bisecting cause commit starting from b652d2a5f2a4e93d803cc33eb57fdc41ee528500
building syzkaller on 9564d2e9821aea842b6ab213174aabd4b578b039
testing commit b652d2a5f2a4e93d803cc33eb57fdc41ee528500 with gcc (GCC) 8.1.0
kernel signature: 1ffe9ea54a1356024c6c8c8c32b0d3d724d943a2e0ef716d80ec8b0f043acfe1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 1b7a2109610e6d7f242d8280aba79a3a175046f2c4b39fcadbfe43e7a615c750
all runs: OK
# git bisect start b652d2a5f2a4e93d803cc33eb57fdc41ee528500 bcf876870b95592b52519ed4aafcf9d95999bc9c
Bisecting: 12081 revisions left to test after this (roughly 14 steps)
[8c2618a6d0f7b08e2b41575a87cf568745c8860e] Merge tag 'gfs2-for-5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2
testing commit 8c2618a6d0f7b08e2b41575a87cf568745c8860e with gcc (GCC) 8.1.0
kernel signature: 6cd73de60048a6ceba651088fbfb0d288aa90273eb81f259d38c6f96342d87a3
all runs: OK
# git bisect good 8c2618a6d0f7b08e2b41575a87cf568745c8860e
Bisecting: 6037 revisions left to test after this (roughly 13 steps)
[e73fb7b376da4f804442335da3d7c2d1526843fc] Merge remote-tracking branch 'cpufreq-arm/cpufreq/arm/linux-next' into master
testing commit e73fb7b376da4f804442335da3d7c2d1526843fc with gcc (GCC) 8.1.0
kernel signature: 7507f0e3b68e1410ea7a8755d206daf957faa3b1a457ac58d2e6b31d40c034b3
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad e73fb7b376da4f804442335da3d7c2d1526843fc
Bisecting: 3021 revisions left to test after this (roughly 12 steps)
[d005f8c6588efcfbe88099b6edafc6f58c84a9c1] ubi: check kthread_should_stop() after the setting of task state
testing commit d005f8c6588efcfbe88099b6edafc6f58c84a9c1 with gcc (GCC) 8.1.0
kernel signature: a99e368e219311f357ee290ff74ac5fefcf6a65886112ef81ad1677586c2af23
all runs: OK
# git bisect good d005f8c6588efcfbe88099b6edafc6f58c84a9c1
Bisecting: 1513 revisions left to test after this (roughly 11 steps)
[67536a97e31fc48e0ab88579b60f2901de4d407b] Merge remote-tracking branch 'parisc-hd/for-next' into master
testing commit 67536a97e31fc48e0ab88579b60f2901de4d407b with gcc (GCC) 8.1.0
kernel signature: 1603317b54fc2582108e0d37b1f716636a489145842da689c7b3b6a7159c2620
all runs: OK
# git bisect good 67536a97e31fc48e0ab88579b60f2901de4d407b
Bisecting: 838 revisions left to test after this (roughly 10 steps)
[392e6d61bb3291fe0a8bf4f8a114f8e5bda412ac] Merge remote-tracking branch 'pstore/for-next/pstore' into master
testing commit 392e6d61bb3291fe0a8bf4f8a114f8e5bda412ac with gcc (GCC) 8.1.0
kernel signature: 0cd499685d81fd26c715e987d7a5e70f3de3c22f081215a4bde3965a89e2b91f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad 392e6d61bb3291fe0a8bf4f8a114f8e5bda412ac
Bisecting: 329 revisions left to test after this (roughly 8 steps)
[369b29cc8f521609c75bd884ed5e2157ac013bbb] Merge remote-tracking branch 'btrfs/for-next' into master
testing commit 369b29cc8f521609c75bd884ed5e2157ac013bbb with gcc (GCC) 8.1.0
kernel signature: 4decf9d3dbf7ed6ed44a1a867b11d13265c9d0792af7a693c584c4c74aa71522
all runs: OK
# git bisect good 369b29cc8f521609c75bd884ed5e2157ac013bbb
Bisecting: 165 revisions left to test after this (roughly 7 steps)
[c6f51d8a423d878d6a67387717dca197621f904d] Merge remote-tracking branch 'zonefs/for-next' into master
