bisecting cause commit starting from 7f376f1917d7461e05b648983e8d2aea9d0712b2 building syzkaller on 97183ed760478c5b970c8c549d99c8147a72e293 testing commit 7f376f1917d7461e05b648983e8d2aea9d0712b2 with gcc (GCC) 8.1.0 kernel signature: 2cf4fb5341f5a5057c66c70a10ff5652ad750bfb1405360af027aecf69b89d8d run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #8: crashed: INFO: task hung in reg_check_chans_work run #9: crashed: INFO: rcu detected stall in do_idle testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: ae997c81c8480492441e712d3c127e3da959156d4e937c464609e101fa84e28c run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #8: crashed: INFO: task hung in rtnetlink_rcv_msg run #9: crashed: INFO: rcu detected stall in ieee80211_iface_work testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: 564d400b258121a59fd078dbf7c8b7f09da4cfb1512f654dcb1a9f98d3676daf all runs: OK # git bisect start bbf5c979011a099af5dc76498918ed7df445635b bcf876870b95592b52519ed4aafcf9d95999bc9c Bisecting: 7841 revisions left to test after this (roughly 13 steps) [47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0 kernel signature: f3b447541a8c4c017140bb0e24f5e53d83684a740ec3e02c0aba23a1d38c7502 all runs: OK # git bisect good 47ec5303d73ea344e84f46660fff693c57641386 Bisecting: 3921 revisions left to test after this (roughly 12 steps) [97d052ea3fa853b9aabcc4baca1a605cb1188611] Merge tag 'locking-urgent-2020-08-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 97d052ea3fa853b9aabcc4baca1a605cb1188611 with gcc (GCC) 8.1.0 kernel signature: c70a25af86d434b2a85389f3625c7c37ed3a674f62dd94714ba4e8c121d51b90 all runs: OK # git bisect good 97d052ea3fa853b9aabcc4baca1a605cb1188611 Bisecting: 1960 revisions left to test after this (roughly 11 steps) [df561f6688fef775baa341a0f5d960becd248b11] treewide: Use fallthrough pseudo-keyword testing commit df561f6688fef775baa341a0f5d960becd248b11 with gcc (GCC) 8.1.0 kernel signature: efaf346ca07c460a2fe4c3fea5ceac128abd5c93e42169f765b0e391e7b02095 all runs: OK # git bisect good df561f6688fef775baa341a0f5d960becd248b11 Bisecting: 982 revisions left to test after this (roughly 10 steps) [e4c26faa426c17274884f759f708bc9ee22fd59a] Merge tag 'usb-5.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit e4c26faa426c17274884f759f708bc9ee22fd59a with gcc (GCC) 8.1.0 kernel signature: 21437caecffc1ad41f3c6c37e24a93546ca53dc27e9161986b5af255f3fae9e7 all runs: OK # git bisect good e4c26faa426c17274884f759f708bc9ee22fd59a Bisecting: 491 revisions left to test after this (roughly 9 steps) [135f4b9e9340dadb78e9737bb4eb9817b9c89dac] ice: fix memory leak if register_netdev_fails testing commit 135f4b9e9340dadb78e9737bb4eb9817b9c89dac with gcc (GCC) 8.1.0 kernel signature: 003f45b0821ba914adb3ab9dceddef4c613f09f01780ff6fd6d19efdf17cf6bd all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft # git bisect bad 135f4b9e9340dadb78e9737bb4eb9817b9c89dac Bisecting: 248 revisions left to test after this (roughly 8 steps) [a31128384dfd9ca11f15ef4ea73df25e394846d1] Merge tag 'libnvdimm-fixes-5.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm testing commit a31128384dfd9ca11f15ef4ea73df25e394846d1 with gcc (GCC) 8.1.0 kernel signature: 70eca80342e15daf0eaf21e98a5c4bad18c7cdf9fc86764fa23829b94f1f9483 all runs: OK # git bisect good a31128384dfd9ca11f15ef4ea73df25e394846d1 Bisecting: 124 revisions left to test after this (roughly 7 steps) [5f6857e808a8bd078296575b417c4b9d160b9779] nfp: use correct define to return NONE fec testing commit 5f6857e808a8bd078296575b417c4b9d160b9779 with gcc (GCC) 8.1.0 kernel signature: 3ae457162f641136a8367143db59344c73e7647911971a6351c1ce6e52713bd0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft # git bisect bad 5f6857e808a8bd078296575b417c4b9d160b9779 Bisecting: 61 revisions left to test after this (roughly 6 steps) [1be107de2ee4b3f0808e2071529364cf4d9a67b9] net: Correct the comment of dst_dev_put() testing commit 1be107de2ee4b3f0808e2071529364cf4d9a67b9 with gcc (GCC) 8.1.0 kernel signature: 763d660c2cbeb487af4ac565d68f409e07070cb775e4e6074e80f916d6459068 all runs: OK # git bisect good 