=============================
WARNING: suspicious RCU usage
syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
7 locks held by kworker/u4:9/4408:
 #0: ffff8880169cd938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x760/0x1000 kernel/workqueue.c:-1
 #1: ffffc900034bfd00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x7a3/0x1000 kernel/workqueue.c:2285
 #2: ffffffff8d22cd10 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x132/0xb80 net/core/net_namespace.c:589
 #3: ffffffff8c24d5b0 (kernfs_rwsem){++++}-{3:3}, at: kernfs_remove_by_name_ns+0x29/0x100 fs/kernfs/dir.c:1561
 #4: ffffc90000007c00 ((&q->perturb_timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:45 [inline]
 #4: ffffc90000007c00 ((&q->perturb_timer)){+.-.}-{0:0}, at: call_timer_fn+0xbb/0x530 kernel/time/timer.c:1441
 #5: ffff88805cb17908 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:364 [inline]
 #5: ffff88805cb17908 (&sch->q.lock){+.-.}-{2:2}, at: sfq_perturbation+0x12e/0x2060 net/sched/sch_sfq.c:610
 #6: ffffffff8c11c760 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:312

stack backtrace:
CPU: 0 PID: 4408 Comm: kworker/u4:9 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: netns cleanup_net
Call Trace:
 <IRQ>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 qdisc_lookup+0xa6/0x650 net/sched/sch_api.c:304
 qdisc_tree_reduce_backlog+0x190/0x430 net/sched/sch_api.c:793
 sfq_rehash net/sched/sch_sfq.c:598 [inline]
 sfq_perturbation+0x1f20/0x2060 net/sched/sch_sfq.c:613
 call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x525/0x7c0 kernel/time/timer.c:1767
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:172 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:227 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp4+0xc/0x80 kernel/kcov.c:293
Code: 44 02 08 03 00 00 00 4a 89 7c 02 10 4a 89 74 02 18 4a 89 44 02 20 48 ff c1 48 89 0a c3 90 48 8b 04 24 65 48 8b 0d 44 a0 8a 7e <65> 8b 15 45 a0 8a 7e 81 e2 00 01 ff 00 74 11 81 fa 00 01 00 00 75
RSP: 0018:ffffc900034bf810 EFLAGS: 00000246
RAX: ffffffff81ea9bbf RBX: ffff888059035658 RCX: ffff88807f498000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: dffffc0000000000 R09: ffffed100b206acc
R10: ffffed100b206acc R11: 1ffff1100b206acb R12: 1ffffffff1ad3a18
R13: dffffc0000000000 R14: ffff888059035658 R15: dffffc0000000000
 kernfs_next_descendant_post+0x5f/0x200 fs/kernfs/dir.c:1278
 __kernfs_remove+0x23f/0xc50 fs/kernfs/dir.c:1349
 kernfs_remove_by_name_ns+0x91/0x100 fs/kernfs/dir.c:1566
 kernfs_remove_by_name include/linux/kernfs.h:598 [inline]
 remove_files fs/sysfs/group.c:28 [inline]
 sysfs_remove_group+0xf8/0x290 fs/sysfs/group.c:289
 sysfs_remove_groups+0x50/0xa0 fs/sysfs/group.c:313
 destroy_gid_attrs drivers/infiniband/core/sysfs.c:1175 [inline]
 ib_free_port_attrs+0xc1/0x3b0 drivers/infiniband/core/sysfs.c:1400
 remove_one_compat_dev drivers/infiniband/core/device.c:1010 [inline]
 rdma_dev_exit_net+0x1d5/0x330 drivers/infiniband/core/device.c:1148
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x6f0/0xb80 net/core/net_namespace.c:635
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
----------------
Code disassembly (best guess):
   0:	44 02 08             	add    (%rax),%r9b
   3:	03 00                	add    (%rax),%eax
   5:	00 00                	add    %al,(%rax)
   7:	4a 89 7c 02 10       	mov    %rdi,0x10(%rdx,%r8,1)
   c:	4a 89 74 02 18       	mov    %rsi,0x18(%rdx,%r8,1)
  11:	4a 89 44 02 20       	mov    %rax,0x20(%rdx,%r8,1)
  16:	48 ff c1             	inc    %rcx
  19:	48 89 0a             	mov    %rcx,(%rdx)
  1c:	c3                   	ret
  1d:	90                   	nop
  1e:	48 8b 04 24          	mov    (%rsp),%rax
  22:	65 48 8b 0d 44 a0 8a 	mov    %gs:0x7e8aa044(%rip),%rcx        # 0x7e8aa06e
  29:	7e
* 2a:	65 8b 15 45 a0 8a 7e 	mov    %gs:0x7e8aa045(%rip),%edx        # 0x7e8aa076 <-- trapping instruction
  31:	81 e2 00 01 ff 00    	and    $0xff0100,%edx
  37:	74 11                	je     0x4a
  39:	81 fa 00 01 00 00    	cmp    $0x100,%edx
  3f:	75                   	.byte 0x75