============================================
WARNING: possible recursive locking detected
6.8.0-rc2-syzkaller-00397-g56897d51886f #0 Not tainted
--------------------------------------------
syz-executor.3/5100 is trying to acquire lock:
ffff88801f3d44d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88801f3d44d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
ffff88801f3d44d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __dev_queue_xmit+0x1ab7/0x3ee0 net/core/dev.c:4347

but task is already holding lock:
ffff888022889cd8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff888022889cd8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
ffff888022889cd8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x337/0xc20 net/sched/sch_generic.c:340

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(_xmit_ETHER#2);
  lock(_xmit_ETHER#2);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

10 locks held by syz-executor.3/5100:
 #0: ffffffff8d8b5e50 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:635 [inline]
 #0: ffffffff8d8b5e50 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1685 [inline]
 #0: ffffffff8d8b5e50 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm kernel/fork.c:1734 [inline]
 #0: ffffffff8d8b5e50 (dup_mmap_sem){.+.+}-{0:0}, at: copy_process+0x42c3/0x97b0 kernel/fork.c:2497
 #1: ffff8880740673a0 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:124 [inline]
 #1: ffff8880740673a0 (&mm->mmap_lock){++++}-{3:3}, at: dup_mmap kernel/fork.c:636 [inline]
 #1: ffff8880740673a0 (&mm->mmap_lock){++++}-{3:3}, at: dup_mm kernel/fork.c:1685 [inline]
 #1: ffff8880740673a0 (&mm->mmap_lock){++++}-{3:3}, at: copy_mm kernel/fork.c:1734 [inline]
 #1: ffff8880740673a0 (&mm->mmap_lock){++++}-{3:3}, at: copy_process+0x42e9/0x97b0 kernel/fork.c:2497
 #2: ffff8880749c1e20 (&mm->mmap_lock/1){+.+.}-{3:3}, at: mmap_write_lock_nested include/linux/mmap_lock.h:115 [inline]
 #2: ffff8880749c1e20 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mmap kernel/fork.c:645 [inline]
 #2: ffff8880749c1e20 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mm kernel/fork.c:1685 [inline]
 #2: ffff8880749c1e20 (&mm->mmap_lock/1){+.+.}-{3:3}, at: copy_mm kernel/fork.c:1734 [inline]
 #2: ffff8880749c1e20 (&mm->mmap_lock/1){+.+.}-{3:3}, at: copy_process+0x4349/0x97b0 kernel/fork.c:2497
 #3: ffffc900001f0ce0 ((&in_dev->mr_ifc_timer)){+.-.}-{0:0}, at: call_timer_fn+0x118/0x5a0 kernel/time/timer.c:1697
 #4: ffffffff8d7b0ba0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #4: ffffffff8d7b0ba0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #4: ffffffff8d7b0ba0 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x364/0x2550 net/ipv4/ip_output.c:228
 #5: ffffffff8d7b0b40 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #5: ffffffff8d7b0b40 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
 #5: ffffffff8d7b0b40 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x244/0x3ee0 net/core/dev.c:4276
 #6: ffff88807ba78258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
 #6: ffff88807ba78258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
 #6: ffff88807ba78258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:192 [inline]
 #6: ffff88807ba78258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3763 [inline]
 #6: ffff88807ba78258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1090/0x3ee0 net/core/dev.c:4317
 #7: ffff888022889cd8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #7: ffff888022889cd8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
 #7: ffff888022889cd8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x337/0xc20 net/sched/sch_generic.c:340
 #8: ffffffff8d7b0ba0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #8: ffffffff8d7b0ba0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #8: ffffffff8d7b0ba0 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x364/0x2550 net/ipv4/ip_output.c:228
 #9: ffffffff8d7b0b40 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
 #9: ffffffff8d7b0b40 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
 #9: ffffffff8d7b0b40 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x244/0x3ee0 net/core/dev.c:4276

