============================================
WARNING: possible recursive locking detected
syzkaller #0 Tainted: G             L     
--------------------------------------------
syz.5.2262/14448 is trying to acquire lock:
ffff8880586af558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline]
ffff8880586af558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: __netif_tx_lock include/linux/netdevice.h:4781 [inline]
ffff8880586af558 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: sch_direct_xmit+0x3b5/0xc60 net/sched/sch_generic.c:370

but task is already holding lock:
ffff888037d0b158 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline]
ffff888037d0b158 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: __netif_tx_lock include/linux/netdevice.h:4781 [inline]
ffff888037d0b158 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: sch_direct_xmit+0x3b5/0xc60 net/sched/sch_generic.c:370

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&qdisc_xmit_lock_key#3);
  lock(&qdisc_xmit_lock_key#3);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

13 locks held by syz.5.2262/14448:
 #0: ffff88804217c410 (sb_writers#6){.+.+}-{0:0}, at: get_signal+0x1f2a/0x21e0 kernel/signal.c:3022
 #1: ffff88805dcbd6f0 (&sb->s_type->i_mutex_key#15){++++}-{4:4}, at: inode_lock include/linux/fs.h:1029 [inline]
 #1: ffff88805dcbd6f0 (&sb->s_type->i_mutex_key#15){++++}-{4:4}, at: shmem_file_write_iter+0x86/0x140 mm/shmem.c:3468
 #2: ffffc90000648c98 ((&ndev->rs_timer)){+.-.}-{0:0}, at: call_timer_fn+0x11f/0x640 kernel/time/timer.c:1745
 #3: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #3: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #3: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: ndisc_send_skb+0x1ab/0x1bf0 net/ipv6/ndisc.c:482
 #4: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #4: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #4: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: ip6_output+0x135/0xa60 net/ipv6/ip6_output.c:234
 #5: ffffffff8e7e5480 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #5: ffffffff8e7e5480 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:891 [inline]
 #5: ffffffff8e7e5480 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x296/0x4950 net/core/dev.c:4791
 #6: ffff88802750d228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: spin_trylock include/linux/spinlock.h:354 [inline]
 #6: ffff88802750d228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: qdisc_run_begin include/net/sch_generic.h:205 [inline]
 #6: ffff88802750d228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: __dev_xmit_skb net/core/dev.c:4196 [inline]
 #6: ffff88802750d228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: __dev_queue_xmit+0x24ef/0x4950 net/core/dev.c:4831
 #7: ffff888037d0b158 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline]
 #7: ffff888037d0b158 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: __netif_tx_lock include/linux/netdevice.h:4781 [inline]
 #7: ffff888037d0b158 (&qdisc_xmit_lock_key#3){+.-.}-{3:3}, at: sch_direct_xmit+0x3b5/0xc60 net/sched/sch_generic.c:370
 #8: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #8: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #8: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: ip_output+0xb3/0xc10 net/ipv4/ip_output.c:433
 #9: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #9: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #9: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: ip_finish_output2+0x356/0x2400 net/ipv4/ip_output.c:230
 #10: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #10: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #10: ffffffff8e7e54e0 (rcu_read_lock){....}-{1:3}, at: arp_xmit+0x26/0x2e0 net/ipv4/arp.c:663
 #11: ffffffff8e7e5480 (rcu_read_lock_bh){....}-{1:3}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #11: ffffffff8e7e5480 (rcu_read_lock_bh){....}-{1:3}, at: rcu_read_lock_bh include/linux/rcupdate.h:891 [inline]