testing commit c6f51d8a423d878d6a67387717dca197621f904d with gcc (GCC) 8.1.0
kernel signature: 172feb9e4bc530ece273bbc1062aa8bbe7e2b411fed7ee49855316f4bb6a557f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad c6f51d8a423d878d6a67387717dca197621f904d
Bisecting: 95 revisions left to test after this (roughly 6 steps)
[d9aaf5d273f69b5324a20e3b8cfdddef9d810e65] Merge remote-tracking branch 'fuse/for-next' into master
testing commit d9aaf5d273f69b5324a20e3b8cfdddef9d810e65 with gcc (GCC) 8.1.0
kernel signature: 43dcd35f2bffb61fa84217b4e47201e203e5084e1adaaa5b801569a5ebda0096
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad d9aaf5d273f69b5324a20e3b8cfdddef9d810e65
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[b8ee60871d5e5fe854665aef232e6109b1d3137c] f2fs: compress: introduce cic/dic slab cache
testing commit b8ee60871d5e5fe854665aef232e6109b1d3137c with gcc (GCC) 8.1.0
kernel signature: 00b996543404d8b39266fc433033095fe3b40588532ce0b1253f34b97f768b8f
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad b8ee60871d5e5fe854665aef232e6109b1d3137c
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[093749e296e29a4b0162eb925a6701a01e8c9a98] f2fs: support age threshold based garbage collection
testing commit 093749e296e29a4b0162eb925a6701a01e8c9a98 with gcc (GCC) 8.1.0
kernel signature: a119288062473f5218a968695f5d87227f5389fb6f3fe9e027a260309276e472
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad 093749e296e29a4b0162eb925a6701a01e8c9a98
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[2e9b2bb250d5d1493eaf36215fbfe2cd76ce4f7c] f2fs: support 64-bits key in f2fs rb-tree node entry
testing commit 2e9b2bb250d5d1493eaf36215fbfe2cd76ce4f7c with gcc (GCC) 8.1.0
kernel signature: c34f55c77ee258031e9b234110995cf47e02cce4126803a5800b292d3d8755f4
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad 2e9b2bb250d5d1493eaf36215fbfe2cd76ce4f7c
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[376207af4bf809a48bea79fc1970a17e048c734e] f2fs: compress: remove unneeded code
testing commit 376207af4bf809a48bea79fc1970a17e048c734e with gcc (GCC) 8.1.0
kernel signature: d0119e3f7e0cc51092ad388315c32f3603fff6817e2b44923e031dd2bc544bb0
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad 376207af4bf809a48bea79fc1970a17e048c734e
Bisecting: 0 revisions left to test after this (roughly 1 step)
[e90027d23aecfce5c3a63b14a676377602d4bdac] f2fs: remove duplicated type casting
testing commit e90027d23aecfce5c3a63b14a676377602d4bdac with gcc (GCC) 8.1.0
kernel signature: aa0cfb18a35ee3140a40e400c63db8a7e7f5562edae00e563b3e59432da449bc
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad e90027d23aecfce5c3a63b14a676377602d4bdac
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[de881df97768d07b342cbd1f8359b832afccace9] f2fs: support zone capacity less than zone size
testing commit de881df97768d07b342cbd1f8359b832afccace9 with gcc (GCC) 8.1.0
kernel signature: c386b14a2c2023c213d6deea8f5508469fe2e00d96a9d0499543c3904f95d4f1
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg
# git bisect bad de881df97768d07b342cbd1f8359b832afccace9
de881df97768d07b342cbd1f8359b832afccace9 is the first bad commit

