bisecting cause commit starting from b01f250d83f6c3af5c77699dd14e7b48ee0b5383
building syzkaller on 6593fd32d71a33f76462f347ef263e26600d998e
testing commit b01f250d83f6c3af5c77699dd14e7b48ee0b5383 with gcc (GCC) 8.1.0
kernel signature: b1e103ff4b9b3e9de737ae96297ca821db7f9024b17ead150185e931efb98d21
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0
kernel signature: 0ac21c7bec8a01fc2233fe2faf9cb6641f5d6068f7226445cdb28206bf6f01d9
all runs: OK
# git bisect start b01f250d83f6c3af5c77699dd14e7b48ee0b5383 2c85ebc57b3e1817b6ce1a6b703928e113a90442
Bisecting: 11010 revisions left to test after this (roughly 14 steps)
[be695ee29e8fc0af266d9f1882868c47da01a790] Merge tag 'ceph-for-5.11-rc1' of git://github.com/ceph/ceph-client

testing commit be695ee29e8fc0af266d9f1882868c47da01a790 with gcc (GCC) 8.1.0
kernel signature: c899b7f47930248b3cde8210023736481485121c7ddac3754a9c08c5a8da6fde
all runs: OK
# git bisect good be695ee29e8fc0af266d9f1882868c47da01a790
Bisecting: 5509 revisions left to test after this (roughly 13 steps)
[0652bd53e0c0575dc41543bcc51a1076768d3872] Merge remote-tracking branch 'pci/next'

testing commit 0652bd53e0c0575dc41543bcc51a1076768d3872 with gcc (GCC) 8.1.0
kernel signature: 699c8f551ef801018cf493b90c3cf92df39164588129c4bd1ed86f11971b0aab
all runs: OK
# git bisect good 0652bd53e0c0575dc41543bcc51a1076768d3872
Bisecting: 2737 revisions left to test after this (roughly 12 steps)
[f435e1394249cacaf0fa6cd172d76254ceb071a3] Merge remote-tracking branch 'amdgpu/drm-next'

testing commit f435e1394249cacaf0fa6cd172d76254ceb071a3 with gcc (GCC) 8.1.0
kernel signature: a9e90cc45015cb75f895e4214967d8467a141217fffb1b258a916c293d3a21c5
all runs: OK
# git bisect good f435e1394249cacaf0fa6cd172d76254ceb071a3
Bisecting: 1377 revisions left to test after this (roughly 11 steps)
[589e25c6dfdd535e8eba052f7314054f6d75be4a] Merge remote-tracking branch 'drivers-x86/for-next'

testing commit 589e25c6dfdd535e8eba052f7314054f6d75be4a with gcc (GCC) 8.1.0
kernel signature: a44fc8028eea84612fee1e7ebcc3c432bf2c27d10066d3e6a90b92516f6911c9
all runs: OK
# git bisect good 589e25c6dfdd535e8eba052f7314054f6d75be4a
Bisecting: 638 revisions left to test after this (roughly 10 steps)
[dffa1670056fe42a75f02f303f20cca1e1ef8e00] Merge remote-tracking branch 'scsi/for-next'

testing commit dffa1670056fe42a75f02f303f20cca1e1ef8e00 with gcc (GCC) 8.1.0
kernel signature: 1804b2139e393682f9107681916910b79ac792252180d9f37350afa77f2bddba
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes
# git bisect bad dffa1670056fe42a75f02f303f20cca1e1ef8e00
Bisecting: 370 revisions left to test after this (roughly 9 steps)
[0f65047c477a78bba324bee03a01f6768054d8ac] Merge remote-tracking branch 'extcon/extcon-next'

testing commit 0f65047c477a78bba324bee03a01f6768054d8ac with gcc (GCC) 8.1.0
kernel signature: a28ad1a64f2af6b9aa501811b8ebdafe0d0b70655022023648d743c0218737de
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes
# git bisect bad 0f65047c477a78bba324bee03a01f6768054d8ac
Bisecting: 173 revisions left to test after this (roughly 8 steps)
[98e3752c43e9228edf7ee29d461f56c971ff9628] Merge remote-tracking branch 'usb-serial/usb-next'

