WARNING: suspicious RCU usage in netem_enqueue

Hello,

syzbot found the following crash on:

HEAD commit: d573e8a7 Linux 4.19.75
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=110da703600000
kernel config: https://syzkaller.appspot.com/x/.config?x=50b385e67c7b7cdf
dashboard link: https://syzkaller.appspot.com/bug?extid=4619b418840589d55af5
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13895703600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=164247a1600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
netlink: 80 bytes leftover after parsing attributes in process
`syz-executor434'.
netlink: 48 bytes leftover after parsing attributes in process
`syz-executor434'.
=============================
WARNING: suspicious RCU usage
4.19.75 #0 Not tainted
-----------------------------
include/net/sch_generic.h:419 suspicious rcu_dereference_check() usage!

other info that might help us debug this:


rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syz-executor434/7662:
#0: 00000000ab3841ce (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect
include/net/lwtunnel.h:92 [inline]
#0: 00000000ab3841ce (rcu_read_lock_bh){....}, at:
ip_finish_output2+0x2b0/0x1730 net/ipv4/ip_output.c:213
#1: 00000000ab3841ce (rcu_read_lock_bh){....}, at:
__dev_queue_xmit+0x214/0x2fe0 net/core/dev.c:3777
#2: 000000001f9ccf2b (&qdisc_tx_lock){+...}, at: spin_lock
include/linux/spinlock.h:329 [inline]
#2: 000000001f9ccf2b (&qdisc_tx_lock){+...}, at: __dev_xmit_skb
net/core/dev.c:3470 [inline]
#2: 000000001f9ccf2b (&qdisc_tx_lock){+...}, at:
__dev_queue_xmit+0x147c/0x2fe0 net/core/dev.c:3811

stack backtrace:
CPU: 0 PID: 7662 Comm: syz-executor434 Not tainted 4.19.75 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:4536
qdisc_root include/net/sch_generic.h:419 [inline]
netem_enqueue+0x1ada/0x28f0 net/sched/sch_netem.c:477
__dev_xmit_skb net/core/dev.c:3495 [inline]
__dev_queue_xmit+0x153d/0x2fe0 net/core/dev.c:3811
dev_queue_xmit+0x18/0x20 net/core/dev.c:3876
neigh_hh_output include/net/neighbour.h:491 [inline]
neigh_output include/net/neighbour.h:499 [inline]
ip_finish_output2+0x1041/0x1730 net/ipv4/ip_output.c:229
ip_finish_output+0x737/0xce0 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip_mc_output+0x298/0xf50 net/ipv4/ip_output.c:390
dst_output include/net/dst.h:447 [inline]
ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:124
ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1442
udp_send_skb.isra.0+0x6bb/0x11d0 net/ipv4/udp.c:842
udp_sendmsg+0x1e04/0x25e0 net/ipv4/udp.c:1129
inet_sendmsg+0x141/0x5d0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:632
___sys_sendmsg+0x3e2/0x920 net/socket.c:2115
__sys_sendmmsg+0x1bf/0x4e0 net/socket.c:2210
__do_sys_sendmmsg net/socket.c:2239 [inline]
__se_sys_sendmmsg net/socket.c:2236 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4423a9
Code: 43 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 1b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffff4cf17f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004423a9
RDX: 04000000000001a8 RSI: 0000000020007fc0 RDI: 0000000000000005
RBP: 00007ffff4cf1820 R08: 0000000000000400 R09: 0000000000000400
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000004038e0 R14: 0000000000000000 R15: 0000000000000000


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

HEAD commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
console output: https://syzkaller.appspot.com/x/log.txt?x=17c25aa9600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb75afefe94a0801
dashboard link: https://syzkaller.appspot.com/bug?extid=9ea180ba12a5c1098b92
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175e1b6d600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11f461c5600000
Reported-by: [email protected]
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
4.14.146 #0 Not tainted
-----------------------------
./include/net/sch_generic.h:303 suspicious rcu_dereference_check() usage!
3 locks held by syz-executor107/6888:
#0: (rcu_read_lock_bh){....}, at: [<ffffffff8520d2b6>]
lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
#0: (rcu_read_lock_bh){....}, at: [<ffffffff8520d2b6>]
ip_finish_output2+0x256/0x14a0 net/ipv4/ip_output.c:213
#1: (rcu_read_lock_bh){....}, at: [<ffffffff84d51762>]
__dev_queue_xmit+0x1e2/0x25e0 net/core/dev.c:3459
#2: (&qdisc_tx_lock){+...}, at: [<ffffffff84d52740>] spin_lock
include/linux/spinlock.h:317 [inline]
#2: (&qdisc_tx_lock){+...}, at: [<ffffffff84d52740>] __dev_xmit_skb
net/core/dev.c:3204 [inline]
#2: (&qdisc_tx_lock){+...}, at: [<ffffffff84d52740>]
__dev_queue_xmit+0x11c0/0x25e0 net/core/dev.c:3493

stack backtrace:
CPU: 1 PID: 6888 Comm: syz-executor107 Not tainted 4.14.146 #0
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x138/0x197 lib/dump_stack.c:53
lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:4662
qdisc_root include/net/sch_generic.h:303 [inline]
netem_enqueue+0x79c/0x2780 net/sched/sch_netem.c:472
__dev_xmit_skb net/core/dev.c:3229 [inline]
__dev_queue_xmit+0x12da/0x25e0 net/core/dev.c:3493
dev_queue_xmit+0x18/0x20 net/core/dev.c:3558
neigh_hh_output include/net/neighbour.h:490 [inline]
neigh_output include/net/neighbour.h:498 [inline]
ip_finish_output2+0xddc/0x14a0 net/ipv4/ip_output.c:229
ip_finish_output+0x56d/0xc60 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:239 [inline]
ip_mc_output+0x24a/0xd40 net/ipv4/ip_output.c:390
dst_output include/net/dst.h:462 [inline]
ip_local_out+0x97/0x170 net/ipv4/ip_output.c:124
ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1418
udp_send_skb+0x616/0xb90 net/ipv4/udp.c:833
udp_sendmsg+0x16df/0x1da0 net/ipv4/udp.c:1057
inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xce/0x110 net/socket.c:656
___sys_sendmsg+0x349/0x840 net/socket.c:2062
__sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
SYSC_sendmmsg net/socket.c:2183 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2178
do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4423e9
RSP: 002b:00007ffc6e5516f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004423e9
RBP: 735f656764697262 R08: 0000000000000000 R09: 0000000000000000
R13: 0000000000403340 R14: 0000000000000000 R15: 0000000000000000
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
nla_parse: 398 callbacks suppressed
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
`syz-executor107'.
nla_parse: 436 callbacks suppressed
`syz-executor107'.
`syz-executor107'.

syzbot suspects this bug was fixed by commit:

commit 195a3ea494d21721805959d3bfa0925167631ca5
Author: Cong Wang <[email protected]>
Date: Wed Sep 18 23:24:12 2019 +0000

net_sched: add max len check for TCA_KIND

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10aba42ae00000
start commit: d573e8a7 Linux 4.19.75
git tree: linux-4.19.y
If the result looks correct, please mark the bug fixed by replying with:

#syz fix: net_sched: add max len check for TCA_KIND

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

commit 6f492e8010338dc2584a711b0cae388fd36120a5
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=109c0cfae00000
start commit: f6e27dbb Linux 4.14.146
git tree: linux-4.14.y
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=116e7143600000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ef72eb600000