=============================
WARNING: suspicious RCU usage
5.15.189-syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
7 locks held by kworker/u4:12/5796:
#0: ffff88802c7a0938 ((wq_completion)bat_events){+.+.}-{0:0}, at: process_one_work+0x760/0x1000 kernel/workqueue.c:-1
#1: ffffc90002fbfd00 ((work_completion)(&(&bat_priv->nc.work)->work)){+.+.}-{0:0}, at: process_one_work+0x7a3/0x1000 kernel/workqueue.c:2285
#2: ffffffff8c11c360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
#3: ffffffff8c11c360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:312
#4: ffff888025778148 (dev->qdisc_running_key ?: &qdisc_running_key){+...}-{0:0}, at: net_tx_action+0x6bc/0x870 net/core/dev.c:5128
#5: ffff888025778108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
#5: ffff888025778108 (&sch->q.lock){+.-.}-{2:2}, at: sch_direct_xmit+0x305/0x4a0 net/sched/sch_generic.c:354
#6: ffffffff8c11c360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
stack backtrace:
CPU: 0 PID: 5796 Comm: kworker/u4:12 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: bat_events batadv_nc_worker
Call Trace:
dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
qdisc_lookup+0xa6/0x650 net/sched/sch_api.c:304
qdisc_tree_reduce_backlog+0x190/0x430 net/sched/sch_api.c:793
fq_codel_dequeue+0x28ee/0x2b30 net/sched/sch_fq_codel.c:321
qdisc_peek_dequeued+0x6e/0x1f0 include/net/sch_generic.h:1115
tbf_dequeue+0x7d/0xce0 net/sched/sch_tbf.c:265
dequeue_skb net/sched/sch_generic.c:292 [inline]
qdisc_restart net/sched/sch_generic.c:397 [inline]
__qdisc_run+0x237/0x1480 net/sched/sch_generic.c:415
qdisc_run+0x103/0x2f0 include/net/pkt_sched.h:132
net_tx_action+0x6bc/0x870 net/core/dev.c:5128
handle_softirqs+0x328/0x820 kernel/softirq.c:576
__do_softirq kernel/softirq.c:610 [inline]
invoke_softirq kernel/softirq.c:450 [inline]
__irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:413 [inline]
RIP: 0010:batadv_nc_worker+0x15c/0x5c0 net/batman-adv/network-coding.c:723
Code: be e5 02 00 00 48 c7 c2 e0 a1 1f 8b e8 3d 03 20 00 4c 89 e8 48 c1 e8 03 80 3c 18 00 74 08 4c 89 ef e8 f8 a4 3e f8 4d 8b 6d 00 <4d> 85 ed 0f 94 c0 49 81 c5 38 fe ff ff 0f 94 c1 08 c1 74 07 e8 9b
RSP: 0018:ffffc90002fbfbe0 EFLAGS: 00000246
RAX: 1ffff1100f37f120 RBX: dffffc0000000000 RCX: ffff8880297d0000
RDX: 0000000000000000 RSI: ffffffff8a599320 RDI: ffffffff8a5992e0
RBP: 0000000000000001 R08: dffffc0000000000 R09: fffffbfff1ff6e19
R10: fffffbfff1ff6e19 R11: 1ffffffff1ff6e18 R12: 0000000000000120
R13: 0000000000000000 R14: ffff888051544c80 R15: ffff888022e85410
process_one_work+0x863/0x1000 kernel/workqueue.c:2310
worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
kthread+0x436/0x520 kernel/kthread.c:334
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
vkms_vblank_simulate: vblank timer overrun
----------------
Code disassembly (best guess):
   0: be e5 02 00 00        mov    $0x2e5,%esi
   5: 48 c7 c2 e0 a1 1f 8b  mov    $0xffffffff8b1fa1e0,%rdx
   c: e8 3d 03 20 00        call   0x20034e
  11: 4c 89 e8              mov    %r13,%rax
  14: 48 c1 e8 03           shr    $0x3,%rax
  18: 80 3c 18 00           cmpb   $0x0,(%rax,%rbx,1)
  1c: 74 08                 je     0x26
  1e: 4c 89 ef              mov    %r13,%rdi
  21: e8 f8 a4 3e f8        call   0xf83ea51e
  26: 4d 8b 6d 00           mov    0x0(%r13),%r13
* 2a: 4d 85 ed              test   %r13,%r13 <-- trapping instruction
  2d: 0f 94 c0              sete   %al
  30: 49 81 c5 38 fe ff ff  add    $0xfffffffffffffe38,%r13
  37: 0f 94 c1              sete   %cl
  3a: 08 c1                 or     %al,%cl
  3c: 74 07                 je     0x45
  3e: e8                    .byte 0xe8
  3f: 9b                    fwait