testing commit 98e3752c43e9228edf7ee29d461f56c971ff9628 with gcc (GCC) 8.1.0
kernel signature: b6d1802f445ac672c9caabb728e7fe25d860c4713dcd4cbc2d7ddc4172952be0
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes
# git bisect bad 98e3752c43e9228edf7ee29d461f56c971ff9628
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[c00243e7cd5c5c018f8addd6d7c234e2ef16d202] usb: typec: ucsi: Add conditional dependency on USB role switch

testing commit c00243e7cd5c5c018f8addd6d7c234e2ef16d202 with gcc (GCC) 8.1.0
kernel signature: 87c882fb455050f40901f886b712bb0f1f615442640d4372e2d6716da74ea5b1
all runs: OK
# git bisect good c00243e7cd5c5c018f8addd6d7c234e2ef16d202
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[4d2aeb214b221250593e0b3bf8382f4f9863e244] Merge remote-tracking branch 'driver-core/driver-core-next'

testing commit 4d2aeb214b221250593e0b3bf8382f4f9863e244 with gcc (GCC) 8.1.0
kernel signature: 7849cad226e8407f75ec38eac6f7315761a2359c255be21641860f02f9edac90
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes
# git bisect bad 4d2aeb214b221250593e0b3bf8382f4f9863e244
Bisecting: 27 revisions left to test after this (roughly 5 steps)
[e825165f56ef384b2ba7a4f5912b78db8dd01c4e] Merge remote-tracking branch 'hsi/for-next'

testing commit e825165f56ef384b2ba7a4f5912b78db8dd01c4e with gcc (GCC) 8.1.0
kernel signature: a44fc8028eea84612fee1e7ebcc3c432bf2c27d10066d3e6a90b92516f6911c9
all runs: OK
# git bisect good e825165f56ef384b2ba7a4f5912b78db8dd01c4e
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[4044b2fcfb2048a256529ecbd869b43713982006] drivers: base: change 'driver_create_groups' to 'driver_add_groups' in printk

testing commit 4044b2fcfb2048a256529ecbd869b43713982006 with gcc (GCC) 8.1.0
kernel signature: 3adc6eed528b3f08f30f268a8d8284d57218798f9fbae6467578bfcabd48b98f
all runs: OK
# git bisect good 4044b2fcfb2048a256529ecbd869b43713982006
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[9a5ad5c5b2d25508996f10ee6b428d5df91d9160] leds: trigger: fix potential deadlock with libata

testing commit 9a5ad5c5b2d25508996f10ee6b428d5df91d9160 with gcc (GCC) 8.1.0
kernel signature: f72ae9e6bca8d5db2f0ba7b795efb6c576ffa20a522c775ffe879deea7be7a1d
all runs: OK
# git bisect good 9a5ad5c5b2d25508996f10ee6b428d5df91d9160
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6d0348cefe7d098e744a9a2141febe8fc20197d3] Merge remote-tracking branch 'ipmi/for-next'

testing commit 6d0348cefe7d098e744a9a2141febe8fc20197d3 with gcc (GCC) 8.1.0
kernel signature: 0148f0b1aa74d87f8bfc233b328d97d2ec530b1c43f190d4df05a737d44331c3
all runs: OK
# git bisect good 6d0348cefe7d098e744a9a2141febe8fc20197d3
Bisecting: 1 revision left to test after this (roughly 1 step)
[38009c766725a9877ea8866fc813a5460011817f] drivers/base: build kunit tests without structleak plugin

testing commit 38009c766725a9877ea8866fc813a5460011817f with gcc (GCC) 8.1.0
kernel signature: 3adc6eed528b3f08f30f268a8d8284d57218798f9fbae6467578bfcabd48b98f
all runs: OK
# git bisect good 38009c766725a9877ea8866fc813a5460011817f
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4731210c09f5977300f439b6c56ba220c65b2348] gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default

testing commit 4731210c09f5977300f439b6c56ba220c65b2348 with gcc (GCC) 8.1.0
kernel signature: 455ff425cfacac859e561a37122be4501d7f4415a6fed6b67c2a4429d3180305
all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes
# git bisect bad 4731210c09f5977300f439b6c56ba220c65b2348
4731210c09f5977300f439b6c56ba220c65b2348 is the first bad commit
commit 4731210c09f5977300f439b6c56ba220c65b2348
Author: Saravana Kannan <saravanak@google.com>
Date:   Fri Jan 22 11:35:59 2021 -0800

    gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default
    
    There are multiple instances of GPIO device tree nodes of the form:
    
    foo {
            compatible = "acme,foo";
            ...
    
