Re: [syzbot] [net?] WARNING in qdisc_tree_reduce_backlog (2)

[Jiayuan Chen <jiayuan.chen@linux.dev>]

On 5/11/26 2:23 PM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    5862221fdded Merge tag 'parisc-for-7.1-rc3' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12a4bb26580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f2e8ebfec4636d32
> dashboard link: https://syzkaller.appspot.com/bug?extid=9744ccaabe337c6fb123
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/cd9aba7e59bf/disk-5862221f.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/29af9d57e9af/vmlinux-5862221f.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/02749594fd1e/bzImage-5862221f.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9744ccaabe337c6fb123@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> parentid != TC_H_ROOT
> WARNING: net/sched/sch_api.c:797 at qdisc_tree_reduce_backlog+0x3d9/0x480 net/sched/sch_api.c:797, CPU#1: ktimers/1/29
> Modules linked in:
> CPU: 1 UID: 0 PID: 29 Comm: ktimers/1 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}
> Tainted: [L]=SOFTLOCKUP
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
> RIP: 0010:qdisc_tree_reduce_backlog+0x3d9/0x480 net/sched/sch_api.c:797
> Code: ff ff 4c 89 ef e8 b7 85 12 f9 e9 42 ff ff ff e8 4d 7c ab f8 eb 17 e8 46 7c ab f8 eb 10 e8 3f 7c ab f8 eb 09 e8 38 7c ab f8 90 <0f> 0b 90 e8 7f 72 03 02 89 c3 31 ff 89 c6 e8 d4 80 ab f8 85 db 74
> RSP: 0018:ffffc90000a3f768 EFLAGS: 00010246
> RAX: ffffffff8918f818 RBX: 0000000000000008 RCX: ffff88801daa3d80
> RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000100
> RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000100
> R10: 0000000000000100 R11: 00000000ffffffff R12: 00000000000affe0
> R13: dffffc0000000000 R14: ffffc90000a3f8e0 R15: ffff88803d0a7800
> FS:  0000000000000000(0000) GS:ffff888126279000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055558bcbda38 CR3: 00000000403d8000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000003e4f
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Call Trace:
>   <TASK>
>   sfq_rehash net/sched/sch_sfq.c:598 [inline]
>   sfq_perturbation+0x205d/0x22d0 net/sched/sch_sfq.c:615
>   call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
>   expire_timers kernel/time/timer.c:1799 [inline]
>   __run_timers kernel/time/timer.c:2374 [inline]
>   __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386
>   run_timer_base kernel/time/timer.c:2395 [inline]
>   run_timer_softirq+0x103/0x170 kernel/time/timer.c:2406
>   handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
>   __do_softirq kernel/softirq.c:656 [inline]
>   run_ktimerd+0x69/0x100 kernel/softirq.c:1151
>   smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
>   kthread+0x388/0x470 kernel/kthread.c:436
>   ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
>   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>   </TASK>


I think the issue is that before commit 47e8dbb6e763 ("net/sched: do not 
reset queues in graft operations"),
dev_deactivate() reset the per-tx-queue of lower leaf qdiscs (including 
any sfq) before dev->qdisc was swapped.

After 47e8dbb6e763, dev_deactivate(dev, false) skips that reset. The 
leaf will be drained much later, inside __qdisc_destroy(leaf).
But the timer sfq_perturbation may be fired between 
rcu_assign_pointer(dev->qdisc, new) and __qdisc_destroy, and dev->qdisc 
already
points at the new root.

May be the simplest way is adding test_bit(__QDISC_STATE_DEACTIVATED, 
&sch->state) at the start of sfq_perturbation.