bisecting cause commit starting from b01f250d83f6c3af5c77699dd14e7b48ee0b5383 building syzkaller on 6593fd32d71a33f76462f347ef263e26600d998e testing commit b01f250d83f6c3af5c77699dd14e7b48ee0b5383 with gcc (GCC) 8.1.0 kernel signature: b1e103ff4b9b3e9de737ae96297ca821db7f9024b17ead150185e931efb98d21 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: 0ac21c7bec8a01fc2233fe2faf9cb6641f5d6068f7226445cdb28206bf6f01d9 all runs: OK # git bisect start b01f250d83f6c3af5c77699dd14e7b48ee0b5383 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 11010 revisions left to test after this (roughly 14 steps) [be695ee29e8fc0af266d9f1882868c47da01a790] Merge tag 'ceph-for-5.11-rc1' of git://github.com/ceph/ceph-client testing commit be695ee29e8fc0af266d9f1882868c47da01a790 with gcc (GCC) 8.1.0 kernel signature: c899b7f47930248b3cde8210023736481485121c7ddac3754a9c08c5a8da6fde all runs: OK # git bisect good be695ee29e8fc0af266d9f1882868c47da01a790 Bisecting: 5509 revisions left to test after this (roughly 13 steps) [0652bd53e0c0575dc41543bcc51a1076768d3872] Merge remote-tracking branch 'pci/next' testing commit 0652bd53e0c0575dc41543bcc51a1076768d3872 with gcc (GCC) 8.1.0 kernel signature: 699c8f551ef801018cf493b90c3cf92df39164588129c4bd1ed86f11971b0aab all runs: OK # git bisect good 0652bd53e0c0575dc41543bcc51a1076768d3872 Bisecting: 2737 revisions left to test after this (roughly 12 steps) [f435e1394249cacaf0fa6cd172d76254ceb071a3] Merge remote-tracking branch 'amdgpu/drm-next' testing commit f435e1394249cacaf0fa6cd172d76254ceb071a3 with gcc (GCC) 8.1.0 kernel signature: a9e90cc45015cb75f895e4214967d8467a141217fffb1b258a916c293d3a21c5 all runs: OK # git bisect good f435e1394249cacaf0fa6cd172d76254ceb071a3 Bisecting: 1377 revisions left to test after this (roughly 11 steps) [589e25c6dfdd535e8eba052f7314054f6d75be4a] Merge remote-tracking branch 'drivers-x86/for-next' testing commit 589e25c6dfdd535e8eba052f7314054f6d75be4a with gcc (GCC) 8.1.0 kernel signature: a44fc8028eea84612fee1e7ebcc3c432bf2c27d10066d3e6a90b92516f6911c9 all runs: OK # git bisect good 589e25c6dfdd535e8eba052f7314054f6d75be4a Bisecting: 638 revisions left to test after this (roughly 10 steps) [dffa1670056fe42a75f02f303f20cca1e1ef8e00] Merge remote-tracking branch 'scsi/for-next' testing commit dffa1670056fe42a75f02f303f20cca1e1ef8e00 with gcc (GCC) 8.1.0 kernel signature: 1804b2139e393682f9107681916910b79ac792252180d9f37350afa77f2bddba all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes # git bisect bad dffa1670056fe42a75f02f303f20cca1e1ef8e00 Bisecting: 370 revisions left to test after this (roughly 9 steps) [0f65047c477a78bba324bee03a01f6768054d8ac] Merge remote-tracking branch 'extcon/extcon-next' testing commit 0f65047c477a78bba324bee03a01f6768054d8ac with gcc (GCC) 8.1.0 kernel signature: a28ad1a64f2af6b9aa501811b8ebdafe0d0b70655022023648d743c0218737de all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes # git bisect bad 0f65047c477a78bba324bee03a01f6768054d8ac Bisecting: 173 revisions left to test after this (roughly 8 steps) [98e3752c43e9228edf7ee29d461f56c971ff9628] Merge remote-tracking branch 'usb-serial/usb-next' testing commit 98e3752c43e9228edf7ee29d461f56c971ff9628 with gcc (GCC) 8.1.0 kernel signature: b6d1802f445ac672c9caabb728e7fe25d860c4713dcd4cbc2d7ddc4172952be0 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes # git bisect bad 98e3752c43e9228edf7ee29d461f56c971ff9628 Bisecting: 96 revisions left to test after this (roughly 7 