bisecting cause commit starting from 7a6956579ce6950890ea706f6fcf7874a7981f50
building syzkaller on abf9ba4fc75d9b29af15625d44dcfc1360fad3b7
testing commit 7a6956579ce6950890ea706f6fcf7874a7981f50 with gcc (GCC) 8.1.0
kernel signature: d1eb54ce3d6bf9dfd5eb058f4798b0275c043d0f298fba7ed4d18f06a618ea8a
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in percpu_ref_exit
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: b214f01bf8a411ffe2af6030354d8f0acdbf1ef52ff8a62271da705e7c82bb02
all runs: OK
# git bisect start 7a6956579ce6950890ea706f6fcf7874a7981f50 bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 9659 revisions left to test after this (roughly 13 steps)
[9ad3826575abd1c096cf678a87dd860395c46d78] mm/debug: switch dump_page to get_kernel_nofault
testing commit 9ad3826575abd1c096cf678a87dd860395c46d78 with gcc (GCC) 8.1.0
kernel signature: 965ac8ad9e01236ddb0f9e3928bc5abb24f1519a51b6b84f69990224f28a7f4b
all runs: OK
# git bisect good 9ad3826575abd1c096cf678a87dd860395c46d78
Bisecting: 4829 revisions left to test after this (roughly 12 steps)
[150f29f5e6ea55d8a7d368b162a4e9947a95d2f5] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit 150f29f5e6ea55d8a7d368b162a4e9947a95d2f5 with gcc (GCC) 8.1.0
kernel signature: 98793828d760fce286c67004faf8e23b62a5ffccb3ade9ffd87e67b82bc6884b
all runs: OK
# git bisect good 150f29f5e6ea55d8a7d368b162a4e9947a95d2f5
Bisecting: 2316 revisions left to test after this (roughly 11 steps)
[46cfe9a9880f7f1bfdd0cd0f0b03079dad8ee6e2] Merge remote-tracking branch 'wireless-drivers-next/master' into master
testing commit 46cfe9a9880f7f1bfdd0cd0f0b03079dad8ee6e2 with gcc (GCC) 8.1.0
kernel signature: ed09279bc7effef8290e8f0eccefc1d41212b2b1abbdb5971855b92711f8b3c7
all runs: OK
# git bisect good 46cfe9a9880f7f1bfdd0cd0f0b03079dad8ee6e2
Bisecting: 1170 revisions left to test after this (roughly 10 steps)
[99674f13653b5d6ae0dde6783c8beea014e6a37d] Merge remote-tracking branch 'mfd/for-mfd-next' into master
testing commit 99674f13653b5d6ae0dde6783c8beea014e6a37d with gcc (GCC) 8.1.0
kernel signature: b8cfa233eae888b380526f1f0a375ab5916746a8f59e95ba7b8cd668608cb161
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in percpu_ref_exit
# git bisect bad 99674f13653b5d6ae0dde6783c8beea014e6a37d
Bisecting: 415 revisions left to test after this (roughly 9 steps)
[9b7647d21db12612c3ef3e5494d313d175c05424] Merge remote-tracking branch 'amdgpu/drm-next' into master
testing commit 9b7647d21db12612c3ef3e5494d313d175c05424 with gcc (GCC) 8.1.0
kernel signature: 00df017095ceb7e96ec9a2971d4d3962cddd2781aeea928a5e0e100939f707ee
all runs: OK
# git bisect good 9b7647d21db12612c3ef3e5494d313d175c05424
Bisecting: 237 revisions left to test after this (roughly 8 steps)
[f7770456493da8beafcb77da09e92ee088d9510a] Merge remote-tracking branch 'asoc/for-5.10' into asoc-next
testing commit f7770456493da8beafcb77da09e92ee088d9510a with gcc (GCC) 8.1.0
kernel signature: 8ef5b2406b90d22f9fa998326784e744a20a54f72ba698c6890481af0413bd94
all runs: OK
# git bisect good f7770456493da8beafcb77da09e92ee088d9510a
Bisecting: 138 revisions left to test after this (roughly 7 steps)
[c703761969a7c24552b277fc398dd84850a4f192] Merge remote-tracking branch 'input/next' into master
testing commit c703761969a7c24552b277fc398dd84850a4f192 with gcc (GCC) 8.1.0
kernel signature: 9c57faad4be222919df6bc313003f3ada666499b4e3b4f1b851dba5d0d9abebe
all runs: OK
# git bisect good c703761969a7c24552b277fc398dd84850a4f192
Bisecting: 69 revisions left to test after this (roughly 6 steps)
[a7863b3423fd5d1ab82161654ba83973764b570b] blk-iocost: update iocost_monitor.py
testing commit a7863b3423fd5d1ab82161654ba83973764b570b with gcc (GCC) 8.1.0
kernel signature: ce8648c9a46e2bc660d958b1b62904fa16e7f8f652174a36bac6da630fab9b73
all runs: OK
# git bisect good a7863b3423fd5d1ab82161654ba83973764b570b
Bisecting: 34 revisions left to test after this (roughly 5 steps)
[3aff06857ef63ae43a59550131899e3df1c1b19c] mmc: sdhci-iproc: Enable eMMC DDR 3.3V support for bcm2711
testing commit 3aff06857ef63ae43a59550131899e3df1c1b19c with gcc (GCC) 8.1.0
kernel signature: 4f1dc858f05c1dc5aecc3e29da27d0431b8aee733814bf07829069376cfe5b68
all runs: OK
# git bisect good 3aff06857ef63ae43a59550131899e3df1c1b19c
Bisecting: 19 revisions left to test after this (roughly 4 steps)
[83a85498974b0d73b7a1f5a5e4d22796687dcb3f] block: move 'q_usage_counter' into front of 'request_queue'
testing commit 83a85498974b0d73b7a1f5a5e4d22796687dcb3f with gcc (GCC) 8.1.0
kernel signature: 9924f994e3d56c305721e5e9c6c986d1654617e8255044284c25097e45a675ba
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in percpu_ref_exit
# git bisect bad 83a85498974b0d73b7a1f5a5e4d22796687dcb3f
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[f4ad06f2bb8476548b08f89919ee65abc4e40212] block: rename bd_invalidated
testing commit f4ad06f2bb8476548b08f89919ee65abc4e40212 with gcc (GCC) 8.1.0
kernel signature: aeaf5c8a246624c60721c5b9c2ea0bf0c3a379aeab71e14a002b24ec270f97d0
all runs: OK
# git bisect good f4ad06f2bb8476548b08f89919ee65abc4e40212
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[033a1b98b1f8a823fb0bd985d45290016eee54ce] sd: open code revalidate_disk
testing commit 033a1b98b1f8a823fb0bd985d45290016eee54ce with gcc (GCC) 8.1.0
kernel signature: b5c3aabe6952647f295138d0175d0214758010b018b37db2d0cdcdb523729631
all runs: OK
# git bisect good 033a1b98b1f8a823fb0bd985d45290016eee54ce
Bisecting: 1 revision left to test after this (roughly 1 step)
[de09077c89183cbc627d9393706343662da7f5a3] block: remove revalidate_disk()
testing commit de09077c89183cbc627d9393706343662da7f5a3 with gcc (GCC) 8.1.0
kernel signature: 5a4cda00e84a5d42257a2db9b087afea18fc0075715e976b26eeff266570841e
all runs: OK
# git bisect good de09077c89183cbc627d9393706343662da7f5a3
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[d0c567d60f3730b97050347ea806e1ee06445c78] percpu_ref: reduce memory footprint of percpu_ref in fast path
testing commit d0c567d60f3730b97050347ea806e1ee06445c78 with gcc (GCC) 8.1.0
kernel signature: 6111934de4df50c463e9f409cba55edd45508bcc3cc6699e3a09bdc00edc8293
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in percpu_ref_exit
# git bisect bad d0c567d60f3730b97050347ea806e1ee06445c78
d0c567d60f3730b97050347ea806e1ee06445c78 is the first bad commit
commit d0c567d60f3730b97050347ea806e1ee06445c78
Author: Ming Lei
Date: Wed Sep 2 20:26:42 2020 +0800

