ci2 starts bisection 2025-10-10 04:53:58.03974827 +0000 UTC m=+17636.818214787
bisecting fixing commit since 82186ba3101043228ba7894fdb0c729f99453b60
building syzkaller on 5d8c2ac2627b33cf6ef92f3618f3350e28ae5118
ensuring issue is reproducible on original commit 82186ba3101043228ba7894fdb0c729f99453b60
testing commit 82186ba3101043228ba7894fdb0c729f99453b60 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 40c03b3360ef4d4c6c457221b31e8f9254f5aa7456ffe5af0b573ec52944091c
all runs: crashed: general protection fault in qdisc_tree_reduce_backlog
representative crash: general protection fault in qdisc_tree_reduce_backlog, types: [DoS]
check whether we can drop unnecessary instrumentation
disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 82186ba3101043228ba7894fdb0c729f99453b60 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 0a909f7a086a726d25fab9858684fc0da511ed8d83a37943880cbca519704d68
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the bug reproduces without the instrumentation
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep hang], they are not needed
kconfig minimization: base=5186 full=6556 leaves diff=265
split chunks (needed=false): <265>
split chunk #0 of len 265 into 5 parts
testing without sub-chunk 1/5
disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 82186ba3101043228ba7894fdb0c729f99453b60 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: b5e1786df952172442aeddb2adf93067532e7187ce066238b7e3f32e209244fc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed
testing commit 82186ba3101043228ba7894fdb0c729f99453b60 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 791f702c3140ed5d0fa9596ff87e4c47f6ef0aef7bf592ef20c0893453396a87
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
testing commit 82186ba3101043228ba7894fdb0c729f99453b60 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e4ea7f7234f42bf8f74d1c82b85d687999427d68e49cf192d7c3a6d1dd1dd279
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning kasan], they are not needed
testing commit 82186ba3101043228ba7894fdb0c729f99453b60 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: fe4d240d99d3c5ee9947cc2f41d6a5226c403ccb720612bace6c335a4c125550
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 82186ba3101043228ba7894fdb0c729f99453b60 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
failed building 82186ba3101043228ba7894fdb0c729f99453b60:
ld.lld: error: undefined symbol: wext_proc_init
ld.lld: error: undefined symbol: wext_proc_exit
ld.lld: error: undefined symbol: wext_handle_ioctl
ld.lld: error: undefined symbol: compat_wext_handle_ioctl
minimized to 53 configs; suspects: [HID_ZEROPLUS USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM V4L2_ASYNC V4L2_FWNODE VIDEO_CAMERA_SENSOR WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_PURELIFI WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_SILABS WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan locking], they are not needed
testing current HEAD 1257aa4519ee5d49e465b0dcc85cc7e4a24619d5
testing commit 1257aa4519ee5d49e465b0dcc85cc7e4a24619d5 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 5d8512b737810b6280f5135fb3f234b0af372065c7ca914dd876f3dcbc9926a2
all runs: OK
false negative chance: 0.000
# git bisect start 1257aa4519ee5d49e465b0dcc85cc7e4a24619d5 82186ba3101043228ba7894fdb0c729f99453b60
Bisecting: 594 revisions left to test after this (roughly 9 steps)
[1fc8b74dc540cf5fa8dd6d9ed6def9270bb3c76e] vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page
determine whether the revision contains the guilty commit
checking the merge base f2198ea7eb3e7a0575505c7ce38d76841d98aa36
no existing result, test the revision
testing commit f2198ea7eb3e7a0575505c7ce38d76841d98aa36 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2049ef11e305bb41e86bdb454ffcd8812d79825d343d386568406cd733feadff
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
testing commit 1fc8b74dc540cf5fa8dd6d9ed6def9270bb3c76e gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 03d114b52361f74c8a21158a0805c67cbae3c48217946306add0f6c9c29d539e
all runs: OK
false negative chance: 0.000
# git bisect bad 1fc8b74dc540cf5fa8dd6d9ed6def9270bb3c76e
Bisecting: 296 revisions left to test after this (roughly 8 steps)
[1c38196defef951a129c081360d02e459623ac8d] kcsan: test: Initialize dummy variable
determine whether the revision contains the guilty commit
revision f2198ea7eb3e7a0575505c7ce38d76841d98aa36 crashed and is reachable
testing commit 1c38196defef951a129c081360d02e459623ac8d gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e10dcad65bea2dd56df7af73d9ad0608642f7ca403e14e98c13fff19b934c2d1
all runs: OK
false negative chance: 0.000
# git bisect bad 1c38196defef951a129c081360d02e459623ac8d
Bisecting: 148 revisions left to test after this (roughly 7 steps)
[a47ef874189d47f934d0809ae738886307c0ea22] netfilter: nf_conntrack: fix crash due to removal of uninitialised entry
determine whether the revision contains the guilty commit
revision f2198ea7eb3e7a0575505c7ce38d76841d98aa36 crashed and is reachable
testing commit a47ef874189d47f934d0809ae738886307c0ea22 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 1438a0ab86e9bbaf56a0b17c46f09cd90b72b159661b34054b435de8fa30bd7f
all runs: OK
false negative chance: 0.000
# git bisect bad a47ef874189d47f934d0809ae738886307c0ea22
Bisecting: 73 revisions left to test after this (roughly 6 steps)
[2144955e96abbb0b95d8e051827d77ee33347cf9] ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic
determine whether the revision contains the guilty commit
revision f2198ea7eb3e7a0575505c7ce38d76841d98aa36 crashed and is reachable
testing commit 2144955e96abbb0b95d8e051827d77ee33347cf9 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: e5620818ba874f3d0ef18880f57f2f47f5cbd900a6b0e29bf5d2618c89e530ad
all runs: OK
false negative chance: 0.000
# git bisect bad 2144955e96abbb0b95d8e051827d77ee33347cf9
Bisecting: 36 revisions left to test after this (roughly 5 steps)
[7837fb8e97fc5b10461fc95278ff535697f52efc] kallsyms: fix build without execinfo
determine whether the revision contains the guilty commit
revision f2198ea7eb3e7a0575505c7ce38d76841d98aa36 crashed and is reachable
testing commit 7837fb8e97fc5b10461fc95278ff535697f52efc gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 80584c2b2989349d40b1fd7a1f2536b432e21c9bb1fba749fa75f1c1e242de78
all runs: OK
false negative chance: 0.000
# git bisect bad 7837fb8e97fc5b10461fc95278ff535697f52efc
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[23c165dde88eac405eebb59051ea1fe139a45803] net/sched: Abort __tc_modify_qdisc if parent class does not exist
determine whether the revision contains the guilty commit
revision f2198ea7eb3e7a0575505c7ce38d76841d98aa36 crashed and is reachable
testing commit 23c165dde88eac405eebb59051ea1fe139a45803 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 42478f9cda231688419c16db81c957cdf67891286f0bb975eee2f7fe405a0756
all runs: OK
false negative chance: 0.000
# git bisect bad 23c165dde88eac405eebb59051ea1fe139a45803
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17] vsock: Fix transport_{g2h,h2g} TOCTOU
determine whether the revision contains the guilty commit
revision f2198ea7eb3e7a0575505c7ce38d76841d98aa36 crashed and is reachable
testing commit 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 3d16f47a72d378d59d5129f81f9ed7cb69922b1b6d32cf7799956441bfdf4643
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[d823d21de698098dcac18023fcb3e1e546c54553] net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
determine whether the revision contains the guilty commit
revision 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17 crashed and is reachable
testing commit d823d21de698098dcac18023fcb3e1e546c54553 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 8281f886a03dff2b2b8b4b7f82b3e2b267ef0917644fba758a806c11dc1d0e82
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
# git bisect good d823d21de698098dcac18023fcb3e1e546c54553
Bisecting: 2 revisions left to test after this (roughly 1 step)
[0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90] atm: clip: Fix memory leak of struct clip_vcc.
determine whether the revision contains the guilty commit
revision d823d21de698098dcac18023fcb3e1e546c54553 crashed and is reachable
testing commit 0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2e4a7b83bda7ef06b580c9cf649553b396dffd8b68d2b7ebae0fa6ddbef041dc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 0c17ff462d98c997d707ee5cf4e4a9b1b52b9d90
Bisecting: 0 revisions left to test after this (roughly 1 step)
[27b5bb7ea1a8fa7b8c4cfde4d2bf8650cca2e8e8] atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
determine whether the revision contains the guilty commit
revision d823d21de698098dcac18023fcb3e1e546c54553 crashed and is reachable
testing commit 27b5bb7ea1a8fa7b8c4cfde4d2bf8650cca2e8e8 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 4e949edb9d0913142e01c9790aabfc55cede1c8e78fa57812923f529cf11d087
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 27b5bb7ea1a8fa7b8c4cfde4d2bf8650cca2e8e8
23c165dde88eac405eebb59051ea1fe139a45803 is the first bad commit
commit 23c165dde88eac405eebb59051ea1fe139a45803
Author: Victor Nogueira
Date: Mon Jul 7 18:08:01 2025 -0300

