WARNING: suspicious RCU usage in netem_enqueue

Status: fixed on 2019/10/15 23:40
Fix commit: 159d2c7d8106 net-backports: sch_netem: fix rcu splat in netem_enqueue()
First crash: 1025d, last: 1011d

Cause bisection: introduced by (bisect log) :
commit c667186f1c01ca8970c785888868b7ffd74e51ee
Author: Marc Zyngier <>
Date: Thu Apr 27 18:06:48 2017 +0000

  arm64: KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses

Crash: WARNING in br_fdb_find (log)
Repro: C syz .config
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 WARNING: suspicious RCU usage in netem_enqueue C done 2 1009d 1014d 1/1 fixed on 2019/12/10 20:49
linux-4.14 WARNING: suspicious RCU usage in netem_enqueue C done 3 988d 1011d 1/1 fixed on 2019/12/13 05:27

Sample crash report:
8021q: adding VLAN 0 to HW filter on device batadv0
netlink: 80 bytes leftover after parsing attributes in process `syz-executor490'.
netlink: 48 bytes leftover after parsing attributes in process `syz-executor490'.
WARNING: suspicious RCU usage
5.3.0+ #0 Not tainted
include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syz-executor490/9142:
 #0: ffffffff88fab2c0 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #0: ffffffff88fab2c0 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214
 #1: ffffffff88fab2c0 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x20a/0x36f0 net/core/dev.c:3808
 #2: ffff88808985e700 (&(&sch->q.lock)->rlock){+...}, at: spin_lock include/linux/spinlock.h:338 [inline]
 #2: ffff88808985e700 (&(&sch->q.lock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3506 [inline]
 #2: ffff88808985e700 (&(&sch->q.lock)->rlock){+...}, at: __dev_queue_xmit+0x14b0/0x36f0 net/core/dev.c:3842

stack backtrace:
CPU: 0 PID: 9142 Comm: syz-executor490 Not tainted 5.3.0+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5438
 qdisc_root include/net/sch_generic.h:492 [inline]
 netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479
 __dev_xmit_skb net/core/dev.c:3531 [inline]
 __dev_queue_xmit+0x157e/0x36f0 net/core/dev.c:3842
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3906
 neigh_hh_output include/net/neighbour.h:500 [inline]
 neigh_output include/net/neighbour.h:509 [inline]
 ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290
 ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417
 dst_output include/net/dst.h:436 [inline]
 ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125
 ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555
 udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:888
 udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1175
 inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:657
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg net/socket.c:2439 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
RIP: 0033:0x441b59
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffcc63a6f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000315f6576616c RCX: 0000000000441b59
RDX: 04000000000001a8 RSI: 0000000020007fc0 RDI: 0000000000000005
RBP: 735f656764697262 R08: 0000000001bbbbbb R09: 0000000001bbbbbb
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004030f0 R14: 0000000000000000 R15: 0000000000000000

Crashes (16):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2019/09/24 20:53 upstream 4c07e2ddab5b 0942eab8 .config log report syz C
ci-upstream-kasan-gce-root 2019/09/24 09:47 upstream e94f8ccde471 c68252d2 .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/09/23 06:41 upstream 619e17cf75dd d96e88f3 .config log report syz C
ci-upstream-kasan-gce 2019/09/21 20:38 upstream 227c3e9eb5cf d96e88f3 .config log report syz C
ci-upstream-kasan-gce-root 2019/09/20 03:39 upstream 3c2edc36a774 4d3ae0b7 .config log report syz C
ci-upstream-kasan-gce-386 2019/09/21 00:53 upstream 574cc4539762 d96e88f3 .config log report syz C
ci-upstream-net-kasan-gce 2019/09/20 22:38 net-next b41dae061bbd d96e88f3 .config log report syz C
ci-upstream-net-kasan-gce 2019/09/18 08:09 net-next 1bab8d4c488b 03e0d245 .config log report syz C
ci-upstream-net-kasan-gce 2019/09/15 21:48 net-next a3d3c74da49c 32d59357 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/09/23 20:26 linux-next b5b3bd898ba9 1e9788a0 .config log report syz C
ci-upstream-net-this-kasan-gce 2019/09/20 01:04 net 280ceaed79f1 4d3ae0b7 .config log report
ci-upstream-net-kasan-gce 2019/09/27 15:58 net-next b41dae061bbd d8074e0b .config log report
ci-upstream-net-kasan-gce 2019/09/23 11:41 net-next b41dae061bbd d96e88f3 .config log report
ci-upstream-net-kasan-gce 2019/09/20 02:46 net-next b41dae061bbd 4d3ae0b7 .config log report
ci-upstream-net-kasan-gce 2019/09/15 20:27 net-next a3d3c74da49c 32d59357 .config log report
ci-upstream-net-kasan-gce 2019/09/13 16:52 net-next 022c10d6c73b 40fa42bc .config log report