    percpu_ref: reduce memory footprint of percpu_ref in fast path

    'struct percpu_ref' is often embedded into one user structure, and the instance is usually referenced in fast path, however actually only 'percpu_count_ptr' is needed in fast path.

    So move other fields into one new structure of 'percpu_ref_data', and allocate it dynamically via kzalloc(), then memory footprint of 'percpu_ref' in fast path is reduced a lot and becomes suitable to put into hot cacheline of user structure.

    Cc: Sagi Grimberg
    Cc: Tejun Heo
    Cc: Bart Van Assche
    Reviewed-by: Christoph Hellwig
    Signed-off-by: Ming Lei
    Signed-off-by: Jens Axboe

 drivers/infiniband/sw/rdmavt/mr.c | 2 +-
 include/linux/percpu-refcount.h | 45 +++++---------
 lib/percpu-refcount.c | 128 ++++++++++++++++++++++++++++----------
 3 files changed, 113 insertions(+), 62 deletions(-)

culprit signature: 6111934de4df50c463e9f409cba55edd45508bcc3cc6699e3a09bdc00edc8293
parent signature: 5a4cda00e84a5d42257a2db9b087afea18fc0075715e976b26eeff266570841e
revisions tested: 16, total time: 3h46m18.778295539s (build: 1h18m8.706668014s, test: 2h26m28.311102443s)
first bad commit: d0c567d60f3730b97050347ea806e1ee06445c78 percpu_ref: reduce memory footprint of percpu_ref in fast path
recipients (to): ["axboe@kernel.dk" "hch@lst.de" "ming.lei@redhat.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in percpu_ref_exit