            gpio0: gpio0@xxxxxxxx {
                    compatible = "acme,bar";
                    ...
                    gpio-controller;
            };
    
            gpio1: gpio1@xxxxxxxx {
                    compatible = "acme,bar";
                    ...
                    gpio-controller;
            };
    
            ...
    }
    
    bazz {
            my-gpios = <&gpio0 ...>;
    }
    
    Case 1: The driver for "foo" populates struct device for these gpio*
    nodes and then probes them using a driver that binds with "acme,bar".
    This driver for "acme,bar" then registers the gpio* nodes with gpiolib.
    This lines up with how DT nodes with the "compatible" property are
    typically converted to struct devices and then registered with driver
    core to probe them. This also allows the gpio* devices to hook into all
    the driver core capabilities like runtime PM, probe deferral,
    suspend/resume ordering, device links, etc.
    
    Case 2: The driver for "foo" doesn't populate struct devices for these
    gpio* nodes before registering them with gpiolib. Instead it just loops
    through its child nodes and directly registers the gpio* nodes with
    gpiolib.
    
    Drivers that follow case 2 cause problems with fw_devlink=on. This is
    because fw_devlink will prevent bazz from probing until there's a struct
    device that has gpio0 as its fwnode (because bazz lists gpio0 as a GPIO
    supplier). Once the struct device is available, fw_devlink will create a
    device link with gpio0 device as the supplier and bazz device as the
    consumer. After this point, since the gpio0 device will never bind to a
    driver, the device link will prevent bazz device from ever probing.
    
    Finding and refactoring all the instances of drivers that follow case 2
    will cause a lot of code churn and it is not something that can be done
    in one shot. In some instances it might not even be possible to refactor
    them cleanly. Examples of such instances are [1] [2].
    
    This patch works around this problem and avoids all the code churn by
    simply setting the fwnode of the gpio_device and creating a stub driver
    to bind to the gpio_device. This allows all the consumers to continue
    probing when the driver follows case 2.
    
    [1] - https://lore.kernel.org/lkml/20201014191235.7f71fcb4@xhacker.debian/
    [2] - https://lore.kernel.org/lkml/e28e1f38d87c12a3c714a6573beba6e1@kernel.org/
    
    Fixes: e590474768f1 ("driver core: Set fw_devlink=on by default")
    Cc: Marc Zyngier <maz@kernel.org>
    Cc: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
    Cc: Kever Yang <kever.yang@rock-chips.com>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Acked-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
    Signed-off-by: Saravana Kannan <saravanak@google.com>
    Link: https://lore.kernel.org/r/20210122193600.1415639-1-saravanak@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 drivers/gpio/gpiolib-of.c | 11 +++++++++++
 drivers/gpio/gpiolib-of.h |  5 +++++
 drivers/gpio/gpiolib.c    | 38 +++++++++++++++++++++++++++++++-------
 3 files changed, 47 insertions(+), 7 deletions(-)

culprit signature: 455ff425cfacac859e561a37122be4501d7f4415a6fed6b67c2a4429d3180305
parent  signature: 3adc6eed528b3f08f30f268a8d8284d57218798f9fbae6467578bfcabd48b98f
revisions tested: 17, total time: 3h23m19.667184919s (build: 1h26m36.511936279s, test: 1h54m27.797674006s)
first bad commit: 4731210c09f5977300f439b6c56ba220c65b2348 gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default
recipients (to): ["bgolaszewski@baylibre.com" "gregkh@linuxfoundation.org" "linus.walleij@linaro.org" "saravanak@google.com"]
recipients (cc): []
crash: BUG: unable to handle kernel NULL pointer dereference in release_nodes
usb 6-1: USB disconnect, device number 2
BUG: kernel NULL pointer dereference, address: 0000000000000590
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 10bb1b067 P4D 10bb1b067 PUD 10be25067 PMD 0 
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 4904 Comm: kworker/0:3 Not tainted 5.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event

