bisecting cause commit starting from e4fb79c771fbe2e6fcb3cffa87d5823a9bbf3f10
building syzkaller on 92390980c13f2571a66bfdca5802d55b137f0ccc
testing commit e4fb79c771fbe2e6fcb3cffa87d5823a9bbf3f10 with gcc (GCC) 8.1.0
kernel signature: 53a7c83e24da4dbdbe27bdf833110b2385a3109ae0f46f40dfe8239c58b09cef
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: a63db54334688df37851a26a695d92f594b39c4d2b861a43cc1b0c8653b19e0a
all runs: OK
# git bisect start e4fb79c771fbe2e6fcb3cffa87d5823a9bbf3f10 bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 15077 revisions left to test after this (roughly 14 steps)
[e4c26faa426c17274884f759f708bc9ee22fd59a] Merge tag 'usb-5.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit e4c26faa426c17274884f759f708bc9ee22fd59a with gcc (GCC) 8.1.0
kernel signature: b297a4962775d8dda365f0904239254a881c06f18a54483d0082f705494abaf3
all runs: OK
# git bisect good e4c26faa426c17274884f759f708bc9ee22fd59a
Bisecting: 7144 revisions left to test after this (roughly 13 steps)
[5641b9b83dcbb2a6ba0b6ab3af4f9fdde9b51e2a] Merge remote-tracking branch 'net-next/master' into master
testing commit 5641b9b83dcbb2a6ba0b6ab3af4f9fdde9b51e2a with gcc (GCC) 8.1.0
kernel signature: 90c0ff105c27b1bed8e0a4b2a4f03f0c48d567af702fb2280a456a5562870839
all runs: OK
# git bisect good 5641b9b83dcbb2a6ba0b6ab3af4f9fdde9b51e2a
Bisecting: 3712 revisions left to test after this (roughly 12 steps)
[2e0875030433296633cddf8af18268a6c46627ca] Merge remote-tracking branch 'spi/for-next' into master
testing commit 2e0875030433296633cddf8af18268a6c46627ca with gcc (GCC) 8.1.0
kernel signature: d3b3655aef652f6222b2653f9479fcd5513e34ea8bdb43339237768f5c2322da
all runs: OK
# git bisect good 2e0875030433296633cddf8af18268a6c46627ca
Bisecting: 1712 revisions left to test after this (roughly 11 steps)
[c7834d999d3f2e6d3c2829d55e17fb5e07e38242] Merge remote-tracking branch 'char-misc/char-misc-next' into master
testing commit c7834d999d3f2e6d3c2829d55e17fb5e07e38242 with gcc (GCC) 8.1.0
kernel signature: 20d029946cbde94d9d408f0261667d0890b25e14b49f73a74c53231cdc3448a8
all runs: OK
# git bisect good c7834d999d3f2e6d3c2829d55e17fb5e07e38242
Bisecting: 857 revisions left to test after this (roughly 10 steps)
[8ae2f3f250e08637f3ce120293ba05b35f4cd089] Merge remote-tracking branch 'scsi-mkp/for-next' into master
testing commit 8ae2f3f250e08637f3ce120293ba05b35f4cd089 with gcc (GCC) 8.1.0
kernel signature: 2b5139b5090aaeb26e3014a61503c9043474e6006a42b5a18f6bf4d16bee2133
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
# git bisect bad 8ae2f3f250e08637f3ce120293ba05b35f4cd089
Bisecting: 427 revisions left to test after this (roughly 9 steps)
[c8283ba8e28c6863d0b8703a4e567d6555c43ac2] iio: buffer: Kconfig: add title for IIO_TRIGGERED_BUFFER symbol
testing commit c8283ba8e28c6863d0b8703a4e567d6555c43ac2 with gcc (GCC) 8.1.0
kernel signature: ce719b8f67e7d7d871ce8d855ca5ab923168f1fe8699c8df8826c4b0585007fb
all runs: OK
# git bisect good c8283ba8e28c6863d0b8703a4e567d6555c43ac2
Bisecting: 213 revisions left to test after this (roughly 8 steps)
[a3b73c96b4aed11658245c258802941641d8048f] scsi: sni_53c710: Use module_platform_driver to simplify the code
testing commit a3b73c96b4aed11658245c258802941641d8048f with gcc (GCC) 8.1.0
kernel signature: f8383e4d65ef23be1c372ca47d123ee0cf34e1c805347cb3c60731f66f79e97a
all runs: OK
# git bisect good a3b73c96b4aed11658245c258802941641d8048f
Bisecting: 111 revisions left to test after this (roughly 7 steps)
[b1839e7c2a42ccd9a0587c0092e880c7a213ee2a] dmaengine: xilinx: dpdma: convert tasklets to use new tasklet_setup() API
