=============================
WARNING: suspicious RCU usage
syzkaller #0 Not tainted
-----------------------------
net/sched/sch_api.c:304 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
7 locks held by kworker/0:21/14404:
 #0: 
ffff888016c70938
 (
(wq_completion)events
){+.+.}-{0:0}
, at: process_one_work+0x761/0x1010 kernel/workqueue.c:-1
 #1: ffffc90003877d00 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work+0x79f/0x1010 kernel/workqueue.c:2285
 #2: ffff88805ffca400 (&nsim_dev->port_list_lock#2){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x56/0xb40 drivers/net/netdevsim/dev.c:757
 #3: ffff88805ebb84e0 (&nsim_trap_data->trap_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:364 [inline]
 #3: ffff88805ebb84e0 (&nsim_trap_data->trap_lock){+.+.}-{2:2}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:707 [inline]
 #3: ffff88805ebb84e0 (&nsim_trap_data->trap_lock){+.+.}-{2:2}, at: nsim_dev_trap_report_work+0x1af/0xb40 drivers/net/netdevsim/dev.c:762
 #4: ffffc90000007c00 ((&q->perturb_timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:45 [inline]
 #4: ffffc90000007c00 ((&q->perturb_timer)){+.-.}-{0:0}, at: call_timer_fn+0xca/0x540 kernel/time/timer.c:1441
 #5: ffff88806764f908 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:364 [inline]
 #5: ffff88806764f908 (&sch->q.lock){+.-.}-{2:2}, at: sfq_perturbation+0x14d/0x20d0 net/sched/sch_sfq.c:610
 #6: ffffffff8c31eaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:312

stack backtrace:
CPU: 0 PID: 14404 Comm: kworker/0:21 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: events nsim_dev_trap_report_work
Call Trace:
 <IRQ>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 qdisc_lookup+0xa6/0x650 net/sched/sch_api.c:304
 qdisc_tree_reduce_backlog+0x190/0x430 net/sched/sch_api.c:783
 sfq_rehash net/sched/sch_sfq.c:598 [inline]
 sfq_perturbation+0x1f5e/0x20d0 net/sched/sch_sfq.c:613
 call_timer_fn+0x17b/0x540 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x53a/0x7f0 kernel/time/timer.c:1767
 handle_softirqs+0x339/0x830 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:eth_random_addr include/linux/etherdevice.h:226 [inline]
RIP: 0010:nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:671 [inline]
RIP: 0010:nsim_dev_trap_report drivers/net/netdevsim/dev.c:721 [inline]
RIP: 0010:nsim_dev_trap_report_work+0x349/0xb40 drivers/net/netdevsim/dev.c:762
Code: 05 00 00 66 89 9d b6 00 00 00 48 89 ef be 0e 00 00 00 e8 5a c1 11 02 48 89 c3 be 06 00 00 00 48 89 c7 e8 6a 15 87 fe 48 89 d8 <48> c1 e8 03 42 0f b6 04 28 84 c0 0f 85 f3 04 00 00 0f b6 03 24 fc
RSP: 0018:ffffc90003877b40 EFLAGS: 00000246
RAX: ffff88807ddaa000 RBX: ffff88807ddaa000 RCX: 0000000000000000
RDX: 0000000000000040 RSI: 0000000000000000 RDI: ffffc90003877a60
RBP: ffff88805862aa00 R08: ffffc90003877a5f R09: ffffc90003877a20
R10: dffffc0000000000 R11: fffff5200070ef4c R12: ffff88805ffca470
R13: dffffc0000000000 R14: ffff88805ebb84a8 R15: ffff88805862aac8
 process_one_work+0x85f/0x1010 kernel/workqueue.c:2310
 worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
----------------
Code disassembly (best guess):
   0:	05 00 00 66 89       	add    $0x89660000,%eax
   5:	9d                   	popf
   6:	b6 00                	mov    $0x0,%dh
   8:	00 00                	add    %al,(%rax)
   a:	48 89 ef             	mov    %rbp,%rdi
   d:	be 0e 00 00 00       	mov    $0xe,%esi
  12:	e8 5a c1 11 02       	call   0x211c171
  17:	48 89 c3             	mov    %rax,%rbx
  1a:	be 06 00 00 00       	mov    $0x6,%esi
  1f:	48 89 c7             	mov    %rax,%rdi
  22:	e8 6a 15 87 fe       	call   0xfe871591
  27:	48 89 d8             	mov    %rbx,%rax
* 2a:	48 c1 e8 03          	shr    $0x3,%rax <-- trapping instruction
  2e:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
  33:	84 c0                	test   %al,%al
  35:	0f 85 f3 04 00 00    	jne    0x52e
  3b:	0f b6 03             	movzbl (%rbx),%eax
  3e:	24 fc                	and    $0xfc,%al