steps) [c00243e7cd5c5c018f8addd6d7c234e2ef16d202] usb: typec: ucsi: Add conditional dependency on USB role switch testing commit c00243e7cd5c5c018f8addd6d7c234e2ef16d202 with gcc (GCC) 8.1.0 kernel signature: 87c882fb455050f40901f886b712bb0f1f615442640d4372e2d6716da74ea5b1 all runs: OK # git bisect good c00243e7cd5c5c018f8addd6d7c234e2ef16d202 Bisecting: 48 revisions left to test after this (roughly 6 steps) [4d2aeb214b221250593e0b3bf8382f4f9863e244] Merge remote-tracking branch 'driver-core/driver-core-next' testing commit 4d2aeb214b221250593e0b3bf8382f4f9863e244 with gcc (GCC) 8.1.0 kernel signature: 7849cad226e8407f75ec38eac6f7315761a2359c255be21641860f02f9edac90 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes # git bisect bad 4d2aeb214b221250593e0b3bf8382f4f9863e244 Bisecting: 27 revisions left to test after this (roughly 5 steps) [e825165f56ef384b2ba7a4f5912b78db8dd01c4e] Merge remote-tracking branch 'hsi/for-next' testing commit e825165f56ef384b2ba7a4f5912b78db8dd01c4e with gcc (GCC) 8.1.0 kernel signature: a44fc8028eea84612fee1e7ebcc3c432bf2c27d10066d3e6a90b92516f6911c9 all runs: OK # git bisect good e825165f56ef384b2ba7a4f5912b78db8dd01c4e Bisecting: 13 revisions left to test after this (roughly 4 steps) [4044b2fcfb2048a256529ecbd869b43713982006] drivers: base: change 'driver_create_groups' to 'driver_add_groups' in printk testing commit 4044b2fcfb2048a256529ecbd869b43713982006 with gcc (GCC) 8.1.0 kernel signature: 3adc6eed528b3f08f30f268a8d8284d57218798f9fbae6467578bfcabd48b98f all runs: OK # git bisect good 4044b2fcfb2048a256529ecbd869b43713982006 Bisecting: 6 revisions left to test after this (roughly 3 steps) [9a5ad5c5b2d25508996f10ee6b428d5df91d9160] leds: trigger: fix potential deadlock with libata testing commit 9a5ad5c5b2d25508996f10ee6b428d5df91d9160 with gcc (GCC) 8.1.0 kernel signature: f72ae9e6bca8d5db2f0ba7b795efb6c576ffa20a522c775ffe879deea7be7a1d all runs: OK # git bisect good 9a5ad5c5b2d25508996f10ee6b428d5df91d9160 Bisecting: 3 revisions left to test after this (roughly 2 steps) [6d0348cefe7d098e744a9a2141febe8fc20197d3] Merge remote-tracking branch 'ipmi/for-next' testing commit 6d0348cefe7d098e744a9a2141febe8fc20197d3 with gcc (GCC) 8.1.0 kernel signature: 0148f0b1aa74d87f8bfc233b328d97d2ec530b1c43f190d4df05a737d44331c3 all runs: OK # git bisect good 6d0348cefe7d098e744a9a2141febe8fc20197d3 Bisecting: 1 revision left to test after this (roughly 1 step) [38009c766725a9877ea8866fc813a5460011817f] drivers/base: build kunit tests without structleak plugin testing commit 38009c766725a9877ea8866fc813a5460011817f with gcc (GCC) 8.1.0 kernel signature: 3adc6eed528b3f08f30f268a8d8284d57218798f9fbae6467578bfcabd48b98f all runs: OK # git bisect good 38009c766725a9877ea8866fc813a5460011817f Bisecting: 0 revisions left to test after this (roughly 0 steps) [4731210c09f5977300f439b6c56ba220c65b2348] gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default testing commit 4731210c09f5977300f439b6c56ba220c65b2348 with gcc (GCC) 8.1.0 kernel signature: 455ff425cfacac859e561a37122be4501d7f4415a6fed6b67c2a4429d3180305 all runs: crashed: BUG: unable to handle kernel NULL pointer dereference in release_nodes # git bisect bad 4731210c09f5977300f439b6c56ba220c65b2348 4731210c09f5977300f439b6c56ba220c65b2348 is the first bad commit commit 4731210c09f5977300f439b6c56ba220c65b2348 Author: Saravana Kannan Date: Fri Jan 22 11:35:59 2021 -0800 gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default There are multiple instances of GPIO device tree nodes of the form: foo { compatible = "acme,foo"; ... gpio0: gpio0@xxxxxxxx { compatible = "acme,bar"; ... gpio-controller; }; gpio1: gpio1@xxxxxxxx { compatible = "acme,bar"; ... gpio-controller; }; ... } bazz { my-gpios = <&gpio0 ...