testing commit b1839e7c2a42ccd9a0587c0092e880c7a213ee2a with gcc (GCC) 8.1.0
kernel signature: 6ddb2d477f1b9f8d4f0a5ead4f24264e6886c9068a2f3f25afe408f5e0be8040
all runs: OK
# git bisect good b1839e7c2a42ccd9a0587c0092e880c7a213ee2a
Bisecting: 62 revisions left to test after this (roughly 6 steps)
[14dbb1c7b7d81a3b255e9d03e341e2cf5bf3acfa] Merge remote-tracking branch 'cgroup/for-next' into master
testing commit 14dbb1c7b7d81a3b255e9d03e341e2cf5bf3acfa with gcc (GCC) 8.1.0
kernel signature: 2254d65a2ab1d214fce4bbc2ca38efc5e1e439dc265b9d1349254332a44c9fa9
all runs: OK
# git bisect good 14dbb1c7b7d81a3b255e9d03e341e2cf5bf3acfa
Bisecting: 31 revisions left to test after this (roughly 5 steps)
[4b217e015b753c83418cc548acf9fac97961e0a3] scsi: target: rd: Drop double zeroing
testing commit 4b217e015b753c83418cc548acf9fac97961e0a3 with gcc (GCC) 8.1.0
kernel signature: 48c0d2793c62b92a6b7586cd166e4b8618eb8c026f6c7190142abd7b2a6dc672
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
# git bisect bad 4b217e015b753c83418cc548acf9fac97961e0a3
Bisecting: 15 revisions left to test after this (roughly 4 steps)
[3a8dc5bbc8c04db2646ed0842118b0f66659a3db] scsi: core: Remove scsi_init_cmd_errh
testing commit 3a8dc5bbc8c04db2646ed0842118b0f66659a3db with gcc (GCC) 8.1.0
kernel signature: fff26d3a5d0aa424ef733e169b101ac96cc54cf962031e95f5973d0a07b91299
all runs: OK
# git bisect good 3a8dc5bbc8c04db2646ed0842118b0f66659a3db
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[75c31c80a77d673062684d4d58260bae337c6934] scsi: dc395x: Use module_pci_driver() to simplify the code
testing commit 75c31c80a77d673062684d4d58260bae337c6934 with gcc (GCC) 8.1.0
kernel signature: 44f2940d7bf5502eb757953366e3d079f2ba2b18dd1356a370365a38c70dfaf3
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
# git bisect bad 75c31c80a77d673062684d4d58260bae337c6934
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[5843cc3d5acd8e6654eb2477f3e48c30e3a2e4f7] scsi: core: Rename scsi_mq_prep_fn() to scsi_prepare_cmd()
testing commit 5843cc3d5acd8e6654eb2477f3e48c30e3a2e4f7 with gcc (GCC) 8.1.0
kernel signature: 87d400614c92c2ff965f5441f5c2fc73f579632d26b03d22bd69ec8586d3bf28
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
# git bisect bad 5843cc3d5acd8e6654eb2477f3e48c30e3a2e4f7
Bisecting: 1 revision left to test after this (roughly 1 step)
[40b93836a136a46d7240aa13840c87fb239c865c] scsi: core: Use rq_dma_dir in scsi_setup_cmnd()
testing commit 40b93836a136a46d7240aa13840c87fb239c865c with gcc (GCC) 8.1.0
kernel signature: a68be7575ad3c9d1c180afafff7113c047111283d9db2baba5c444d8bbd43e5d
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
# git bisect bad 40b93836a136a46d7240aa13840c87fb239c865c
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2ceda20f0a99a74a82b78870f3b3e5fa93087a7f] scsi: core: Move command size detection out of the fast path
testing commit 2ceda20f0a99a74a82b78870f3b3e5fa93087a7f with gcc (GCC) 8.1.0
kernel signature: aca62895ab60ded16583864c798f9f551af006de59b3d79e35bf3b550d2b580b
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
# git bisect bad 2ceda20f0a99a74a82b78870f3b3e5fa93087a7f
2ceda20f0a99a74a82b78870f3b3e5fa93087a7f is the first bad commit
commit 2ceda20f0a99a74a82b78870f3b3e5fa93087a7f
Author: Christoph Hellwig <hch@lst.de>
Date:   Mon Oct 5 10:41:23 2020 +0200

    scsi: core: Move command size detection out of the fast path
    
    We only need to detect the command size for ioctl request from userspace,
    which is limited to the passthrough path.  Move the check there instead of
    doing it for all queuecommand invocations.
