bisecting cause commit starting from f75aef392f869018f78cfedf3c320a6b3fcfda6b
building syzkaller on d5a3ae1f760e7cb2cd5a721d9645ae22eae114fe
testing commit f75aef392f869018f78cfedf3c320a6b3fcfda6b with gcc (GCC) 8.1.0
kernel signature: 6634d7e4c21c26f7c96e95b90cd05eefbfc923ad56f8eff83c7283bae07a59c4
all runs: crashed: no output from test machine
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 16f658a0062cb88c1867cf085bb302f679f0ab2ebdcf04b49519114e4c74d2cc
run #0: crashed: WARNING: kobject bug in delete_partition
run #1: crashed: WARNING: refcount bug in delete_partition
run #2: crashed: WARNING: refcount bug in delete_partition
run #3: crashed: no output from test machine
run #4: crashed: no output from test machine
run #5: crashed: no output from test machine
run #6: crashed: no output from test machine
run #7: crashed: no output from test machine
run #8: crashed: no output from test machine
run #9: crashed: no output from test machine
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: e37e3977b095c2e3007f70269637727a0f61fc5dad539d282c7f7aa6179f7af5
all runs: OK
# git bisect start bcf876870b95592b52519ed4aafcf9d95999bc9c 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
Bisecting: 8752 revisions left to test after this (roughly 13 steps)
[694b5a5d313f3997764b67d52bab66ec7e59e714] Merge tag 'arm-soc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit 694b5a5d313f3997764b67d52bab66ec7e59e714 with gcc (GCC) 8.1.0
kernel signature: e11220ca1069a3aa93a3c091b92ceb8a75d655e10e9a987f6b5589d49ad44155
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad 694b5a5d313f3997764b67d52bab66ec7e59e714
Bisecting: 4417 revisions left to test after this (roughly 12 steps)
[2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0
kernel signature: 203970a93b060e390bce0196c75d339ee39e13f7ad2b3a0119baa960625e9215
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63
Bisecting: 2658 revisions left to test after this (roughly 11 steps)
[cfa3b8068b09f25037146bfd5eed041b78878bee] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma
testing commit cfa3b8068b09f25037146bfd5eed041b78878bee with gcc (GCC) 8.1.0
kernel signature: c94d70a736fd2a0c04ac16bc33b4ba36468f9ce0587b7c7f5b3ad6a07693d4d1
all runs: OK
# git bisect good cfa3b8068b09f25037146bfd5eed041b78878bee
Bisecting: 1328 revisions left to test after this (roughly 10 steps)
[c41219fda6e04255c44d37fd2c0d898c1c46abf1] Merge tag 'drm-intel-next-fixes-2020-05-20' of git://anongit.freedesktop.org/drm/drm-intel into drm-next
testing commit c41219fda6e04255c44d37fd2c0d898c1c46abf1 with gcc (GCC) 8.1.0
kernel signature: 6a1e453fef9753a95616931b1399744076060a77cab3aa094702ae029acdcd31
all runs: OK
# git bisect good c41219fda6e04255c44d37fd2c0d898c1c46abf1
Bisecting: 602 revisions left to test after this (roughly 9 steps)
[f3cdc8ae116e27d84e1f33c7a2995960cebb73ac] Merge tag 'for-5.8-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit f3cdc8ae116e27d84e1f33c7a2995960cebb73ac with gcc (GCC) 8.1.0
kernel signature: 0dd2db01bc3c8cf57cbf491a5ec460d41af62322b270164c1f2712343fa5e894
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad f3cdc8ae116e27d84e1f33c7a2995960cebb73ac
Bisecting: 327 revisions left to test after this (roughly 9 steps)
[bce159d734091fe31340976081577333f52a85e4] Merge tag 'for-5.8/drivers-2020-06-01' of git://git.kernel.dk/linux-block
testing commit bce159d734091fe31340976081577333f52a85e4 with gcc (GCC) 8.1.0
kernel signature: a7dabc6eefd2a131a02366dc4119fdd0ebc02224cfe85107dc67f6959f8eb1b7
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad bce159d734091fe31340976081577333f52a85e4
Bisecting: 198 revisions left to test after this (roughly 8 steps)
[95093350394a394e7c4e778176194b14b76ec5d8] nvme: introduce max_integrity_segments ctrl attribute
testing commit 95093350394a394e7c4e778176194b14b76ec5d8 with gcc (GCC) 8.1.0
drivers/block/aoe/aoeblk.c:410:21: error: 'struct backing_dev_info' has no member named 'name'
