=============================
WARNING: suspicious RCU usage
syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
5 locks held by udevd/3561:
#0: ffffc90000dd0be0 ((&d->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:45 [inline]
#0: ffffc90000dd0be0 ((&d->timer)){+.-.}-{0:0}, at: call_timer_fn+0xbb/0x530 kernel/time/timer.c:1441
#1: ffffffff8c11c660 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
#2: ffffffff8c11c6c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:312
#3: ffff88807e39b908 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
#3: ffff88807e39b908 (&sch->q.lock){+.-.}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3911 [inline]
#3: ffff88807e39b908 (&sch->q.lock){+.-.}-{2:2}, at: __dev_queue_xmit+0xb8a/0x2ed0 net/core/dev.c:4253
#4: ffffffff8c11c660 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
stack backtrace:
CPU: 1 PID: 3561 Comm: udevd Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
qdisc_lookup+0xa6/0x650 net/sched/sch_api.c:304
qdisc_tree_reduce_backlog+0x190/0x430 net/sched/sch_api.c:793
cake_drop net/sched/sch_cake.c:1611 [inline]
cake_enqueue+0x3889/0x7bb0 net/sched/sch_cake.c:1948
cbs_child_enqueue net/sched/sch_cbs.c:95 [inline]
cbs_enqueue_soft+0x1a8/0x270 net/sched/sch_cbs.c:128
dev_qdisc_enqueue+0x48/0x210 net/core/dev.c:3852
__dev_xmit_skb net/core/dev.c:3936 [inline]
__dev_queue_xmit+0xd7e/0x2ed0 net/core/dev.c:4253
tipc_l2_send_msg+0x30a/0x3c0 net/tipc/bearer.c:518
tipc_bearer_xmit_skb+0x292/0x3c0 net/tipc/bearer.c:577
tipc_disc_timeout+0x568/0x6b0 net/tipc/discover.c:338
call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
expire_timers kernel/time/timer.c:1496 [inline]
__run_timers+0x525/0x7c0 kernel/time/timer.c:1767
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
handle_softirqs+0x328/0x820 kernel/softirq.c:576
__do_softirq kernel/softirq.c:610 [inline]
invoke_softirq kernel/softirq.c:450 [inline]
__irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:unwind_next_frame+0x6f0/0x1d90 arch/x86/kernel/unwind_orc.c:471
Code: 07 38 c1 0f 8c e0 01 00 00 be 02 00 00 00 48 89 7c 24 08 4c 89 ff e8 af b4 87 00 e9 fd 14 00 00 48 8b 44 24 40 42 80 3c 28 00 <4c> 8b 74 24 38 74 0c 4c 89 f7 e8 d1 b3 87 00 48 8b 14 24 49 8b 3e
RSP: 0018:ffffc90002ddf888 EFLAGS: 00000246
RAX: 1ffff920005bbf30 RBX: ffffc90002ddf948 RCX: ffffffff8dd9f12c
RDX: ffffffff8e769eec RSI: ffffffff8e769ece RDI: ffffffff8134790c
RBP: ffffffff89a8fa65 R08: 000000000000000e R09: 000000000000000a
R10: fffff520005bbf35 R11: 1ffff920005bbf33 R12: 1ffffffff1ced3de
R13: dffffc0000000000 R14: ffffffff8e769ef0 R15: 0000000000000005
arch_stack_walk+0x10c/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x98/0xe0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1710 [inline]
slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
slab_free mm/slub.c:3504 [inline]
kfree+0xef/0x2a0 mm/slub.c:4564
kernfs_fop_release+0x1d9/0x2b0 fs/kernfs/file.c:760
__fput+0x234/0x930 fs/file_table.c:311
task_work_run+0x125/0x1a0 kernel/task_work.c:188
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x10f/0x130 kernel/entry/common.c:181
exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f15c730aa67
Code: 44 00 00 48 83 ec 10 48 63 ff 45 31 c9 45 31 c0 6a 01 31 c9 e8 ca 19 f9 ff 48 83 c4 18 c3 0f 1f 44 00 00 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 61 b3 0d 00 f7 d8 64 89 02 b8
RSP: 002b:00007fff928d44d8 EFLAGS: 00000297 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000562887f0eec0 RCX: 00007f15c730aa67
RDX: 00007f15c73e4ea0 RSI: 0000562887ef9a00 RDI: 000000000000000c
RBP: 00007f15c73e4ff0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000000
R13: 3d45505954564544 R14: 3d5845444e494649 R15: 3d454d414e564544
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 38 c1 cmp %al,%cl
2: 0f 8c e0 01 00 00 jl 0x1e8
8: be 02 00 00 00 mov $0x2,%esi
d: 48 89 7c 24 08 mov %rdi,0x8(%rsp)
12: 4c 89 ff mov %r15,%rdi
15: e8 af b4 87 00 call 0x87b4c9
1a: e9 fd 14 00 00 jmp 0x151c
1f: 48 8b 44 24 40 mov 0x40(%rsp),%rax
24: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
* 29: 4c 8b 74 24 38 mov 0x38(%rsp),%r14 <-- trapping instruction
2e: 74 0c je 0x3c
30: 4c 89 f7 mov %r14,%rdi
33: e8 d1 b3 87 00 call 0x87b409
38: 48 8b 14 24 mov (%rsp),%rdx
3c: 49 8b 3e mov (%r14),%rdi