ci starts bisection 2025-07-04 08:42:43.145565135 +0000 UTC m=+33078.442125366
bisecting cause commit starting from 17bbde2e1716e2ee4b997d476b48ae85c5a47671
building syzkaller on 76ad128ce0cb38f6fb253e8afcc22a3205a506ca
ensuring issue is reproducible on original commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671

testing commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8725c0a15b80912e3e7b94c907271ce6deefb9827d782ddaf4f5e071064b5d7c
all runs: crashed: general protection fault in drr_qlen_notify
representative crash: general protection fault in drr_qlen_notify, types: [DoS]
check whether we can drop unnecessary instrumentation
disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f923085cd8b1a36c8f6772d3110ca594f5e69b49c0e0d1eef80b56fcd191ab2e
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
the bug reproduces without the instrumentation
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep hang], they are not needed
kconfig minimization: base=4089 full=8352 leaves diff=2122
split chunks (needed=false): <2122>
split chunk #0 of len 2122 into 5 parts
testing without sub-chunk 1/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3483ef7e914a69a6f0a71f5d4abe62ae243f46a8ef5fc94e37e9dbe8d47077a7
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7681fade89c974fe91d77f12c599050c4a008f9e34c0dab1d4a3af51c2b8b2d8
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep hang memleak], they are not needed
testing commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f91e97b26cd22576b696f474bbb9122c9c58153fea7978f5d854fdaf0690d19a
all runs: OK
false negative chance: 0.000
testing without sub-chunk 4/5
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep hang], they are not needed
testing commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f03c0fbf610e05896d536250533a0a67aa8fa0e73be5c58b2f9c48ab3aee0ad
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan locking], they are not needed
testing commit 17bbde2e1716e2ee4b997d476b48ae85c5a47671
gcc compiler: gcc (Debian
12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b4ec3d4743d9c8993ff0a1804eee0bf782175546e06a3169df173dc7ce741597
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
the chunk can be dropped
minimized to 425 configs
disabling configs for [bug_or_warning kasan locking atomic_sleep hang memleak ubsan], they are not needed
picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags
testing release v6.15
testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ec9ead187a12da4d69a58ab6c69e3786a117ff419982b9d63265d8a2899a4287
all runs: OK
false negative chance: 0.000
# git bisect start 17bbde2e1716e2ee4b997d476b48ae85c5a47671 0ff41df1cb268fc69e703a08a57ee14ae967d0ca
Bisecting: 7265 revisions left to test after this (roughly 13 steps)
[1b98f357dadd6ea613a435fbaef1a5dd7b35fd21] Merge tag 'net-next-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7982cb8454ea9a4ad0dd693cfb89b307d3d835a3ded86d38ab27634ce1906a69
all runs: OK
false negative chance: 0.000
# git bisect good 1b98f357dadd6ea613a435fbaef1a5dd7b35fd21
Bisecting: 3609 revisions left to test after this (roughly 12 steps)
[76c21d225469780a005140037b6248e648f41ae4] Merge tag 'hwmon-for-v6.16'
of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
testing commit 76c21d225469780a005140037b6248e648f41ae4
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 34623b66c5fe281ba7273dd14db093c0e8558fafed409e845161b0fd7c77cfff
run #0: ignore: lost connection to test machine
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect good 76c21d225469780a005140037b6248e648f41ae4
Bisecting: 1690 revisions left to test after this (roughly 11 steps)
[c26f4fbd58375bd6ef74f95eb73d61762ad97c59] Merge tag 'char-misc-6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
testing commit c26f4fbd58375bd6ef74f95eb73d61762ad97c59
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b4b53618e1a1c8e4bee7a77278cb1e0bc681291c758ae9c2c1fac40f2206766b
all runs: OK
false negative chance: 0.000
# git bisect good c26f4fbd58375bd6ef74f95eb73d61762ad97c59
Bisecting: 843 revisions left to test after this (roughly 10 steps)
[f713ffa3639cd57673754a5e83aedebf50dce332] Merge tag 'block-6.16-20250614' of git://git.kernel.dk/linux
testing commit f713ffa3639cd57673754a5e83aedebf50dce332
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e8a3e44b56c8aa88be0f69ecf660590c53eb46e8594c0957628c81a761abdca0
all runs: OK
false negative chance: 0.000
# git bisect good f713ffa3639cd57673754a5e83aedebf50dce332
Bisecting: 418 revisions left to test after this (roughly 9 steps)