stack backtrace:
CPU: 1 PID: 5100 Comm: syz-executor.3 Not tainted 6.8.0-rc2-syzkaller-00397-g56897d51886f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 check_deadlock kernel/locking/lockdep.c:3062 [inline]
 validate_chain kernel/locking/lockdep.c:3856 [inline]
 __lock_acquire+0x2111/0x3b40 kernel/locking/lockdep.c:5137
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 __netif_tx_lock include/linux/netdevice.h:4452 [inline]
 __dev_queue_xmit+0x1ab7/0x3ee0 net/core/dev.c:4347
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip_finish_output2+0x169f/0x2550 net/ipv4/ip_output.c:235
 __ip_finish_output net/ipv4/ip_output.c:313 [inline]
 __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:129
 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1dbc/0x33d0 net/ipv4/ip_tunnel.c:831
 erspan_xmit+0x523/0x1bf0 net/ipv4/ip_gre.c:720
 __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
 netdev_start_xmit include/linux/netdevice.h:5003 [inline]
 xmit_one net/core/dev.c:3547 [inline]
 dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3563
 sch_direct_xmit+0x1ac/0xc20 net/sched/sch_generic.c:342
 __dev_xmit_skb net/core/dev.c:3776 [inline]
 __dev_queue_xmit+0x12b4/0x3ee0 net/core/dev.c:4317
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 neigh_resolve_output net/core/neighbour.c:1563 [inline]
 neigh_resolve_output+0x587/0x900 net/core/neighbour.c:1543
 neigh_output include/net/neighbour.h:542 [inline]
 ip_finish_output2+0x830/0x2550 net/ipv4/ip_output.c:235
 __ip_finish_output net/ipv4/ip_output.c:313 [inline]
 __ip_finish_output+0x49e/0x950 net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0x33e/0x4a0 net/ipv4/ip_output.c:129
 igmpv3_send_cr net/ipv4/igmp.c:723 [inline]
 igmp_ifc_timer_expire+0x781/0x1050 net/ipv4/igmp.c:813
 call_timer_fn+0x196/0x5a0 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x75d/0xaa0 kernel/time/timer.c:2038
 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2051
 __do_softirq+0x21f/0x8e7 kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:ma_slots lib/maple_tree.c:760 [inline]
RIP: 0010:mas_dup_alloc lib/maple_tree.c:6599 [inline]
RIP: 0010:mas_dup_build.constprop.0+0xab0/0x1640 lib/maple_tree.c:6665
Code: c8 5b 8c c6 05 72 0d d6 04 01 e8 bb 72 b9 f6 e9 82 fe ff ff e8 c1 a2 da f6 49 8d 7e 18 be ff ff ff ff e9 6b ff ff ff 83 fd 03 <0f> 85 1e 04 00 00 e8 a5 a2 da f6 49 8d 45 50 48 8d bb f0 00 00 00
RSP: 0018:ffffc900046a78c8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff8880297a9e00 RCX: ffffffff8ab1c3d8
RDX: ffff888029f08000 RSI: 0000000000000003 RDI: 0000000000000005
RBP: 0000000000000003 R08: 0000000000000005 R09: 0000000000000003
R10: 0000000000000003 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff88802404c600 R14: 0000000000000002 R15: ffffc900046a7980
 __mt_dup+0xde/0x1e0 lib/maple_tree.c:6729
 dup_mmap kernel/fork.c:661 [inline]
 dup_mm kernel/fork.c:1685 [inline]
 copy_mm kernel/fork.c:1734 [inline]
 copy_process+0x473a/0x97b0 kernel/fork.c:2497
 kernel_clone+0xfd/0x930 kernel/fork.c:2902
 __do_sys_clone+0xba/0x100 kernel/fork.c:3045
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd8/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7effff07add3
Code: 1f 84 00 00 00 00 00 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007fff1a2f2708 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007effff07add3
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000555556209750 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
----------------
Code disassembly (best guess), 3 bytes skipped:
   0: c6 05 72 0d d6 04 01 movb $0x1,0x4d60d72(%rip) # 0x4d60d79
   7: e8 bb 72 b9 f6 call 0xf6b972c7
   c: e9 82 fe ff ff jmp 0xfffffe93
  11: e8 c1 a2 da f6 call 0xf6daa2d7
  16: 49 8d 7e 18 lea 0x18(%r14),%rdi
  1a: be ff ff ff ff mov $0xffffffff,%esi
  1f: e9 6b ff ff ff jmp 0xffffff8f
  24: 83 fd 03 cmp $0x3,%ebp
* 27: 0f 85 1e 04 00 00 jne 0x44b <-- trapping instruction
  2d: e8 a5 a2 da f6 call 0xf6daa2d7
  32: 49 8d 45 50 lea 0x50(%r13),%rax
  36: 48 8d bb f0 00 00 00 lea 0xf0(%rbx),%rdi