 #11: ffffffff8e7e5480 (rcu_read_lock_bh){....}-{1:3}, at: __dev_queue_xmit+0x296/0x4950 net/core/dev.c:4791
 #12: ffff88805e186228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: spin_trylock include/linux/spinlock.h:354 [inline]
 #12: ffff88805e186228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: qdisc_run_begin include/net/sch_generic.h:205 [inline]
 #12: ffff88805e186228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: __dev_xmit_skb net/core/dev.c:4196 [inline]
 #12: ffff88805e186228 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#5){+...}-{3:3}, at: __dev_queue_xmit+0x24ef/0x4950 net/core/dev.c:4831

stack backtrace:
CPU: 2 UID: 0 PID: 14448 Comm: syz.5.2262 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_deadlock_bug.cold+0xbd/0xca kernel/locking/lockdep.c:3041
 check_deadlock kernel/locking/lockdep.c:3093 [inline]
 validate_chain kernel/locking/lockdep.c:3895 [inline]
 __lock_acquire+0x12bb/0x2630 kernel/locking/lockdep.c:5237
 lock_acquire kernel/locking/lockdep.c:5868 [inline]
 lock_acquire+0x1b1/0x370 kernel/locking/lockdep.c:5825
 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:158
 spin_lock include/linux/spinlock.h:342 [inline]
 __netif_tx_lock include/linux/netdevice.h:4781 [inline]
 sch_direct_xmit+0x3b5/0xc60 net/sched/sch_generic.c:370
 __dev_xmit_skb net/core/dev.c:4209 [inline]
 __dev_queue_xmit+0x2794/0x4950 net/core/dev.c:4831
 dev_queue_xmit include/linux/netdevice.h:3418 [inline]
 arp_xmit_finish net/ipv4/arp.c:655 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 NF_HOOK include/linux/netfilter.h:312 [inline]
 arp_xmit+0x106/0x2e0 net/ipv4/arp.c:665
 arp_send_dst net/ipv4/arp.c:320 [inline]
 arp_send_dst+0x200/0x280 net/ipv4/arp.c:301
 arp_solicit+0x672/0x1070 net/ipv4/arp.c:392
 neigh_probe+0xce/0x110 net/core/neighbour.c:1096
 __neigh_event_send+0xacf/0x13f0 net/core/neighbour.c:1276
 neigh_event_send_probe include/net/neighbour.h:480 [inline]
 neigh_event_send include/net/neighbour.h:486 [inline]
 neigh_event_send include/net/neighbour.h:484 [inline]
 neigh_resolve_output+0x550/0x8f0 net/core/neighbour.c:1603
 neigh_output include/net/neighbour.h:556 [inline]
 ip_finish_output2+0x851/0x2400 net/ipv4/ip_output.c:237
 __ip_finish_output.part.0+0x444/0x6f0 net/ipv4/ip_output.c:315
 __ip_finish_output net/ipv4/ip_output.c:303 [inline]
 ip_finish_output net/ipv4/ip_output.c:325 [inline]
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip_output+0x39b/0xc10 net/ipv4/ip_output.c:438
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x193/0x1f0 net/ipv4/ip_output.c:131
 iptunnel_xmit+0x722/0xd20 net/ipv4/ip_tunnel_core.c:97
 ip_tunnel_xmit+0x1b85/0x3200 net/ipv4/ip_tunnel.c:845
 __gre_xmit+0x820/0xb20 net/ipv4/ip_gre.c:491
 erspan_xmit+0x55a/0x1ec0 net/ipv4/ip_gre.c:750
 __netdev_start_xmit include/linux/netdevice.h:5368 [inline]
 netdev_start_xmit include/linux/netdevice.h:5377 [inline]
 xmit_one net/core/dev.c:3888 [inline]
 dev_hard_start_xmit+0x128/0x7a0 net/core/dev.c:3904
 sch_direct_xmit+0x1b2/0xc60 net/sched/sch_generic.c:372
 __dev_xmit_skb net/core/dev.c:4209 [inline]
 __dev_queue_xmit+0x2794/0x4950 net/core/dev.c:4831
 dev_queue_xmit include/linux/netdevice.h:3418 [inline]
 neigh_resolve_output net/core/neighbour.c:1619 [inline]
 neigh_resolve_output+0x51f/0x8f0 net/core/neighbour.c:1599
 neigh_output include/net/neighbour.h:556 [inline]
 ip6_finish_output2+0xb0f/0x1ce0 net/ipv6/ip6_output.c:136
 __ip6_finish_output+0x357/0xdf0 net/ipv6/ip6_output.c:208
 ip6_finish_output net/ipv6/ip6_output.c:219 [inline]
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x2aa/0xa60 net/ipv6/ip6_output.c:246
 dst_output include/net/dst.h:470 [inline]
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ndisc_send_skb+0xa85/0x1bf0 net/ipv6/ndisc.c:512
 ndisc_send_rs+0x129/0x680 net/ipv6/ndisc.c:723
 addrconf_rs_timer+0x424/0x880 net/ipv6/addrconf.c:4049
 call_timer_fn+0x19a/0x640 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers+0x75f/0xaf0 kernel/time/timer.c:2374