[5ca7fe213ba3113dde19c4cd46347c16d9e69f81] Merge tag 'for-6.16-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit 5ca7fe213ba3113dde19c4cd46347c16d9e69f81
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1623a8b0f583c4e30510d6193a512e2f56f3ed64e1f1d4d43806f5d8c5240840
run #0: ignore: lost connection to test machine
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
false negative chance: 0.000
# git bisect good 5ca7fe213ba3113dde19c4cd46347c16d9e69f81
Bisecting: 212 revisions left to test after this (roughly 8 steps)
[26fd9f7b7ff3794c5de0e6ae538cead53118b4c3] Merge tag 'cxl-fixes-6.16-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl
testing commit 26fd9f7b7ff3794c5de0e6ae538cead53118b4c3
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d2b4b26b72b7de985dba25c7ca639a94a78b3e158d7a6bb4be296e7217389f3d
all runs: OK
false negative chance: 0.000
# git bisect good 26fd9f7b7ff3794c5de0e6ae538cead53118b4c3
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af] Linux 6.16-rc4
testing commit d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6631ae28eb65f329a6e7699e16bd6f48960b9b1cbc2035758cb83248a79a8ab8
all runs: OK
false negative chance: 0.000
# git bisect good d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[b4911fb0b060899e4eebca0151eb56deb86921ec] Merge tag 'mmc-v6.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc
testing commit b4911fb0b060899e4eebca0151eb56deb86921ec
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c1aa52bf09891095e372592bf97ad9f80642d6a7d8a75f6b44272db08856b67
all runs: OK
false negative chance: 0.000
# git bisect good b4911fb0b060899e4eebca0151eb56deb86921ec
Bisecting: 29 revisions left to test after this (roughly 5 steps)
[315dbdd7cdf6aa533829774caaf4d25f1fd20e73] virtio-net: ensure the received length does not exceed allocated size
testing commit 315dbdd7cdf6aa533829774caaf4d25f1fd20e73
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 38594864ae07099281138eede36dd87278fb436c234b7b6cf87495f3e6f32d2b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
# git bisect bad 315dbdd7cdf6aa533829774caaf4d25f1fd20e73
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[72fb83735c71e3f6f025ab7f5dbfec7c9e26b6cc] Merge tag 'for-net-2025-06-27' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
testing commit 72fb83735c71e3f6f025ab7f5dbfec7c9e26b6cc
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5976bdba80adaabe91bd5a69e9060cef98b1bfa03be5aab7b0f059e8dd9064cf
all runs: OK
false negative chance: 0.000
# git bisect good 72fb83735c71e3f6f025ab7f5dbfec7c9e26b6cc
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[16ceda2ef683a50cd0783006c0504e1931cd8879] amd-xgbe: do not double read link status
testing commit 16ceda2ef683a50cd0783006c0504e1931cd8879
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 42ddbd2334479cd8c2ca42dde8907bad62c13535ef70673e7698b13ceb50bed4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
# git bisect bad 16ceda2ef683a50cd0783006c0504e1931cd8879
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[aaf2b2480375099c022a82023e1cd772bf1c6a5d] enic: fix incorrect MTU comparison in enic_change_mtu()
testing commit aaf2b2480375099c022a82023e1cd772bf1c6a5d
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 081b889433cea945c35fbe47f13b42af1b4f6bf6f8a747026434b3b3a287378c
all runs: OK
false negative chance: 0.000
# git bisect good aaf2b2480375099c022a82023e1cd772bf1c6a5d
Bisecting: 1 revision left to test after this (roughly 1 step)
[561aa0e22b70a5e7246b73d62a824b3aef3fc375] nui: Fix dma_mapping_error() check
testing commit 561aa0e22b70a5e7246b73d62a824b3aef3fc375
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9ee448245abb5de8bb4eda0269c641a9275348885198b9058e38b37df07cfe7c
all runs: OK
false negative chance: 0.000
# git bisect good 561aa0e22b70a5e7246b73d62a824b3aef3fc375
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[103406b38c600fec1fe375a77b27d87e314aea09] net/sched: Always pass notifications when child class becomes empty
testing commit 103406b38c600fec1fe375a77b27d87e314aea09
gcc compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 758d72efd7d3c52344d20bae2a11ee7d0ba8f25f85cd187ae84042c77f21811b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
representative crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify, types: [UNKNOWN]
# git bisect bad 103406b38c600fec1fe375a77b27d87e314aea09
103406b38c600fec1fe375a77b27d87e314aea09 is the first bad commit
commit 103406b38c600fec1fe375a77b27d87e314aea09
Author: Lion Ackermann
Date:   Mon Jun 30 15:27:30 2025 +0200

