==================================================================
BUG: KFENCE: use-after-free read in bdev_nr_sectors include/linux/genhd.h:266 [inline]
BUG: KFENCE: use-after-free read in disk_part_iter_next+0x1cd/0x530 block/genhd.c:206

Use-after-free read at 0xffff88823bda0028 (in kfence-#207):
 bdev_nr_sectors include/linux/genhd.h:266 [inline]
 disk_part_iter_next+0x1cd/0x530 block/genhd.c:206
 blk_drop_partitions+0x10a/0x180 block/partitions/core.c:541
 bdev_disk_changed+0x238/0x430 fs/block_dev.c:1246
 __loop_clr_fd+0xc7c/0xff0 drivers/block/loop.c:1271
 loop_clr_fd drivers/block/loop.c:1336 [inline]
 lo_ioctl+0x3b9/0x1620 drivers/block/loop.c:1694
 blkdev_ioctl+0x2a1/0x6d0 block/ioctl.c:583
 block_ioctl+0xf9/0x140 fs/block_dev.c:1667
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

kfence-#207 [0xffff88823bda0000-0xffff88823bda0ae7, size=2792, cache=bdev_cache] allocated by task 16860:
 bdev_alloc_inode+0x18/0x80 fs/block_dev.c:795
 alloc_inode+0x61/0x230 fs/inode.c:234
 new_inode_pseudo fs/inode.c:928 [inline]
 new_inode+0x27/0x2f0 fs/inode.c:957
 bdev_alloc+0x20/0x2f0 fs/block_dev.c:885
 add_partition+0x1ab/0x880 block/partitions/core.c:346
 bdev_add_partition+0xb6/0x130 block/partitions/core.c:449
 blkpg_do_ioctl+0x2d0/0x340 block/ioctl.c:43
 blkpg_ioctl block/ioctl.c:60 [inline]
 blkdev_ioctl+0x577/0x6d0 block/ioctl.c:548
 block_ioctl+0xf9/0x140 fs/block_dev.c:1667
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

freed by task 27839:
 i_callback+0x3f/0x70 fs/inode.c:223
 rcu_do_batch kernel/rcu/tree.c:2559 [inline]
 rcu_core+0x74a/0x12f0 kernel/rcu/tree.c:2794
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu kernel/softirq.c:422 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
 _raw_spin_unlock_irq+0x25/0x40 kernel/locking/spinlock.c:199
 finish_lock_switch kernel/sched/core.c:4074 [inline]
 finish_task_switch.isra.0+0x15d/0x810 kernel/sched/core.c:4191
 context_switch kernel/sched/core.c:4325 [inline]
 __schedule+0x919/0x21b0 kernel/sched/core.c:5073
 preempt_schedule_irq+0x4e/0x90 kernel/sched/core.c:5530
 irqentry_exit_cond_resched kernel/entry/common.c:392 [inline]
 irqentry_exit_cond_resched kernel/entry/common.c:384 [inline]
 irqentry_exit+0x7a/0xa0 kernel/entry/common.c:428
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
 lock_is_held_type+0xfd/0x140 kernel/locking/lockdep.c:5554
 lock_is_held include/linux/lockdep.h:278 [inline]
 kernfs_find_ns+0x2e7/0x370 fs/kernfs/dir.c:832
 kernfs_find_and_get_ns+0x2f/0x60 fs/kernfs/dir.c:905
 kernfs_find_and_get include/linux/kernfs.h:548 [inline]
 sysfs_unmerge_group+0x5d/0x160 fs/sysfs/group.c:366
 dev_pm_qos_constraints_destroy+0x2c/0x780 drivers/base/power/qos.c:259
 dpm_sysfs_remove+0x6a/0xb0 drivers/base/power/sysfs.c:834
 device_del+0x20c/0xd40 drivers/base/core.c:3398
 delete_partition+0xac/0x170 block/partitions/core.c:292
 blk_drop_partitions+0xfd/0x180 block/partitions/core.c:542
 bdev_disk_changed+0x238/0x430 fs/block_dev.c:1246
 loop_reread_partitions+0x29/0x50 drivers/block/loop.c:655
 loop_set_status+0x704/0x1050 drivers/block/loop.c:1418
 loop_set_status64 drivers/block/loop.c:1538 [inline]
 lo_ioctl+0x4ca/0x1620 drivers/block/loop.c:1706
 blkdev_ioctl+0x2a1/0x6d0 block/ioctl.c:583
 block_ioctl+0xf9/0x140 fs/block_dev.c:1667
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

CPU: 0 PID: 27839 Comm: syz-executor.0 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:bdev_nr_sectors include/linux/genhd.h:266 [inline]
RIP: 0010:disk_part_iter_next+0x1cd/0x530 block/genhd.c:206
Code: 44 24 20 48 c1 e8 03 4c 01 e0 48 89 44 24 10 e8 59 0d bc fd 48 8d 7d 28 48 89 f8 48 c1 e8 03 42 80 3c 20 00 0f 85 cb 02 00 00 <48> 8b 45 28 48 8d 78 50 48 89 fa 48 c1 ea 03 42 80 3c 22 00 0f 85
RSP: 0018:ffffc90001b0f8c8 EFLAGS: 00010246
RAX: 1ffff110477b4005 RBX: ffffc90001b0f9a8 RCX: ffffc900156b1000
RDX: 0000000000040000 RSI: ffffffff83b7e0d7 RDI: ffff88823bda0028
RBP: ffff88823bda0000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffc90001b0f9b0 R14: ffffc90001b0f9b8 R15: ffffc90001b0f910
FS:  00007f26b7c6f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bda0028 CR3: 0000000066b81000 CR4: 0000000000350ef0
Call Trace:
 blk_drop_partitions+0x10a/0x180 block/partitions/core.c:541
 bdev_disk_changed+0x238/0x430 fs/block_dev.c:1246
 __loop_clr_fd+0xc7c/0xff0 drivers/block/loop.c:1271
 loop_clr_fd drivers/block/loop.c:1336 [inline]
 lo_ioctl+0x3b9/0x1620 drivers/block/loop.c:1694
 blkdev_ioctl+0x2a1/0x6d0 block/ioctl.c:583
 block_ioctl+0xf9/0x140 fs/block_dev.c:1667
 vfs_ioctl fs/ioctl.c:48 [inline]
 __do_sys_ioctl fs/ioctl.c:753 [inline]
 __se_sys_ioctl fs/ioctl.c:739 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x466217
Code: 3c 1c 48 f7 d8 49 39 c4 72 b8 e8 a4 48 02 00 85 c0 78 bd 48 83 c4 08 4c 89 e0 5b 41 5c c3 0f 1f 44 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f26b7c6eef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f26b7c6ef40 RCX: 0000000000466217
RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000006
RBP: 00007f26b7c6f6bc R08: 0000000000000001 R09: 00007f26b7c6ed90
R10: 00007f26b7c6ec47 R11: 0000000000000246 R12: 0000000000000008
R13: 0000000000000000 R14: 0000000000000000 R15: 00007f26b7c6ef80
==================================================================