commit de881df97768d07b342cbd1f8359b832afccace9
Author: Aravind Ramesh
Date:   Thu Jul 16 18:26:56 2020 +0530

    f2fs: support zone capacity less than zone size

    NVMe Zoned Namespace devices can have zone-capacity less than zone-size.
    Zone-capacity indicates the maximum number of sectors that are usable in
    a zone beginning from the first sector of the zone. This makes the sectors
    after the zone-capacity till zone-size unusable.

    This patch set tracks zone-size and zone-capacity in zoned devices and
    calculates the usable blocks per segment and usable segments per section.

    If zone-capacity is less than zone-size, mark only those segments which
    start before zone-capacity as free segments. All segments at and beyond
    zone-capacity are treated as permanently used segments. In cases where
    zone-capacity does not align with segment size, the last segment will start
    before zone-capacity and end beyond the zone-capacity of the zone. For
    such spanning segments only sectors within the zone-capacity are used.

    During writes and GC, manage the usable segments in a section and usable
    blocks per segment. Segments which are beyond zone-capacity are never
    allocated, and do not need to be garbage collected; only the segments
    which are before zone-capacity need to be garbage collected.
    For spanning segments, based on the number of usable blocks in that
    segment, write to blocks only up to zone-capacity.

    Zone-capacity is device specific and cannot be configured by the user.
    Since NVMe ZNS device zones are sequentially write only, a block device
    with conventional zones or any normal block device is needed along with
    the ZNS device for the metadata operations of F2fs.

    A typical nvme-cli output of a zoned device shows zone start and capacity
    and write pointer as below:

    SLBA: 0x0     WP: 0x0     Cap: 0x18800 State: EMPTY Type: SEQWRITE_REQ
    SLBA: 0x20000 WP: 0x20000 Cap: 0x18800 State: EMPTY Type: SEQWRITE_REQ
    SLBA: 0x40000 WP: 0x40000 Cap: 0x18800 State: EMPTY Type: SEQWRITE_REQ

    Here zone size is 64MB, capacity is 49MB, WP is at zone start as the zones
    are in EMPTY state. For each zone, only zone start + 49MB is usable area;
    any lba/sector after 49MB cannot be read or written to, the drive will fail
    any attempts to read/write. So, the second zone starts at 64MB and is
    usable till 113MB (64 + 49) and the range between 113 and 128MB is again
    unusable. The next zone starts at 128MB, and so on.

    Signed-off-by: Aravind Ramesh
    Signed-off-by: Damien Le Moal
    Signed-off-by: Niklas Cassel
    Reviewed-by: Chao Yu
    Signed-off-by: Jaegeuk Kim

 Documentation/filesystems/f2fs.rst |  15 ++++
 fs/f2fs/f2fs.h                     |   5 ++
 fs/f2fs/gc.c                       |  25 ++++-
 fs/f2fs/gc.h                       |  44 ++++++++++-
 fs/f2fs/segment.c                  | 156 ++++++++++++++++++++++++++++++++++---
 fs/f2fs/segment.h                  |  26 ++++---
 fs/f2fs/super.c                    |  41 ++++++++-
 7 files changed, 275 insertions(+), 37 deletions(-)

parent commit 581cb3a26baf846ee9636214afaa5333919875b1 wasn't tested
testing commit 581cb3a26baf846ee9636214afaa5333919875b1 with gcc (GCC) 8.1.0
kernel signature: 98aa795e939dcc581ada9b52d8212fa4f980afc6c69d5e61e9174217f5a090e4
culprit signature: c386b14a2c2023c213d6deea8f5508469fe2e00d96a9d0499543c3904f95d4f1
parent signature: 98aa795e939dcc581ada9b52d8212fa4f980afc6c69d5e61e9174217f5a090e4
revisions tested: 16, total time: 2h53m31.274649142s (build: 1h29m56.695275654s, test: 1h20m28.875506343s)
first bad commit: de881df97768d07b342cbd1f8359b832afccace9 f2fs: support zone capacity less than zone size
recipients (to): ["aravind.ramesh@wdc.com" "damien.lemoal@wdc.com" "jaegeuk@kernel.org" "niklas.cassel@wdc.com" "yuchao0@huawei.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in f2fs_usable_zone_blks_in_seg