RIP: 0010:__list_del_entry_valid+0xa/0x50 lib/list_debug.c:43
Code: 89 c1 48 89 fe 48 c7 c7 60 55 7b 84 e8 70 cc 70 01 0f 0b 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 48 b9 00 01 00 00 00 00 ad de <48> 8b 07 48 8b 57 08 48 39 c8 0f 84 c4 72 77 01 48 b9 22 01 00 00
RSP: 0018:ffffc90000d77a00 EFLAGS: 00010286
RAX: ffffffff81e6f0f0 RBX: 0000000000000000 RCX: dead000000000100
RDX: 0000000000000001 RSI: ffffffff846ac8ac RDI: 0000000000000590
RBP: ffff88811ed67a00 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000006 R12: ffffffff8504f680
R13: ffff88811ee4d0d0 R14: 0000000000000000 R15: ffff88811ee74cb8
FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000590 CR3: 000000010bed0000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:132 [inline]
 list_del include/linux/list.h:146 [inline]
 gpiodevice_release+0x11/0x80 drivers/gpio/gpiolib.c:477
 device_release+0x2b/0x80 drivers/base/core.c:2055
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x7c/0x1c0 lib/kobject.c:753
 release_nodes+0x229/0x270 drivers/base/devres.c:523
 __device_release_driver drivers/base/dd.c:1160 [inline]
 device_release_driver_internal+0xff/0x1d0 drivers/base/dd.c:1187
 bus_remove_device+0xea/0x160 drivers/base/bus.c:533
 device_del+0x186/0x3e0 drivers/base/core.c:3363
 platform_device_del.part.11+0xe/0x60 drivers/base/platform.c:783
 platform_device_del drivers/base/platform.c:820 [inline]
 platform_device_unregister+0x17/0x30 drivers/base/platform.c:821
 mfd_remove_devices_fn+0x3f/0x50 drivers/mfd/mfd-core.c:375
 device_for_each_child_reverse+0x54/0x90 drivers/base/core.c:3526
 mfd_remove_devices+0x2d/0x50 drivers/mfd/mfd-core.c:391
 vprbrd_disconnect+0x1a/0x60 drivers/mfd/viperboard.c:111
 usb_unbind_interface+0x6e/0x250 drivers/usb/core/driver.c:458
 __device_release_driver drivers/base/dd.c:1156 [inline]
 device_release_driver_internal+0xef/0x1d0 drivers/base/dd.c:1187
 bus_remove_device+0xea/0x160 drivers/base/bus.c:533
 device_del+0x186/0x3e0 drivers/base/core.c:3363
 usb_disable_device+0xa4/0x220 drivers/usb/core/message.c:1413
 usb_disconnect+0xbc/0x2c0 drivers/usb/core/hub.c:2218
 hub_port_connect drivers/usb/core/hub.c:5074 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
 port_event drivers/usb/core/hub.c:5509 [inline]
 hub_event+0xa3e/0x15f0 drivers/usb/core/hub.c:5591
 process_one_work+0x293/0x600 kernel/workqueue.c:2275
 process_scheduled_works kernel/workqueue.c:2337 [inline]
 worker_thread+0x1ff/0x380 kernel/workqueue.c:2423
 kthread+0x144/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
CR2: 0000000000000590
---[ end trace 111ebd768b6d2b88 ]---
RIP: 0010:__list_del_entry_valid+0xa/0x50 lib/list_debug.c:43
Code: 89 c1 48 89 fe 48 c7 c7 60 55 7b 84 e8 70 cc 70 01 0f 0b 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 48 b9 00 01 00 00 00 00 ad de <48> 8b 07 48 8b 57 08 48 39 c8 0f 84 c4 72 77 01 48 b9 22 01 00 00
RSP: 0018:ffffc90000d77a00 EFLAGS: 00010286
RAX: ffffffff81e6f0f0 RBX: 0000000000000000 RCX: dead000000000100
RDX: 0000000000000001 RSI: ffffffff846ac8ac RDI: 0000000000000590
RBP: ffff88811ed67a00 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000006 R12: ffffffff8504f680
R13: ffff88811ee4d0d0 R14: 0000000000000000 R15: ffff88811ee74cb8
FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000590 CR3: 000000010bed0000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400