ci2 starts bisection 2025-08-21 16:45:03.226370522 +0000 UTC m=+12033.501334884
bisecting fixing commit since 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6
building syzkaller on 124ec9cc22064a93e87c29fb9f4fd7dc51f98195
ensuring issue is reproducible on original commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0ba74e4f6d476d837f23566b7e92823422edcf8bb40aa1b31a3d6d6b08ace2e6
all runs: crashed: general protection fault in qdisc_tree_reduce_backlog
representative crash: general protection fault in qdisc_tree_reduce_backlog, types: [DoS]
check whether we can drop unnecessary instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan locking], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0530b7ec58533df068b038d032cf68675e6b0b85451666a7eef8654e1be71af5
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the bug reproduces without the instrumentation
disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
kconfig minimization: base=4921 full=6219 leaves diff=255
split chunks (needed=false): <255>
split chunk #0 of len 255 into 5 parts
testing without sub-chunk 1/5
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan locking], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fb96a62c552a6b3b2d44866c1ba9346c190e08027ca752bde2802f6cbe00e59a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep hang], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ed6fef084a52777394e2c8c23f83b4de085a72cc8e2b6a70e337f04dd90e799f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep hang], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f6723bcf9144602133205463c302a7aa8093bd0914de879f833bf1ca1216f7a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [kasan locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c8aa31ea42f27cc521a91dc3e7987044562d80c1e704abfb969818b5cc8d11f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [hang memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
failed building 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6: net/socket.c:1191: undefined reference to `wext_handle_ioctl'
net/socket.c:3390: undefined reference to `compat_wext_handle_ioctl'
net/core/net-procfs.c:343: undefined reference to `wext_proc_exit'
net/core/net-procfs.c:327: undefined reference to `wext_proc_init'
minimized to 51 configs; suspects: [HID_ZEROPLUS USB_LINK_LAYER_TEST USB_MON USB_NET_CDC_MBIM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_DM9601 USB_NET_GL620A USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_RNDIS_HOST USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD USB_OHCI_HCD_PCI USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_PRINTER USB_SERIAL USB_SERIAL_FTDI_SIO USB_SERIAL_GENERIC USB_SERIAL_PL2303 USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_TRANCEVIBRATOR USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_WDM USB_XHCI_PCI_RENESAS WLAN WLAN_VENDOR_ATH WLAN_VENDOR_ATMEL WLAN_VENDOR_BROADCOM WLAN_VENDOR_INTERSIL WLAN_VENDOR_MARVELL WLAN_VENDOR_MEDIATEK WLAN_VENDOR_MICROCHIP WLAN_VENDOR_RALINK WLAN_VENDOR_REALTEK WLAN_VENDOR_RSI WLAN_VENDOR_ZYDAS ZEROPLUS_FF]
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning kasan locking], they are not needed
testing current HEAD f32b52534f1d4df1fc1a6afe6cf4639adebf8a63
testing commit f32b52534f1d4df1fc1a6afe6cf4639adebf8a63 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ee47d5e1a828838d7487aef6521144e4f7c76154e9f5665b18c1cdf9591223fc
all runs: OK
false negative chance: 0.000
# git bisect start f32b52534f1d4df1fc1a6afe6cf4639adebf8a63 6b619c45dff59b8fb5abd7fa7758fb234aa06fc6
Bisecting: 45 revisions left to test after this (roughly 6 steps)
[9a433cd87236ce79b09cce01dc195cb5806d9b3b] Input: xpad - support Acer NGR 200 Controller
determine whether the revision contains the guilty commit
checking the merge base 89950c4542652dfe435f9519a5080f7d2128764c
no existing result, test the revision
testing commit 89950c4542652dfe435f9519a5080f7d2128764c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4985e89d6a0d64e7a5e41d3471bbb30177e9662bbc4079403da8676ad4d2ac16
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
testing commit 9a433cd87236ce79b09cce01dc195cb5806d9b3b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ede13b3f943d5d21a22944fd7eda4ae1fcf8eeb632b2065ecdc7d31f07fb33b2
all runs: OK
false negative chance: 0.000
# git bisect bad 9a433cd87236ce79b09cce01dc195cb5806d9b3b
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[2499fa286fb010ceb289950050199f33c26667b9] aoe: avoid potential deadlock at set_capacity
determine whether the revision contains the guilty commit
revision 89950c4542652dfe435f9519a5080f7d2128764c crashed and is reachable
testing commit 2499fa286fb010ceb289950050199f33c26667b9 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3e71ccb8dbda12500c11e4edc8d5fb059be560e90c416ec74bec762e20c2cb5c
all runs: OK
false negative chance: 0.000
# git bisect bad 2499fa286fb010ceb289950050199f33c26667b9
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[66f9065c1c7d911e00df2e09d34d29799af0274c] net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
determine whether the revision contains the guilty commit
revision 89950c4542652dfe435f9519a5080f7d2128764c crashed and is reachable
testing commit 66f9065c1c7d911e00df2e09d34d29799af0274c gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 41e0b901862430c13283a1e30d5dfc0891a8f5b9cfa570cde86336d107ef9e74
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 66f9065c1c7d911e00df2e09d34d29799af0274c
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[25452638f133ac19d75af3f928327d8016952c8e] net/sched: Abort __tc_modify_qdisc if parent class does not exist
determine whether the revision contains the guilty commit
revision 66f9065c1c7d911e00df2e09d34d29799af0274c crashed and is reachable
testing commit 25452638f133ac19d75af3f928327d8016952c8e gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f143e29bec21bbe18427f9f2a4b383ecfbd3ca4e2080b4ffd45bb52401ca693a
all runs: OK
false negative chance: 0.000
# git bisect bad 25452638f133ac19d75af3f928327d8016952c8e
Bisecting: 2 revisions left to test after this (roughly 1 step)
[1c075e88d5859a2c6b43b27e0e46fb281cef8039] atm: clip: Fix memory leak of struct clip_vcc.
determine whether the revision contains the guilty commit
revision 89950c4542652dfe435f9519a5080f7d2128764c crashed and is reachable
testing commit 1c075e88d5859a2c6b43b27e0e46fb281cef8039 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 16f44df11e1772bb9e5e04f10e438bd70c612ffabbce23ded405b760f76a3c6c
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 1c075e88d5859a2c6b43b27e0e46fb281cef8039
Bisecting: 0 revisions left to test after this (roughly 1 step)
[7f1cad84ac1a6af42d9d57e879de47ce37995024] atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
determine whether the revision contains the guilty commit
revision 1c075e88d5859a2c6b43b27e0e46fb281cef8039 crashed and is reachable
testing commit 7f1cad84ac1a6af42d9d57e879de47ce37995024 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5e112583113581a0d78ad74e610ca4335e2bc164d37990bd9ab92ff4c241e895
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog
representative crash: BUG: unable to handle kernel NULL pointer dereference in qdisc_tree_reduce_backlog, types: [NULL-POINTER-DEREFERENCE]
# git bisect good 7f1cad84ac1a6af42d9d57e879de47ce37995024
25452638f133ac19d75af3f928327d8016952c8e is the first bad commit
commit 25452638f133ac19d75af3f928327d8016952c8e
Author: Victor Nogueira
Date: Mon Jul 7 18:08:01 2025 -0300