 __run_timer_base kernel/time/timer.c:2386 [inline]
 __run_timer_base kernel/time/timer.c:2378 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2395
 run_timer_softirq+0x1a/0x50 kernel/time/timer.c:2405
 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x162/0x210 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1061
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_release+0x19e/0x310 kernel/locking/lockdep.c:5893
Code: ff 65 0f c1 05 9b 3e 26 12 83 f8 01 0f 85 28 01 00 00 9c 58 f6 c4 02 0f 85 13 01 00 00 41 f7 c6 00 02 00 00 0f 85 c0 00 00 00 <48> 8b 44 24 10 65 48 2b 05 ed f6 25 12 0f 85 4e 01 00 00 48 83 c4
RSP: 0018:ffffc900056f66e8 EFLAGS: 00000206
RAX: 0000000000000046 RBX: ffff88806a641158 RCX: ffffc900056f66f4
RDX: 0000000000000002 RSI: ffffffff8def932e RDI: ffffffff8c1c3480
RBP: ffffffff82685a98 R08: 0000000000000001 R09: fffff94000096826
R10: ffffea00004b4137 R11: ffff88807ffd7900 R12: ffff88803f938000
R13: ffffea00004b4100 R14: 0000000000000206 R15: 0000000000000003
 __raw_spin_unlock include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock+0x16/0x50 kernel/locking/spinlock.c:190
 spin_unlock include/linux/spinlock.h:390 [inline]
 rmqueue_pcplist mm/page_alloc.c:3373 [inline]
 rmqueue mm/page_alloc.c:3402 [inline]
 get_page_from_freelist+0x458/0x33b0 mm/page_alloc.c:3943
 __alloc_frozen_pages_noprof+0x27c/0x2bc0 mm/page_alloc.c:5226
 alloc_pages_mpol+0x1fb/0x540 mm/mempolicy.c:2490
 folio_alloc_mpol_noprof+0x36/0x260 mm/mempolicy.c:2509
 shmem_alloc_folio+0x135/0x160 mm/shmem.c:1933
 shmem_alloc_and_add_folio+0x371/0xd40 mm/shmem.c:1975
 shmem_get_folio_gfp+0x6ab/0x1900 mm/shmem.c:2564
 shmem_get_folio mm/shmem.c:2670 [inline]
 shmem_write_begin+0x1a4/0x420 mm/shmem.c:3303
 generic_perform_write+0x292/0xa40 mm/filemap.c:4325
 shmem_file_write_iter+0x10e/0x140 mm/shmem.c:3478
 __kernel_write_iter+0x2ac/0x920 fs/read_write.c:621
 dump_emit_page fs/coredump.c:1304 [inline]
 dump_user_range+0x3f9/0xad0 fs/coredump.c:1378
 elf_core_dump+0x2d5f/0x3d10 fs/binfmt_elf.c:2109
 coredump_write fs/coredump.c:1053 [inline]
 do_coredump fs/coredump.c:1132 [inline]
 vfs_coredump+0x29a0/0x5770 fs/coredump.c:1206
 get_signal+0x1f2a/0x21e0 kernel/signal.c:3022
 arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:98 [inline]
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:252 [inline]
 irqentry_exit_to_user_mode include/linux/irq-entry-common.h:323 [inline]
 irqentry_exit+0x403/0x790 kernel/entry/common.c:162
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7fc7caf9cdd9
Code: Unable to access opcode bytes at 0x7fc7caf9cdaf.
RSP: 002b:00007fc7cbe32fd8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: 00007fc7cb215fa0 RCX: 00007fc7caf9cdd9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020002000
RBP: 00007fc7cb032d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00007fc7cb216038 R14: 00007fc7cb215fa0 R15: 00007ffc815152b8
 </TASK>
----------------
Code disassembly (best guess):
   0:	ff 65 0f             	jmp    *0xf(%rbp)
   3:	c1 05 9b 3e 26 12 83 	roll   $0x83,0x12263e9b(%rip)        # 0x12263ea5
   a:	f8                   	clc
   b:	01 0f                	add    %ecx,(%rdi)
   d:	85 28                	test   %ebp,(%rax)
   f:	01 00                	add    %eax,(%rax)
  11:	00 9c 58 f6 c4 02 0f 	add    %bl,0xf02c4f6(%rax,%rbx,2)
  18:	85 13                	test   %edx,(%rbx)
  1a:	01 00                	add    %eax,(%rax)
  1c:	00 41 f7             	add    %al,-0x9(%rcx)
  1f:	c6 00 02             	movb   $0x2,(%rax)
  22:	00 00                	add    %al,(%rax)
  24:	0f 85 c0 00 00 00    	jne    0xea
* 2a:	48 8b 44 24 10       	mov    0x10(%rsp),%rax <-- trapping instruction
  2f:	65 48 2b 05 ed f6 25 	sub    %gs:0x1225f6ed(%rip),%rax        # 0x1225f724
  36:	12
  37:	0f 85 4e 01 00 00    	jne    0x18b
  3d:	48                   	rex.W
  3e:	83                   	.byte 0x83
  3f:	c4                   	.byte 0xc4