=============================
WARNING: suspicious RCU usage
5.15.185-syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
6 locks held by syz.2.639/8168:
 #0: ffff888027806798 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
 #0: ffff888027806798 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_pte_range mm/memory.c:1342 [inline]
 #0: ffff888027806798 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_pmd_range mm/memory.c:1505 [inline]
 #0: ffff888027806798 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_pud_range mm/memory.c:1534 [inline]
 #0: ffff888027806798 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: zap_p4d_range mm/memory.c:1555 [inline]
 #0: ffff888027806798 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: unmap_page_range+0x98d/0x2520 mm/memory.c:1576
 #1: ffffffff8c11bfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
 #2: ffffffff8c11bfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:312
 #3: ffff88807b7f1148 (dev->qdisc_running_key ?: &qdisc_running_key){+...}-{0:0}, at: net_tx_action+0x6bc/0x870 net/core/dev.c:5128
 #4: ffff88807b7f1108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:363 [inline]
 #4: ffff88807b7f1108 (&sch->q.lock){+.-.}-{2:2}, at: sch_direct_xmit+0x305/0x4a0 net/sched/sch_generic.c:354
 #5: ffffffff8c11bfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311

stack backtrace:
CPU: 1 PID: 8168 Comm: syz.2.639 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 qdisc_lookup+0xa6/0x650 net/sched/sch_api.c:304
 qdisc_tree_reduce_backlog+0x213/0x4e0 net/sched/sch_api.c:800
 cake_dequeue+0x1b8f/0x4aa0 net/sched/sch_cake.c:2189
 qdisc_peek_dequeued+0x6e/0x1f0 include/net/sch_generic.h:1115
 tbf_dequeue+0x7d/0xce0 net/sched/sch_tbf.c:265
 dequeue_skb net/sched/sch_generic.c:292 [inline]
 qdisc_restart net/sched/sch_generic.c:397 [inline]
 __qdisc_run+0x237/0x1480 net/sched/sch_generic.c:415
 qdisc_run+0x103/0x2f0 include/net/pkt_sched.h:132
 net_tx_action+0x6bc/0x870 net/core/dev.c:5128
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:202
Code: 66 2e 0f 1f 84 00 00 00 00 00 53 48 89 fb e8 17 00 00 00 48 8b 3d 00 ec f0 0b 48 89 de 5b e9 47 ae 44 00 00 00 cc cc 00 00 cc <48> 8b 04 24 65 48 8b 0d 94 ad 8a 7e 65 8b 15 95 ad 8a 7e 81 e2 00
RSP: 0018:ffffc900032e7818 EFLAGS: 00000246
RAX: ffffffff81b82e17 RBX: ffffea000198b540 RCX: ffff88802709d940
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: dffffc0000000000 R09: fffff940003316a9
R10: fffff940003316a9 R11: 1ffffd40003316a8 R12: 0000000000000000
R13: ffffea000198b540 R14: 0000000000000000 R15: dffffc0000000000
 PageHuge+0x92/0x130 mm/hugetlb.c:1742
 page_remove_file_rmap mm/rmap.c:1260 [inline]
 page_remove_rmap+0x621/0x10f0 mm/rmap.c:1354
 zap_pte_range mm/memory.c:1384 [inline]
 zap_pmd_range mm/memory.c:1505 [inline]
 zap_pud_range mm/memory.c:1534 [inline]
 zap_p4d_range mm/memory.c:1555 [inline]
 unmap_page_range+0xfbc/0x2520 mm/memory.c:1576
 unmap_vmas+0x11b/0x230 mm/memory.c:1653
 exit_mmap+0x38f/0x5f0 mm/mmap.c:3204
 __mmput+0x115/0x3b0 kernel/fork.c:1127
 exit_mm+0x567/0x6c0 kernel/exit.c:550
 do_exit+0x599/0x20a0 kernel/exit.c:861
 do_group_exit+0x12e/0x300 kernel/exit.c:996
 __do_sys_exit_group kernel/exit.c:1007 [inline]
 __se_sys_exit_group kernel/exit.c:1005 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1005
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f5413596929
Code: Unable to access opcode bytes at RIP 0x7f54135968ff.
RSP: 002b:00007fff114f0068 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5413596929
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fff114f00cc R08: 00000009114f015f R09: 00000000000927c0
R10: 0000000000007dc8 R11: 0000000000000246 R12: 000000000000000e
R13: 00000000000927c0 R14: 000000000003b2b4 R15: 00007fff114f0120
 </TASK>
----------------
Code disassembly (best guess):
   0:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
   7:	00 00 00
   a:	53                   	push   %rbx
   b:	48 89 fb             	mov    %rdi,%rbx
   e:	e8 17 00 00 00       	call   0x2a
  13:	48 8b 3d 00 ec f0 0b 	mov    0xbf0ec00(%rip),%rdi        # 0xbf0ec1a
  1a:	48 89 de             	mov    %rbx,%rsi
  1d:	5b                   	pop    %rbx
  1e:	e9 47 ae 44 00       	jmp    0x44ae6a
  23:	00 00                	add    %al,(%rax)
  25:	cc                   	int3
  26:	cc                   	int3
  27:	00 00                	add    %al,(%rax)
  29:	cc                   	int3
* 2a:	48 8b 04 24          	mov    (%rsp),%rax <-- trapping instruction
  2e:	65 48 8b 0d 94 ad 8a 	mov    %gs:0x7e8aad94(%rip),%rcx        # 0x7e8aadca
  35:	7e
  36:	65 8b 15 95 ad 8a 7e 	mov    %gs:0x7e8aad95(%rip),%edx        # 0x7e8aadd2
  3d:	81                   	.byte 0x81
  3e:	e2 00                	loop   0x40