    net/sched: Abort __tc_modify_qdisc if parent class does not exist

    [ Upstream commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963 ]

    Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands:

    sudo tc qdisc add dev lo root handle a: htb default 2
    sudo tc qdisc add dev lo parent a: handle beef fq

    Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null.

    The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called.

    [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

    Fixes: 5e50da01d0ce ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs")
    Reported-by: syzbot+d8b58d7b0ad89a678a16@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/68663c93.a70a0220.5d25f.0857.GAE@google.com/
    Reported-by: syzbot+5eccb463fa89309d8bdc@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/68663c94.a70a0220.5d25f.0858.GAE@google.com/
    Reported-by: syzbot+1261670bbdefc5485a06@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0013.GAE@google.com/
    Reported-by: syzbot+15b96fc3aac35468fe77@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0014.GAE@google.com/
    Reported-by: syzbot+4dadc5aecf80324d5a51@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/68679e81.a70a0220.29cf51.0016.GAE@google.com/
    Acked-by: Jamal Hadi Salim
    Reviewed-by: Cong Wang
    Signed-off-by: Victor Nogueira
    Link: https://patch.msgid.link/20250707210801.372995-1-victor@mojatatu.com
    Signed-off-by: Jakub Kicinski
    Signed-off-by: Sasha Levin

 net/sched/sch_api.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

accumulated error probability: 0.00
culprit signature: 42478f9cda231688419c16db81c957cdf67891286f0bb975eee2f7fe405a0756
parent signature: 4e949edb9d0913142e01c9790aabfc55cede1c8e78fa57812923f529cf11d087
revisions tested: 18, total time: 4h29m19.749841361s (build: 1h53m4.239580462s, test: 2h28m39.688347609s)
first good commit: 23c165dde88eac405eebb59051ea1fe139a45803 net/sched: Abort __tc_modify_qdisc if parent class does not exist
recipients (to): ["jhs@mojatatu.com" "kuba@kernel.org" "sashal@kernel.org" "victor@mojatatu.com" "xiyou.wangcong@gmail.com"]
recipients (cc): []