>; } Case 1: The driver for "foo" populates struct device for these gpio* nodes and then probes them using a driver that binds with "acme,bar". This driver for "acme,bar" then registers the gpio* nodes with gpiolib. This lines up with how DT nodes with the "compatible" property are typically converted to struct devices and then registered with driver core to probe them. This also allows the gpio* devices to hook into all the driver core capabilities like runtime PM, probe deferral, suspend/resume ordering, device links, etc. Case 2: The driver for "foo" doesn't populate struct devices for these gpio* nodes before registering them with gpiolib. Instead it just loops through its child nodes and directly registers the gpio* nodes with gpiolib. Drivers that follow case 2 cause problems with fw_devlink=on. This is because fw_devlink will prevent bazz from probing until there's a struct device that has gpio0 as its fwnode (because bazz lists gpio0 as a GPIO supplier). Once the struct device is available, fw_devlink will create a device link with gpio0 device as the supplier and bazz device as the consumer. After this point, since the gpio0 device will never bind to a driver, the device link will prevent bazz device from ever probing. Finding and refactoring all the instances of drivers that follow case 2 will cause a lot of code churn and it is not something that can be done in one shot. In some instances it might not even be possible to refactor them cleanly. Examples of such instances are [1] [2]. This patch works around this problem and avoids all the code churn by simply setting the fwnode of the gpio_device and creating a stub driver to bind to the gpio_device. This allows all the consumers to continue probing when the driver follows case 2. [1] - https://lore.kernel.org/lkml/20201014191235.7f71fcb4@xhacker.debian/ [2] - https://lore.kernel.org/lkml/e28e1f38d87c12a3c714a6573beba6e1@kernel.org/ Fixes: e590474768f1 ("driver core: Set fw_devlink=on by default") Cc: Marc Zyngier Cc: Jisheng Zhang Cc: Kever Yang Reviewed-by: Linus Walleij Acked-by: Bartosz Golaszewski Signed-off-by: Saravana Kannan Link: https://lore.kernel.org/r/20210122193600.1415639-1-saravanak@google.com Signed-off-by: Greg Kroah-Hartman drivers/gpio/gpiolib-of.c | 11 +++++++++++ drivers/gpio/gpiolib-of.h | 5 +++++ drivers/gpio/gpiolib.c | 38 +++++++++++++++++++++++++++++++------- 3 files changed, 47 insertions(+), 7 deletions(-) culprit signature: 455ff425cfacac859e561a37122be4501d7f4415a6fed6b67c2a4429d3180305 parent signature: 3adc6eed528b3f08f30f268a8d8284d57218798f9fbae6467578bfcabd48b98f revisions tested: 17, total time: 3h23m19.667184919s (build: 1h26m36.511936279s, test: 1h54m27.797674006s) first bad commit: 4731210c09f5977300f439b6c56ba220c65b2348 gpiolib: Bind gpio_device to a driver to enable fw_devlink=on by default recipients (to): ["bgolaszewski@baylibre.com" "gregkh@linuxfoundation.org" "linus.walleij@linaro.org" "saravanak@google.com"] recipients (cc): [] crash: BUG: unable to handle kernel NULL pointer dereference in release_nodes usb 6-1: USB disconnect, device number 2 BUG: kernel NULL pointer dereference, address: 0000000000000590 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 10bb1b067 P4D 10bb1b067 PUD 10be25067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 4904 Comm: kworker/0:3 Not tainted 5.11.