=============================
WARNING: suspicious RCU usage
6.9.0-syzkaller-12116-g782471db6c72 #0 Not tainted
-----------------------------
net/bridge/br_private.h:1599 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
7 locks held by syz-executor.1/15908:
 #0: ffffffff8f5d9bd0 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c6/0x7b0 net/core/net_namespace.c:504
 #1: ffffffff8f37a3f0 (devices_rwsem){++++}-{3:3}, at: rdma_dev_init_net+0x198/0x280 drivers/infiniband/core/device.c:1179
 #2: ffffffff8f37a5b0 (rdma_nets_rwsem){++++}-{3:3}, at: rdma_dev_init_net+0x1e6/0x280 drivers/infiniband/core/device.c:1184
 #3: ffff88807b040f30 (&device->compat_devs_mutex){+.+.}-{3:3}, at: add_one_compat_dev+0x10d/0x710 drivers/infiniband/core/device.c:943
 #4: ffffc90000007c00 ((&p->forward_delay_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x650 kernel/time/timer.c:1789
 #5: ffff88802bce4cb8 (&br->lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #5: ffff88802bce4cb8 (&br->lock){+.-.}-{2:2}, at: br_forward_delay_timer_expired+0x50/0x440 net/bridge/br_stp_timer.c:86
 #6: ffffffff8e333e60 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #6: ffffffff8e333e60 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #6: ffffffff8e333e60 (rcu_read_lock){....}-{1:2}, at: br_mst_set_state+0x171/0x7a0 net/bridge/br_mst.c:105

stack backtrace:
CPU: 0 PID: 15908 Comm: syz-executor.1 Not tainted 6.9.0-syzkaller-12116-g782471db6c72 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
 nbp_vlan_group net/bridge/br_private.h:1599 [inline]
 br_mst_set_state+0x29e/0x7a0 net/bridge/br_mst.c:106
 br_set_state+0x28a/0x7b0 net/bridge/br_stp.c:47
 br_forward_delay_timer_expired+0x176/0x440 net/bridge/br_stp_timer.c:88
 call_timer_fn+0x18e/0x650 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1843 [inline]
 __run_timers kernel/time/timer.c:2417 [inline]
 __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2428
 run_timer_base kernel/time/timer.c:2437 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2447
 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__sanitizer_cov_trace_cmp4+0x81/0x90 kernel/kcov.c:279
Code: 8d 42 28 4c 39 c8 77 22 89 f8 89 f6 49 ff c2 4c 89 11 48 c7 44 0a 08 04 00 00 00 48 89 44 0a 10 48 89 74 0a 18 4c 89 44 0a 20 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
RSP: 0018:ffffc900031d6ea0 EFLAGS: 00000297
RAX: 0000000000000002 RBX: 00000000000ac000 RCX: 00000000000ac001
RDX: ffff888023375a00 RSI: 0000000000077f81 RDI: 00000000000ac000
RBP: 0000000000077f81 R08: ffffffff8140e1a4 R09: ffffc900031d7070
R10: 0000000000000003 R11: ffffffff8181cdd0 R12: ffffc900031d6f80
R13: 00000000000ac001 R14: ffffffff8bc00000 R15: ffffffff887f81ae
 orc_find arch/x86/kernel/unwind_orc.c:211 [inline]
 unwind_next_frame+0x244/0x2a00 arch/x86/kernel/unwind_orc.c:494
 arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4000 [inline]
 kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4007
 __kernfs_new_node+0xd8/0x870 fs/kernfs/dir.c:624
----------------
Code disassembly (best guess):
   0:	8d 42 28             	lea    0x28(%rdx),%eax
   3:	4c 39 c8             	cmp    %r9,%rax
   6:	77 22                	ja     0x2a
   8:	89 f8                	mov    %edi,%eax
   a:	89 f6                	mov    %esi,%esi
   c:	49 ff c2             	inc    %r10
   f:	4c 89 11             	mov    %r10,(%rcx)
  12:	48 c7 44 0a 08 04 00 	movq   $0x4,0x8(%rdx,%rcx,1)
  19:	00 00
  1b:	48 89 44 0a 10       	mov    %rax,0x10(%rdx,%rcx,1)
  20:	48 89 74 0a 18       	mov    %rsi,0x18(%rdx,%rcx,1)
  25:	4c 89 44 0a 20       	mov    %r8,0x20(%rdx,%rcx,1)
* 2a:	c3                   	ret <-- trapping instruction
  2b:	cc                   	int3
  2c:	cc                   	int3
  2d:	cc                   	int3
  2e:	cc                   	int3
  2f:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  36:	00 00 00
  39:	90                   	nop
  3a:	90                   	nop
  3b:	90                   	nop
  3c:	90                   	nop
  3d:	90                   	nop
  3e:	90                   	nop
  3f:	90                   	nop