    
    Link: https://lore.kernel.org/r/20201005084130.143273-4-hch@lst.de
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

 drivers/scsi/scsi_lib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
culprit signature: aca62895ab60ded16583864c798f9f551af006de59b3d79e35bf3b550d2b580b
parent  signature: fff26d3a5d0aa424ef733e169b101ac96cc54cf962031e95f5973d0a07b91299
revisions tested: 17, total time: 3h36m9.931417612s (build: 1h28m4.26634027s, test: 2h6m1.682518008s)
first bad commit: 2ceda20f0a99a74a82b78870f3b3e5fa93087a7f scsi: core: Move command size detection out of the fast path
recipients (to): ["hare@suse.de" "hch@lst.de" "martin.petersen@oracle.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in scsi_queue_rq
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 10e33e067 P4D 10e33e067 PUD 10e33f067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 8338 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:scsi_command_size include/scsi/scsi_common.h:24 [inline]
RIP: 0010:scsi_setup_scsi_cmnd drivers/scsi/scsi_lib.c:1185 [inline]
RIP: 0010:scsi_setup_cmnd drivers/scsi/scsi_lib.c:1226 [inline]
RIP: 0010:scsi_mq_prep_fn drivers/scsi/scsi_lib.c:1604 [inline]
RIP: 0010:scsi_queue_rq+0x6aa/0xc10 drivers/scsi/scsi_lib.c:1682
Code: 0f 85 93 fc ff ff 41 8b 54 24 28 41 0f b7 84 24 40 01 00 00 66 41 89 84 24 4c 02 00 00 66 85 c0 75 29 49 8b 8c 24 58 02 00 00 <0f> b6 01 3c 7f 0f 84 15 04 00 00 c0 e8 05 83 e0 07 0f b6 80 40 78
RSP: 0018:ffffc90002edfaf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8881281ce000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88810ebd7e40
RBP: ffff88812938c000 R08: ffff888127f53400 R09: 0000000000000000
R10: 0000000000000001 R11: 9296e02e597a92e7 R12: ffff888127f53400
R13: ffff888129390180 R14: ffffc90002edfba0 R15: 0000000000000000
FS:  00007f4964400700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010e33d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 blk_mq_dispatch_rq_list+0x104/0x700 block/blk-mq.c:1387
 __blk_mq_sched_dispatch_requests+0xc2/0x170 block/blk-mq-sched.c:314
 blk_mq_sched_dispatch_requests+0x2b/0x50 block/blk-mq-sched.c:347
 __blk_mq_run_hw_queue+0x68/0x110 block/blk-mq.c:1525
 __blk_mq_delay_run_hw_queue+0x1a7/0x1e0 block/blk-mq.c:1602
 blk_mq_run_hw_queue+0x81/0xd0 block/blk-mq.c:1655
 blk_mq_sched_insert_request+0x10f/0x190 block/blk-mq-sched.c:567
 blk_execute_rq+0x64/0xb0 block/blk-exec.c:86
 sg_io+0x2b7/0x430 block/scsi_ioctl.c:370
 scsi_cmd_ioctl+0x253/0x2f0 block/scsi_ioctl.c:818
 sd_ioctl+0x11/0x40 drivers/scsi/sd.c:1758
 __blkdev_driver_ioctl block/ioctl.c:224 [inline]
 blkdev_ioctl+0x1c6/0x2b0 block/ioctl.c:620
 block_ioctl+0x3a/0x40 fs/block_dev.c:1871
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x7c/0xb0 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45de29
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f49643ffc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000014f40 RCX: 000000000045de29
RDX: 00000000200046c0 RSI: 0000000000002285 RDI: 0000000000000004
RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
R13: 00007ffdddd4d65f R14: 00007f49644009c0 R15: 000000000118bf2c
Modules linked in:
CR2: 0000000000000000
---[ end trace 7f3819a53e3251f5 ]---
RIP: 0010:scsi_command_size include/scsi/scsi_common.h:24 [inline]
RIP: 0010:scsi_setup_scsi_cmnd drivers/scsi/scsi_lib.c:1185 [inline]
RIP: 0010:scsi_setup_cmnd drivers/scsi/scsi_lib.c:1226 [inline]
RIP: 0010:scsi_mq_prep_fn drivers/scsi/scsi_lib.c:1604 [inline]
RIP: 0010:scsi_queue_rq+0x6aa/0xc10 drivers/scsi/scsi_lib.c:1682
Code: 0f 85 93 fc ff ff 41 8b 54 24 28 41 0f b7 84 24 40 01 00 00 66 41 89 84 24 4c 02 00 00 66 85 c0 75 29 49 8b 8c 24 58 02 00 00 <0f> b6 01 3c 7f 0f 84 15 04 00 00 c0 e8 05 83 e0 07 0f b6 80 40 78
RSP: 0018:ffffc90002edfaf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8881281ce000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff88810ebd7e40
RBP: ffff88812938c000 R08: ffff888127f53400 R09: 0000000000000000
R10: 0000000000000001 R11: 9296e02e597a92e7 R12: ffff888127f53400
R13: ffff888129390180 R14: ffffc90002edfba0 R15: 0000000000000000
FS:  00007f4964400700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010e33d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400