1be107de2ee4b3f0808e2071529364cf4d9a67b9 Bisecting: 30 revisions left to test after this (roughly 5 steps) [ad7b27c9e64afce4ad69020329a3e89f6df4f382] Merge branch 'net-improve-vxlan-option-process-in-net_sched-and-lwtunnel' testing commit ad7b27c9e64afce4ad69020329a3e89f6df4f382 with gcc (GCC) 8.1.0 kernel signature: b2f48a83809af27623df9c3c895e93a09610c4c627c3d308f7cc7df8c5a63ea1 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft # git bisect bad ad7b27c9e64afce4ad69020329a3e89f6df4f382 Bisecting: 15 revisions left to test after this (roughly 4 steps) [53467ecb6f38d7cbd86359ff1c8958b8b568dc57] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue testing commit 53467ecb6f38d7cbd86359ff1c8958b8b568dc57 with gcc (GCC) 8.1.0 kernel signature: c04137fd153021bac2351f58917d121e942ed23bfb7f786648ea69da19d2a61d all runs: OK # git bisect good 53467ecb6f38d7cbd86359ff1c8958b8b568dc57 Bisecting: 7 revisions left to test after this (roughly 3 steps) [c582a7fea9dad4d309437d1a7e22e6d2cb380e2e] net: lantiq: Use napi_complete_done() testing commit c582a7fea9dad4d309437d1a7e22e6d2cb380e2e with gcc (GCC) 8.1.0 kernel signature: f5a19f949286a5f283e6d8b2d6ff12641ca1f94ad1fda69b96ce7a67d34ff1ea run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft run #9: crashed: INFO: rcu detected stall in corrupted # git bisect bad c582a7fea9dad4d309437d1a7e22e6d2cb380e2e Bisecting: 3 revisions left to test after this (roughly 2 steps) [5760d9acbe9514eec68eb70821d6fa5764f57042] net: ethernet: ti: cpsw_new: fix suspend/resume testing commit 5760d9acbe9514eec68eb70821d6fa5764f57042 with gcc (GCC) 8.1.0 kernel signature: 036c50b8bd6910ee96a7037f09ea927a48e72c046419587965582846170e42d3 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft # git bisect bad 5760d9acbe9514eec68eb70821d6fa5764f57042 Bisecting: 1 revision left to test after this (roughly 1 step) [a1b80e0143a1b878f8e21d82fd55f3f46f0014be] hinic: fix rewaking txq after netif_tx_disable testing commit a1b80e0143a1b878f8e21d82fd55f3f46f0014be with gcc (GCC) 8.1.0 kernel signature: 036c50b8bd6910ee96a7037f09ea927a48e72c046419587965582846170e42d3 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft # git bisect bad a1b80e0143a1b878f8e21d82fd55f3f46f0014be Bisecting: 0 revisions left to test after this (roughly 0 steps) [b5b73b26b3ca34574124ed7ae9c5ba8391a7f176] taprio: Fix allowing too small intervals testing commit b5b73b26b3ca34574124ed7ae9c5ba8391a7f176 with gcc (GCC) 8.1.0 kernel signature: 036c50b8bd6910ee96a7037f09ea927a48e72c046419587965582846170e42d3 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft # git bisect bad b5b73b26b3ca34574124ed7ae9c5ba8391a7f176 b5b73b26b3ca34574124ed7ae9c5ba8391a7f176 is the first bad commit commit b5b73b26b3ca34574124ed7ae9c5ba8391a7f176 Author: Vinicius Costa Gomes Date: Wed Sep 9 17:03:11 2020 -0700 taprio: Fix allowing too small intervals It's possible that the user specifies an interval that couldn't allow any packet to be transmitted. This also avoids the issue of the hrtimer handler starving the other threads because it's running too often. The solution is to reject interval sizes that according to the current link speed wouldn't allow any packet to be transmitted. Reported-by: syzbot+8267241609ae8c23b248@syzkaller.appspotmail.com Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") Signed-off-by: Vinicius Costa Gomes Signed-off-by: David S. Miller net/sched/sch_taprio.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) culprit signature: 036c50b8bd6910ee96a7037f09ea927a48e72c046419587965582846170e42d3 parent signature: c04137fd153021bac2351f58917d121e942ed23bfb7f786648ea69da19d2a61d revisions tested: 17, total time: 3h31m8.189586682s (build: 1h15m47.733391174s, test: 2h13m34.19876826s) first bad commit: b5b73b26b3ca34574124ed7ae9c5ba8391a7f176 taprio: Fix allowing too small intervals recipients (to): ["davem@davemloft.net" "davem@davemloft.net" "jhs@mojatatu.com" "jiri@resnulli.us" "kuba@kernel.org" "netdev@vger.kernel.org" "vinicius.gomes@intel.com" "xiyou.wangcong@gmail.