=============================
WARNING: suspicious RCU usage
5.15.189-syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
9 locks held by syz.0.48/4419:
 #0: ffff0000d37e0120 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1694 [inline]
 #0: ffff0000d37e0120 (sk_lock-AF_INET){+.+.}-{0:0}, at: l2tp_ip_sendmsg+0x48/0x1184 net/l2tp/l2tp_ip.c:405
 #1: ffff800014341360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:311
 #2: ffff800014341360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #3: ffff800020336fc0 ((&d->timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:45 [inline]
 #3: ffff800020336fc0 ((&d->timer)){+.-.}-{0:0}, at: call_timer_fn+0xd0/0x858 kernel/time/timer.c:1441
 #4: ffff800014341360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:311
 #5: ffff8000143413c0 (rcu_read_lock_bh){....}-{1:2}, at: rcu_lock_acquire+0x18/0x54 include/linux/rcupdate.h:311
 #6: ffff0000c2c6a108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
 #6: ffff0000c2c6a108 (&sch->q.lock){+.-.}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3911 [inline]
 #6: ffff0000c2c6a108 (&sch->q.lock){+.-.}-{2:2}, at: __dev_queue_xmit+0x840/0x2800 net/core/dev.c:4253
 #7: ffff0000c2c6a148 (dev->qdisc_running_key ?: &qdisc_running_key){+...}-{0:0}, at: __dev_xmit_skb net/core/dev.c:3937 [inline]
 #7: ffff0000c2c6a148 (dev->qdisc_running_key ?: &qdisc_running_key){+...}-{0:0}, at: __dev_queue_xmit+0xfcc/0x2800 net/core/dev.c:4253
 #8: ffff800014341360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:311

stack backtrace:
CPU: 1 PID: 4419 Comm: syz.0.48 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x140/0x198 kernel/locking/lockdep.c:6574
 qdisc_lookup+0xc8/0x64c net/sched/sch_api.c:304
 qdisc_tree_reduce_backlog+0x188/0x410 net/sched/sch_api.c:793
 sfq_enqueue+0x101c/0x1ca4 net/sched/sch_sfq.c:-1
 qdisc_enqueue include/net/sch_generic.h:832 [inline]
 netem_dequeue+0xa80/0x1048 net/sched/sch_netem.c:737
 dequeue_skb net/sched/sch_generic.c:292 [inline]
 qdisc_restart net/sched/sch_generic.c:397 [inline]
 __qdisc_run+0x1bc/0x1170 net/sched/sch_generic.c:415
 __dev_xmit_skb net/core/dev.c:3942 [inline]
 __dev_queue_xmit+0xfe0/0x2800 net/core/dev.c:4253
 dev_queue_xmit+0x24/0x34 net/core/dev.c:4321
 tipc_l2_send_msg+0x298/0x358 net/tipc/bearer.c:518
 tipc_bearer_xmit_skb+0x244/0x384 net/tipc/bearer.c:577
 tipc_disc_timeout+0x4c8/0x608 net/tipc/discover.c:338
 call_timer_fn+0x19c/0x858 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x46c/0x6c4 kernel/time/timer.c:1767
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1780
 handle_softirqs+0x344/0xbf0 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
 do_softirq+0xfc/0x1b0 kernel/softirq.c:477
 __local_bh_enable_ip+0x250/0x380 kernel/softirq.c:401
 local_bh_enable+0x28/0x1d0 include/linux/bottom_half.h:32
 rcu_read_unlock_bh include/linux/rcupdate.h:809 [inline]
 ip_finish_output2+0xe8c/0x1228 net/ipv4/ip_output.c:229
 __ip_finish_output net/ipv4/ip_output.c:-1 [inline]
 ip_finish_output+0x1b0/0x448 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip_output+0x314/0x414 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:452 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 __ip_queue_xmit+0xe00/0x18f0 net/ipv4/ip_output.c:532
 ip_queue_xmit+0x5c/0x7c net/ipv4/ip_output.c:546
 l2tp_ip_sendmsg+0x4c8/0x1184 net/l2tp/l2tp_ip.c:498
 inet_sendmsg+0x154/0x284 net/ipv4/af_inet.c:834
 sock_sendmsg_nosec net/socket.c:704 [inline]
 __sock_sendmsg net/socket.c:716 [inline]
 ____sys_sendmsg+0x61c/0x920 net/socket.c:2436
 ___sys_sendmsg+0x1d0/0x240 net/socket.c:2490
 __sys_sendmmsg+0x218/0x5f0 net/socket.c:2576
 __do_sys_sendmmsg net/socket.c:2605 [inline]
 __se_sys_sendmmsg net/socket.c:2602 [inline]
 __arm64_sys_sendmmsg+0xa0/0xbc net/socket.c:2602
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
vkms_vblank_simulate: vblank timer overrun