sch_tbf: burst 19872 is lower than device lo mtu (65550) ! ============================= WARNING: suspicious RCU usage syzkaller #0 Not tainted ----------------------------- net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 13 locks held by syz.3.693/6881: #0: ffff888074f850e0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1744 [inline] #0: ffff888074f850e0 (sk_lock-AF_INET6){+.+.}-{0:0}, at: rawv6_sendmsg+0x11d9/0x1700 net/ipv6/raw.c:953 #1: ffffffff8c31eb20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313 #2: ffffffff8c31eb20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313 #3: ffffffff8c31eb80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313 #4: ffffffff8c31eb80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313 #5: ffff888062c82898 (_xmit_TUNNEL6#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:364 [inline] #5: ffff888062c82898 (_xmit_TUNNEL6#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4446 [inline] #5: ffff888062c82898 (_xmit_TUNNEL6#2){+.-.}-{2:2}, at: __dev_queue_xmit+0x14b5/0x2f80 net/core/dev.c:4299 #6: ffff888074f800a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: spin_trylock include/linux/spinlock.h:374 [inline] #6: ffff888074f800a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: icmpv6_xmit_lock net/ipv6/icmp.c:118 [inline] #6: ffff888074f800a0 (k-slock-AF_INET6){+.-.}-{2:2}, at: icmp6_send+0xbe3/0x1990 net/ipv6/icmp.c:551 #7: ffffffff8c31eb20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:312 #8: ffffffff8c31eb20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313 #9: ffffffff8c31eb80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313 #10: ffffffff8c31eb80 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313 #11: ffff888022ab9108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:364 [inline] #11: ffff888022ab9108 (&sch->q.lock){+.-.}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3924 [inline] #11: ffff888022ab9108 (&sch->q.lock){+.-.}-{2:2}, at: __dev_queue_xmit+0xa2a/0x2f80 net/core/dev.c:4266 #12: ffffffff8c31eb20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:312 stack backtrace: CPU: 1 PID: 6881 Comm: syz.3.693 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026 Call Trace: dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106 qdisc_lookup+0xa6/0x650 net/sched/sch_api.c:304 qdisc_tree_reduce_backlog+0x190/0x430 net/sched/sch_api.c:783 sfq_enqueue+0x14ad/0x2280 net/sched/sch_sfq.c:-1 qdisc_enqueue include/net/sch_generic.h:842 [inline] tbf_enqueue+0x224/0x6e0 net/sched/sch_tbf.c:243 dev_qdisc_enqueue+0x48/0x210 net/core/dev.c:3865 __dev_xmit_skb net/core/dev.c:3949 [inline] __dev_queue_xmit+0xc25/0x2f80 net/core/dev.c:4266 neigh_hh_output include/net/neighbour.h:493 [inline] neigh_output include/net/neighbour.h:507 [inline] ip6_finish_output2+0x1051/0x1510 net/ipv6/ip6_output.c:130 ip6_send_skb+0x1b9/0x360 net/ipv6/ip6_output.c:1952 icmp6_send+0x133e/0x1990 net/ipv6/icmp.c:630 __icmpv6_send include/linux/icmpv6.h:28 [inline] icmpv6_send include/linux/icmpv6.h:49 [inline] ip6_link_failure+0x35/0x490 net/ipv6/route.c:2789 dst_link_failure include/net/dst.h:422 [inline] vti6_xmit net/ipv6/ip6_vti.c:548 [inline] vti6_tnl_xmit+0x10fb/0x1990 net/ipv6/ip6_vti.c:587 __netdev_start_xmit include/linux/netdevice.h:5036 [inline] netdev_start_xmit include/linux/netdevice.h:5050 [inline] xmit_one net/core/dev.c:3662 [inline] dev_hard_start_xmit+0x2a5/0x7e0 net/core/dev.c:3678 __dev_queue_xmit+0x1a9b/0x2f80 net/core/dev.c:4305 neigh_output include/net/neighbour.h:509 [inline] ip6_finish_output2+0x108c/0x1510 net/ipv6/ip6_output.c:130 ip6_fragment+0x1914/0x1ee0 net/ipv6/ip6_output.c:937 ip6_send_skb+0x1b9/0x360 net/ipv6/ip6_output.c:1952 rawv6_push_pending_frames+0x655/0x810 net/ipv6/raw.c:617 rawv6_sendmsg+0x1291/0x1700 net/ipv6/raw.c:961 sock_sendmsg_nosec net/socket.c:706 [inline] __sock_sendmsg net/socket.c:718 [inline] sock_write_iter+0x2a6/0x3a0 net/socket.c:1089 call_write_iter include/linux/fs.h:2173 [inline] new_sync_write fs/read_write.c:507 [inline] vfs_write+0x745/0xd60 fs/read_write.c:594 ksys_write+0x152/0x260 fs/read_write.c:647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x66/0xd0 RIP: 0033:0x7fb97e726dd9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb97c980028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fb97e99ffa0 RCX: 00007fb97e726dd9 RDX: 000000000000fe46 RSI: 0000200000000040 RDI: 0000000000000007 RBP: 00007fb97e7bcd69 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fb97e9a0038 R14: 00007fb97e99ffa0 R15: 00007ffecced2188