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1084bc067 P4D 1084bc067 PUD 10a367067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 26446 Comm: syz-executor.5 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:arch_atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
RIP: 0010:atomic64_read include/asm-generic/atomic-instrumented.h:838 [inline]
RIP: 0010:atomic_long_read include/asm-generic/atomic-long.h:29 [inline]
RIP: 0010:percpu_ref_exit+0x28/0x50 lib/percpu-refcount.c:136
Code: 66 90 55 53 48 89 fb 48 8b 6f 08 e8 c2 ff ff ff 48 c7 c7 80 1c 43 84 e8 66 68 38 01 48 8b 53 08 48 c7 c7 80 1c 43 84 48 89 c6 <48> 8b 12 48 c7 43 08 00 00 00 00 48 c1 e2 02 48 09 13 e8 61 64 38
RSP: 0018:ffffc9000c6cbbc0 EFLAGS: 00010046
RAX: 0000000000000286 RBX: ffff888108ffe820 RCX: 00000000adcb976d
RDX: 0000000000000000 RSI: 0000000000000286 RDI: ffffffff84431c80
RBP: 0000000000000000 R08: 0000000000000028 R09: 0000000000000001
R10: ffff88810b118200 R11: 5b0c99f47ebe1170 R12: ffffffff8445ec40
R13: ffff88810ec95f60 R14: 0000000000000000 R15: ffff8881290e4800
FS: 00007fc44365f700(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010b364000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hd_free_part block/partitions/../blk.h:391 [inline]
 part_release+0x31/0x40 block/partitions/core.c:262
 device_release+0x1f/0x70 drivers/base/core.c:1800
 kobject_cleanup lib/kobject.c:704 [inline]
 kobject_release lib/kobject.c:735 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x5f/0xc0 lib/kobject.c:752
 add_partition+0x411/0x4a0 block/partitions/core.c:493
 blk_add_partition block/partitions/core.c:685 [inline]
 blk_add_partitions+0x302/0x400 block/partitions/core.c:761
 bdev_disk_changed+0x78/0xf0 fs/block_dev.c:1417
 loop_reread_partitions+0x22/0x40 drivers/block/loop.c:658
 loop_set_status+0x1c1/0x380 drivers/block/loop.c:1427
 loop_set_status64 drivers/block/loop.c:1547 [inline]
 lo_ioctl+0x154/0x6a0 drivers/block/loop.c:1715
 __blkdev_driver_ioctl block/ioctl.c:224 [inline]
 blkdev_ioctl+0x1c6/0x2b0 block/ioctl.c:620
 block_ioctl+0x3a/0x40 fs/block_dev.c:1870
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x7c/0xb0 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d427
Code: 48 83 c4 08 48 89 d8 5b 5d c3 66 0f 1f 84 00 00 00 00 00 48 89 e8 48 f7 d8 48 39 c3 0f 92 c0 eb 92 66 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 bd b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc44365e9f8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000020000040 RCX: 000000000045d427
RDX: 00007fc44365eac0 RSI: 0000000000004c04 RDI: 0000000000000004
RBP: 000000000118cf80 R08: 0000000020015898 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 000000000118cf4c
R13: 00007ffe536ffe8f R14: 00007fc44365f9c0 R15: 000000000118cf4c
Modules linked in:
CR2: 0000000000000000
---[ end trace b6653f19250fd59b ]---
RIP: 0010:arch_atomic64_read arch/x86/include/asm/atomic64_64.h:22 [inline]
RIP: 0010:atomic64_read include/asm-generic/atomic-instrumented.h:838 [inline]
RIP: 0010:atomic_long_read include/asm-generic/atomic-long.h:29 [inline]
RIP: 0010:percpu_ref_exit+0x28/0x50 lib/percpu-refcount.c:136
Code: 66 90 55 53 48 89 fb 48 8b 6f 08 e8 c2 ff ff ff 48 c7 c7 80 1c 43 84 e8 66 68 38 01 48 8b 53 08 48 c7 c7 80 1c 43 84 48 89 c6 <48> 8b 12 48 c7 43 08 00 00 00 00 48 c1 e2 02 48 09 13 e8 61 64 38
RSP: 0018:ffffc9000c6cbbc0 EFLAGS: 00010046
RAX: 0000000000000286 RBX: ffff888108ffe820 RCX: 00000000adcb976d
RDX: 0000000000000000 RSI: 0000000000000286 RDI: ffffffff84431c80
RBP: 0000000000000000 R08: 0000000000000028 R09: 0000000000000001
R10: ffff88810b118200 R11: 5b0c99f47ebe1170 R12: ffffffff8445ec40
R13: ffff88810ec95f60 R14: 0000000000000000 R15: ffff8881290e4800
FS: 00007fc44365f700(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010b364000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400