syzbot


WARNING: suspicious RCU usage in netem_enqueue

Status: fixed on 2019/12/10 20:49
Reported-by: syzbot+4619b418840589d55af5@syzkaller.appspotmail.com
Fix commit: 195a3ea494d2 net_sched: add max len check for TCA_KIND
First crash: 1012d, last: 1008d

Fix bisection: fixed by (bisect log):
commit 195a3ea494d21721805959d3bfa0925167631ca5
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Wed Sep 18 23:24:12 2019 +0000

  net_sched: add max len check for TCA_KIND

Similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream WARNING: suspicious RCU usage in netem_enqueue C done 16 1009d 1023d 14/22 fixed on 2019/10/15 23:40
linux-4.14 WARNING: suspicious RCU usage in netem_enqueue C done 3 986d 1009d 1/1 fixed on 2019/12/13 05:27

Sample crash report:
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
netlink: 80 bytes leftover after parsing attributes in process `syz-executor151'.
netlink: 48 bytes leftover after parsing attributes in process `syz-executor151'.
=============================
WARNING: suspicious RCU usage
4.19.75 #0 Not tainted
-----------------------------
include/net/sch_generic.h:419 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syz-executor151/7601:
 #0: 00000000c3202c35 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
 #0: 00000000c3202c35 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2b0/0x1730 net/ipv4/ip_output.c:213
 #1: 00000000c3202c35 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x214/0x2fe0 net/core/dev.c:3777
 #2: 000000003b4632a0 (&qdisc_tx_lock){+...}, at: spin_lock include/linux/spinlock.h:329 [inline]
 #2: 000000003b4632a0 (&qdisc_tx_lock){+...}, at: __dev_xmit_skb net/core/dev.c:3470 [inline]
 #2: 000000003b4632a0 (&qdisc_tx_lock){+...}, at: __dev_queue_xmit+0x147c/0x2fe0 net/core/dev.c:3811

stack backtrace:
CPU: 1 PID: 7601 Comm: syz-executor151 Not tainted 4.19.75 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:4536
 qdisc_root include/net/sch_generic.h:419 [inline]
 netem_enqueue+0x1ada/0x28f0 net/sched/sch_netem.c:477
 __dev_xmit_skb net/core/dev.c:3495 [inline]
 __dev_queue_xmit+0x153d/0x2fe0 net/core/dev.c:3811
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3876
 neigh_hh_output include/net/neighbour.h:491 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0x1041/0x1730 net/ipv4/ip_output.c:229
 ip_finish_output+0x737/0xce0 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_mc_output+0x298/0xf50 net/ipv4/ip_output.c:390
 dst_output include/net/dst.h:447 [inline]
 ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:124
 ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1442
 udp_send_skb.isra.0+0x6bb/0x11d0 net/ipv4/udp.c:842
 udp_sendmsg+0x1e04/0x25e0 net/ipv4/udp.c:1129
 inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:632
 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2115
 __sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210
 __do_sys_sendmmsg net/socket.c:2239 [inline]
 __se_sys_sendmmsg net/socket.c:2236 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x442259
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc62c080b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442259
RDX: 04000000000001a8 RSI: 0000000020007fc0 RDI: 0000000000000005
RBP: 00007ffc62c080e0 R08: 0000000000000400 R09: 0000000000000400
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004037f0 R14: 0000000000000000 R15: 0000000000000000

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2019/09/29 02:39 linux-4.19.y d573e8a79f70 eb6b9855 .config log report syz C
ci2-linux-4-19 2019/09/24 08:37 linux-4.19.y d573e8a79f70 c68252d2 .config log report syz C