    net/sched: Always pass notifications when child class becomes empty

    Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.

    The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:

        tc qdisc add dev lo root handle 1: drr
        tc filter add dev lo parent 1: basic classid 1:1
        tc class add dev lo parent 1: classid 1:1 drr
        tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
        tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
        tc qdisc add dev lo parent 2:1 handle 3: netem
        tc qdisc add dev lo parent 3:1 handle 4: blackhole

        echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
        tc class delete dev lo classid 1:1
        echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888

    Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.

    Fixes: 3f981138109f ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()")
    Signed-off-by: Lion Ackermann
    Reviewed-by: Jamal Hadi Salim
    Acked-by: Cong Wang
    Acked-by: Jamal Hadi Salim
    Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com
    Signed-off-by: Jakub Kicinski

 net/sched/sch_api.c | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

accumulated error probability: 0.00
culprit signature: 758d72efd7d3c52344d20bae2a11ee7d0ba8f25f85cd187ae84042c77f21811b
parent signature: 9ee448245abb5de8bb4eda0269c641a9275348885198b9058e38b37df07cfe7c
revisions tested: 22, total time: 8h46m41.758910058s (build: 5h47m45.982203329s, test: 2h27m27.27561439s)
first bad commit: 103406b38c600fec1fe375a77b27d87e314aea09 net/sched: Always pass notifications when child class becomes empty
recipients (to): ["jhs@mojatatu.com" "kuba@kernel.org" "nnamrec@gmail.com" "xiyou.wangcong@gmail.com"]
recipients (cc): []

crash: BUG: unable to handle kernel NULL pointer dereference in drr_qlen_notify
BUG: kernel NULL pointer dereference, address: 0000000000000050
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1165db067 P4D 1165db067 PUD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 4812 Comm: syz.2.16 Not tainted 6.16.0-rc3-syzkaller #0 PREEMPT(undef)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:__list_del_entry_valid_or_report+0x8/0x100 lib/list_debug.c:50
Code: ff 90 0f 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 54 55 53 <48> 8b 2f 48 89 fb 4c 8b 67 08 48 85 ed 74 41 4d 85 e4 74 4e 48 b8
RSP: 0018:ffffc90001aa77e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8280198d
RDX: ffff88811a378000 RSI: ffffffff82800d94 RDI: 0000000000000050
RBP: 00000000000a0000 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000000a0000 R11: 00000000c002eb3c R12: 0000000000000050
R13: 0000000000000000 R14: ffff888123dcd000 R15: 0000000000000000
FS: 00007fb700b7f6c0(0000) GS:ffff8882b2c40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000050 CR3: 0000000120ce7000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 drr_qlen_notify+0x1c/0x60 net/sched/sch_drr.c:238
 qdisc_tree_reduce_backlog+0xbc/0x1d0 net/sched/sch_api.c:811
 pie_change+0x2e5/0x3a0 net/sched/sch_pie.c:204
 pie_init+0x10b/0x150 net/sched/sch_pie.c:456
 qdisc_create+0x1f9/0x770 net/sched/sch_api.c:1324
 __tc_modify_qdisc net/sched/sch_api.c:1749 [inline]
 tc_modify_qdisc+0x6c8/0xec0 net/sched/sch_api.c:1813
 rtnetlink_rcv_msg+0x26f/0x6d0 net/core/rtnetlink.c:6953
 netlink_rcv_skb+0x93/0x1d0 net/netlink/af_netlink.c:2534
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x42c/0x550 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x335/0x6a0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg net/socket.c:727 [inline]
 ____sys_sendmsg+0x508/0x540 net/socket.c:2566
 ___sys_sendmsg+0xc8/0x130 net/socket.c:2620
 __sys_sendmsg+0xc7/0x140 net/socket.c:2652
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x310 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb70110e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb700b7f038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fb701335fa0 RCX: 00007fb70110e929
RDX: 0000000000004000 RSI: 0000200000000280 RDI: 0000000000000006
RBP: 00007fb701190b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fb701335fa0 R15: 00007fff73909588
Modules linked in:
CR2: 0000000000000050
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x8/0x100 lib/list_debug.c:50
Code: ff 90 0f 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 54 55 53 <48> 8b 2f 48 89 fb 4c 8b 67 08 48 85 ed 74 41 4d 85 e4 74 4e 48 b8
RSP: 0018:ffffc90001aa77e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8280198d
RDX: ffff88811a378000 RSI: ffffffff82800d94 RDI: 0000000000000050
RBP: 00000000000a0000 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000000a0000 R11: 00000000c002eb3c R12: 0000000000000050
R13: 0000000000000000 R14: ffff888123dcd000 R15: 0000000000000000
FS: 00007fb700b7f6c0(0000) GS:ffff8882b2c40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000050 CR3: 0000000120ce7000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: ff 90 0f 0b 66 66       call *0x66660b0f(%rax)
   6: 2e 0f 1f 84 00 00 00    cs nopl 0x0(%rax,%rax,1)
   d: 00 00
   f: 0f 1f 00                nopl (%rax)
  12: 90                      nop
  13: 90                      nop
  14: 90                      nop
  15: 90                      nop
  16: 90                      nop
  17: 90                      nop
  18: 90                      nop
  19: 90                      nop
  1a: 90                      nop
  1b: 90                      nop
  1c: 90                      nop
  1d: 90                      nop
  1e: 90                      nop
  1f: 90                      nop
  20: 90                      nop
  21: 90                      nop
  22: f3 0f 1e fa             endbr64
  26: 41 54                   push %r12
  28: 55                      push %rbp
  29: 53                      push %rbx
* 2a: 48 8b 2f                mov (%rdi),%rbp <-- trapping instruction
  2d: 48 89 fb                mov %rdi,%rbx
  30: 4c 8b 67 08             mov 0x8(%rdi),%r12
  34: 48 85 ed                test %rbp,%rbp
  37: 74 41                   je 0x7a
  39: 4d 85 e4                test %r12,%r12
  3c: 74 4e                   je 0x8c
  3e: 48                      rex.W
  3f: b8                      .byte 0xb8