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event RIP: 0010:__list_del_entry_valid+0xa/0x50 lib/list_debug.c:43 Code: 89 c1 48 89 fe 48 c7 c7 60 55 7b 84 e8 70 cc 70 01 0f 0b 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 48 b9 00 01 00 00 00 00 ad de <48> 8b 07 48 8b 57 08 48 39 c8 0f 84 c4 72 77 01 48 b9 22 01 00 00 RSP: 0018:ffffc90000d77a00 EFLAGS: 00010286 RAX: ffffffff81e6f0f0 RBX: 0000000000000000 RCX: dead000000000100 RDX: 0000000000000001 RSI: ffffffff846ac8ac RDI: 0000000000000590 RBP: ffff88811ed67a00 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000006 R12: ffffffff8504f680 R13: ffff88811ee4d0d0 R14: 0000000000000000 R15: ffff88811ee74cb8 FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000590 CR3: 000000010bed0000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry include/linux/list.h:132 [inline] list_del include/linux/list.h:146 [inline] gpiodevice_release+0x11/0x80 drivers/gpio/gpiolib.c:477 device_release+0x2b/0x80 drivers/base/core.c:2055 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x7c/0x1c0 lib/kobject.c:753 release_nodes+0x229/0x270 drivers/base/devres.c:523 __device_release_driver drivers/base/dd.c:1160 [inline] device_release_driver_internal+0xff/0x1d0 drivers/base/dd.c:1187 bus_remove_device+0xea/0x160 drivers/base/bus.c:533 device_del+0x186/0x3e0 drivers/base/core.c:3363 platform_device_del.part.11+0xe/0x60 drivers/base/platform.c:783 platform_device_del drivers/base/platform.c:820 [inline] platform_device_unregister+0x17/0x30 drivers/base/platform.c:821 mfd_remove_devices_fn+0x3f/0x50 drivers/mfd/mfd-core.c:375 device_for_each_child_reverse+0x54/0x90 drivers/base/core.c:3526 mfd_remove_devices+0x2d/0x50 drivers/mfd/mfd-core.c:391 vprbrd_disconnect+0x1a/0x60 drivers/mfd/viperboard.c:111 usb_unbind_interface+0x6e/0x250 drivers/usb/core/driver.c:458 __device_release_driver drivers/base/dd.c:1156 [inline] device_release_driver_internal+0xef/0x1d0 drivers/base/dd.c:1187 bus_remove_device+0xea/0x160 drivers/base/bus.c:533 device_del+0x186/0x3e0 drivers/base/core.c:3363 usb_disable_device+0xa4/0x220 drivers/usb/core/message.c:1413 usb_disconnect+0xbc/0x2c0 drivers/usb/core/hub.c:2218 hub_port_connect drivers/usb/core/hub.c:5074 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xa3e/0x15f0 drivers/usb/core/hub.c:5591 process_one_work+0x293/0x600 kernel/workqueue.c:2275 process_scheduled_works kernel/workqueue.c:2337 [inline] worker_thread+0x1ff/0x380 kernel/workqueue.c:2423 kthread+0x144/0x170 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Modules linked in: CR2: 0000000000000590 ---[ end trace 111ebd768b6d2b88 ]--- RIP: 0010:__list_del_entry_valid+0xa/0x50 lib/list_debug.c:43 Code: 89 c1 48 89 fe 48 c7 c7 60 55 7b 84 e8 70 cc 70 01 0f 0b 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 48 b9 00 01 00 00 00 00 ad de <48> 8b 07 48 8b 57 08 48 39 c8 0f 84 c4 72 77 01 48 b9 22 01 00 00 RSP: 0018:ffffc90000d77a00 EFLAGS: 00010286 RAX: ffffffff81e6f0f0 RBX: 0000000000000000 RCX: dead000000000100 RDX: 0000000000000001 RSI: ffffffff846ac8ac RDI: 0000000000000590 RBP: ffff88811ed67a00 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: 0000000000000006 R12: ffffffff8504f680 R13: ffff88811ee4d0d0 R14: 0000000000000000 R15: ffff88811ee74cb8 FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000590 CR3: 000000010bed0000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400