    net/sched: Abort __tc_modify_qdisc if parent class does not exist

    [ Upstream commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963 ]

    Lion's patch [1] revealed an ancient bug in the qdisc API.
    Whenever a user creates/modifies a qdisc specifying as a parent another
    qdisc, the qdisc API will, during grafting, detect that the user is
    not trying to attach to a class and reject. However grafting is
    performed after qdisc_create (and thus the qdiscs' init callback) is
    executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
    during init or change (such as fq, hhf, choke, etc), an issue
    arises. For example, executing the following commands:

    sudo tc qdisc add dev lo root handle a: htb default 2
    sudo tc qdisc add dev lo parent a: handle beef fq

    Qdiscs such as fq, hhf, choke, etc unconditionally invoke
    qdisc_tree_reduce_backlog() in their control path init() or change() which
    then causes a failure to find the child class; however, that does not stop
    the unconditional invocation of the assumed child qdisc's qlen_notify with
    a null class. All these qdiscs make the assumption that class is non-null.

    The solution is ensure that qdisc_leaf() which looks up the parent
    class, and is invoked prior to qdisc_create(), should return failure on
    not finding the class.
    In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
    parentid doesn't correspond to a class, so that we can detect it
    earlier on and abort before qdisc_create is called.

    [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

    Fixes: 5e50da01d0ce ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs")
    Reported-by: syzbot+d8b58d7b0ad89a678a16@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/68663c93.a70a0220.5d25f.0857.GAE@google.com/
    Reported-by: syzbot+5eccb463fa89309d8bdc@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/68663c94.a70a0220.5d25f.0858.GAE@google.com/
    Reported-by: syzbot+1261670bbdefc5485a06@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0013.GAE@google.com/
    Reported-by: syzbot+15b96fc3aac35468fe77@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0014.GAE@google.com/
    Reported-by: syzbot+4dadc5aecf80324d5a51@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/68679e81.a70a0220.29cf51.0016.GAE@google.com/
    Acked-by: Jamal Hadi Salim
    Reviewed-by: Cong Wang
    Signed-off-by: Victor Nogueira
    Link: https://patch.msgid.link/20250707210801.372995-1-victor@mojatatu.com
    Signed-off-by: Jakub Kicinski
    Signed-off-by: Sasha Levin

 net/sched/sch_api.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

accumulated error probability: 0.00
culprit signature: f143e29bec21bbe18427f9f2a4b383ecfbd3ca4e2080b4ffd45bb52401ca693a
parent signature: 5e112583113581a0d78ad74e610ca4335e2bc164d37990bd9ab92ff4c241e895
revisions tested: 14, total time: 4h30m17.065743063s (build: 2h33m49.469471067s, test: 1h50m14.624345818s)
first good commit: 25452638f133ac19d75af3f928327d8016952c8e net/sched: Abort __tc_modify_qdisc if parent class does not exist
recipients (to): ["jhs@mojatatu.com" "kuba@kernel.org" "sashal@kernel.org" "victor@mojatatu.com" "xiyou.wangcong@gmail.com"]
recipients (cc): []