F2FS-fs (loop2): Magic Mismatch, valid(0xf2f52010) - read(0x0)
F2FS-fs (loop2): Can't find valid F2FS filesystem in 2th superblock
F2FS-fs (loop2): invalid crc_offset: 0
BUG: kernel NULL pointer dereference, address: 000000000000004c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 11dd15067 P4D 11dd15067 PUD 11dd16067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 8086 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:get_zone_idx fs/f2fs/segment.c:4704 [inline]
RIP: 0010:f2fs_usable_zone_blks_in_seg+0x8d/0x140 fs/f2fs/segment.c:4755
Code: 8b 83 80 0c 00 00 8b 8b 78 0c 00 00 48 8b bb 08 14 00 00 45 0f af c4 44 03 00 49 63 c1 48 6b c0 68 41 d3 e0 8b 8b 60 01 00 00 <44> 2b 44 07 4c 41 01 d0 44 89 ca 41 d3 e8 44 89 c6 e8 0d ff ff ff
RSP: 0018:ffffc90002057bb8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff88810e810000 RCX: 0000000000000000
RDX: 0000000000000200 RSI: 0000000000001000 RDI: 0000000000000000
RBP: 0000000000001000 R08: 0000000000000e00 R09: 0000000000000000
R10: ffff88810f7b6400 R11: e6e132e01efb9d1b R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810e810000
FS:  00007f9b1801c700(0000) GS:ffff88812c100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000004c CR3: 000000011dd14000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 f2fs_usable_blks_in_seg fs/f2fs/segment.c:4811 [inline]
 check_block_count+0x15b/0x170 fs/f2fs/segment.h:682
 build_sit_entries fs/f2fs/segment.c:4217 [inline]
 f2fs_build_segment_manager+0x12f7/0x2500 fs/f2fs/segment.c:4911
 f2fs_fill_super+0xfc1/0x1f50 fs/f2fs/super.c:3662
 mount_bdev+0x183/0x1b0 fs/super.c:1417
 legacy_get_tree+0x28/0x50 fs/fs_context.c:592
 vfs_get_tree+0x1d/0xb0 fs/super.c:1547
 do_new_mount fs/namespace.c:2875 [inline]
 path_mount+0x6e9/0xa60 fs/namespace.c:3192
 do_mount+0x70/0x90 fs/namespace.c:3205
 __do_sys_mount fs/namespace.c:3413 [inline]
 __se_sys_mount fs/namespace.c:3390 [inline]
 __x64_sys_mount+0xbf/0xe0 fs/namespace.c:3390
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x46004a
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 fd 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 da 89 fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f9b1801ba88 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f9b1801bb20 RCX: 000000000046004a
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f9b1801bae0
RBP: 00007f9b1801bae0 R08: 00007f9b1801bb20 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000
R13: 0000000020000100 R14: 0000000020000200 R15: 0000000020015000
Modules linked in:
CR2: 000000000000004c
---[ end trace d54e08f4bbb744f1 ]---
RIP: 0010:get_zone_idx fs/f2fs/segment.c:4704 [inline]
RIP: 0010:f2fs_usable_zone_blks_in_seg+0x8d/0x140 fs/f2fs/segment.c:4755
Code: 8b 83 80 0c 00 00 8b 8b 78 0c 00 00 48 8b bb 08 14 00 00 45 0f af c4 44 03 00 49 63 c1 48 6b c0 68 41 d3 e0 8b 8b 60 01 00 00 <44> 2b 44 07 4c 41 01 d0 44 89 ca 41 d3 e8 44 89 c6 e8 0d ff ff ff
RSP: 0018:ffffc90002057bb8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff88810e810000 RCX: 0000000000000000
RDX: 0000000000000200 RSI: 0000000000001000 RDI: 0000000000000000
RBP: 0000000000001000 R08: 0000000000000e00 R09: 0000000000000000
R10: ffff88810f7b6400 R11: e6e132e01efb9d1b R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810e810000
FS:  00007f9b1801c700(0000) GS:ffff88812c000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f120310c6c8 CR3: 000000011dd14000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400