000000000211c
 delay_tsc+0x61/0xc0 arch/x86/lib/delay.c:79
 try_check_zero+0x2c7/0x340 kernel/rcu/srcutree.c:702
 srcu_advance_state kernel/rcu/srcutree.c:1227 [inline]
 process_srcu+0x195/0xc10 kernel/rcu/srcutree.c:1325
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
----------------
Code disassembly (best guess):
   0:	e1 07                	loope  0x9
   2:	80 c1 03             	add    $0x3,%cl
   5:	38 c1                	cmp    %al,%cl
   7:	7c 97                	jl     0xffffffa0
   9:	48 8b 3c 24          	mov    (%rsp),%rdi
   d:	e8 d6 b8 6a 00       	call   0x6ab8e8
  12:	eb 8c                	jmp    0xffffffa0
  14:	e9 f5 fe ff ff       	jmp    0xffffff0e
  19:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  20:	00 00 00
  23:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  28:	41 57                	push   %r15
* 2a:	41 56                	push   %r14 <-- trapping instruction
  2c:	53                   	push   %rbx
  2d:	49 bf 00 00 00 00 00 	movabs $0xdffffc0000000000,%r15
  34:	fc ff df
  37:	48 c7 c0 60 df 0b 96 	mov    $0xffffffff960bdf60,%rax
  3e:	48                   	rex.W
  3f:	c1                   	.byte 0xc1