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: BUG: unable to handle kernel NULL pointer dereference in taprio_dequeue_soft BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 4880 Comm: systemd-udevd Not tainted 5.9.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:taprio_dequeue_soft+0xa7/0x2d0 net/sched/sch_taprio.c:544 Code: 45 8b 74 24 28 45 85 f6 0f 84 0d 01 00 00 41 8b 85 08 04 00 00 45 31 ff 85 c0 0f 84 fb 00 00 00 48 8b 93 c0 02 00 00 49 63 c7 <48> 8b 3c c2 48 85 ff 48 89 7d d0 0f 84 cf 00 00 00 f6 83 d0 02 00 RSP: 0018:ffffc90000003eb0 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88811d375800 RCX: ffff888134d10000 RDX: 0000000000000000 RSI: ffffffff84b0eea0 RDI: ffff888134d10960 RBP: ffffc90000003ee8 R08: 0000000000000001 R09: 0000000000000000 R10: ffff888134d10000 R11: 0000000000000246 R12: ffff88811ba85640 R13: ffff88811e4b3000 R14: 0000000000000401 R15: 0000000000000000 FS: 00007faf87c568c0(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000133515000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: dequeue_skb net/sched/sch_generic.c:263 [inline] qdisc_restart net/sched/sch_generic.c:366 [inline] __qdisc_run+0x75/0x5d0 net/sched/sch_generic.c:384 qdisc_run include/net/pkt_sched.h:134 [inline] net_tx_action+0x18d/0x430 net/core/dev.c:4899 __do_softirq+0xd8/0x579 kernel/softirq.c:298 asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:706 __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline] do_softirq_own_stack+0x73/0x90 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0xbb/0xe0 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x57/0xe0 arch/x86/kernel/apic/apic.c:1091 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:581 RIP: 0010:tomoyo_domain_quota_is_ok+0x39/0xe0 security/tomoyo/util.c:1037 Code: 67 10 4d 85 e4 0f 84 82 00 00 00 49 8b 74 24 10 4d 8d 44 24 10 31 db 49 39 f0 75 0a eb 42 48 8b 36 4c 39 c6 74 3a 80 7e 18 00 <75> f2 80 7e 19 08 77 6f 0f b6 46 19 ff 24 c5 48 60 b8 83 0f b6 56 RSP: 0018:ffffc90000d83b50 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 000000000000001f RCX: 0000000000000010 RDX: 0000000000000022 RSI: ffff88813354b580 RDI: ffffc90000d83cc8 RBP: ffffc90000d83c58 R08: ffff888134d4b0d0 R09: 0000000000000000 R10: ffffc90000d83b85 R11: 0000000000000046 R12: ffff888134d4b0c0 R13: ffffffff84525600 R14: 0000000000000000 R15: 0000000000000001 tomoyo_supervisor+0x125/0x620 security/tomoyo/common.c:2089 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline] tomoyo_path_permission+0x91/0xd0 security/tomoyo/file.c:587 tomoyo_path_perm+0x196/0x260 security/tomoyo/file.c:838 security_inode_getattr+0x25/0x40 security/security.c:1278 vfs_getattr+0x17/0x40 fs/stat.c:121 vfs_statx+0x8c/0x110 fs/stat.c:206 vfs_lstat include/linux/fs.h:3178 [inline] __do_sys_newlstat+0x39/0x70 fs/stat.c:374 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7faf86ac9335 Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89 RSP: 002b:00007ffe55398b08 EFLAGS: 00000246 ORIG_RAX: 0000000000000006 RAX: ffffffffffffffda RBX: 000055bde49f2b80 RCX: 00007faf86ac9335 RDX: 00007ffe55398b40 RSI: 00007ffe55398b40 RDI: 000055bde49f1b80 RBP: 00007ffe55398c00 R08: 00007faf86d88198 R09: 0000000000001010 R10: 0000000000000020 R11: 0000000000000246 R12: 000055bde49f1b80 R13: 000055bde49f1ba7 R14: 000055bde49e2581 R15: 000055bde49e2587 Modules linked in: CR2: 0000000000000000 ---[ end trace 20ef2161079893e1 ]--- RIP: 0010:taprio_dequeue_soft+0xa7/0x2d0 net/sched/sch_taprio.c:544 Code: 45 8b 74 24 28 45 85 f6 0f 84 0d 01 00 00 41 8b 85 08 04 00 00 45 31 ff 85 c0 0f 84 fb 00 00 00 48 8b 93 c0 02 00 00 49 63 c7 <48> 8b 3c c2 48 85 ff 48 89 7d d0 0f 84 cf 00 00 00 f6 83 d0 02 00 RSP: 0018:ffffc90000003eb0 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88811d375800 RCX: ffff888134d10000 RDX: 0000000000000000 RSI: ffffffff84b0eea0 RDI: ffff888134d10960 RBP: ffffc90000003ee8 R08: 0000000000000001 R09: 0000000000000000 R10: ffff888134d10000 R11: 0000000000000246 R12: ffff88811ba85640 R13: ffff88811e4b3000 R14: 0000000000000401 R15: 0000000000000000 FS: 00007faf87c568c0(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000133515000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400