# git bisect skip 95093350394a394e7c4e778176194b14b76ec5d8
Bisecting: 198 revisions left to test after this (roughly 8 steps)
[33cfdc2aa6969829f42640f758357e4b015e9f7d] nvme: enforce extended LBA format for fabrics metadata
testing commit 33cfdc2aa6969829f42640f758357e4b015e9f7d with gcc (GCC) 8.1.0
drivers/block/aoe/aoeblk.c:410:21: error: 'struct backing_dev_info' has no member named 'name'
# git bisect skip 33cfdc2aa6969829f42640f758357e4b015e9f7d
Bisecting: 198 revisions left to test after this (roughly 8 steps)
[b5af37ab3a2b143e278340d2c6fa5790d53817e7] block: add a blk_account_io_merge_bio helper
testing commit b5af37ab3a2b143e278340d2c6fa5790d53817e7 with gcc (GCC) 8.1.0
kernel signature: 9c4bfceec328c99d7a348df7687f5746882474c18a7f15a9c842e9a9b224fb76
run #0: crashed: KASAN: use-after-free Read in delete_partition
run #1: crashed: KASAN: use-after-free Read in delete_partition
run #2: crashed: KASAN: use-after-free Read in delete_partition
run #3: crashed: KASAN: use-after-free Read in delete_partition
run #4: crashed: KASAN: use-after-free Read in delete_partition
run #5: crashed: KASAN: use-after-free Read in delete_partition
run #6: crashed: KASAN: use-after-free Read in delete_partition
run #7: crashed: KASAN: use-after-free Read in delete_partition
run #8: crashed: KASAN: use-after-free Read in delete_partition
run #9: boot failed: can't ssh into the instance
# git bisect bad b5af37ab3a2b143e278340d2c6fa5790d53817e7
Bisecting: 52 revisions left to test after this (roughly 6 steps)
[ae979182ebb322ddd159f998ddeed6efa4547073] bdi: fix up for "remove the name field in struct backing_dev_info"
testing commit ae979182ebb322ddd159f998ddeed6efa4547073 with gcc (GCC) 8.1.0
kernel signature: f3835897dd898cd857e794f6d53270c11eff0b839c1ac67a9101e99af2504e58
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad ae979182ebb322ddd159f998ddeed6efa4547073
Bisecting: 26 revisions left to test after this (roughly 5 steps)
[3fdd40861d800a4e1eb67c5158e8ab90076e2f93] block: improve the submit_bio and generic_make_request documentation
testing commit 3fdd40861d800a4e1eb67c5158e8ab90076e2f93 with gcc (GCC) 8.1.0
kernel signature: 8680ad8948bf1578262ea3f94ffb73e7138da5fc7c480f81655390d03d37c02d
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad 3fdd40861d800a4e1eb67c5158e8ab90076e2f93
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[02d33b6771fcc63c98cb48cad0cd8b8fb033837a] block: mark invalidate_partition static
testing commit 02d33b6771fcc63c98cb48cad0cd8b8fb033837a with gcc (GCC) 8.1.0
kernel signature: f2188316125000bc9322dda6a65ca4704a38b06f37307489de6e0490cf7a3ca2
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad 02d33b6771fcc63c98cb48cad0cd8b8fb033837a
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[8da2892e27833c5ee78788a66941e0e96eedad22] block: cleanup hd_struct freeing
testing commit 8da2892e27833c5ee78788a66941e0e96eedad22 with gcc (GCC) 8.1.0
kernel signature: ffbdfbdb8b1da53c6e85063839b46b7adc420f5969f1c713c08619d63faed9e4
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad 8da2892e27833c5ee78788a66941e0e96eedad22
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[a0823421a4d7264fc91c7b3769612331493cec1b] blk-mq: Rerun dispatching in the case of budget contention
testing commit a0823421a4d7264fc91c7b3769612331493cec1b with gcc (GCC) 8.1.0
kernel signature: 1983895b6a8bdbd477da6937fbddfdf4467ac04e79f56deaeddec9d3763dedba
all runs: OK
# git bisect good a0823421a4d7264fc91c7b3769612331493cec1b
Bisecting: 1 revision left to test after this (roughly 1 step)
[fa9156ae597c244df4e12891dc8329f649970d9a] block: refactor blkpg_ioctl
testing commit fa9156ae597c244df4e12891dc8329f649970d9a with gcc (GCC) 8.1.0
kernel signature: e1ad077caed30ee34ef2ca7b436204618c48dbd522442b3fd6c505fa203ad823
all runs: OK
# git bisect good fa9156ae597c244df4e12891dc8329f649970d9a
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[cddae808aeb77e5c29d22a8e0dfbdaed413f9e04] block: pass a hd_struct to delete_partition
testing commit cddae808aeb77e5c29d22a8e0dfbdaed413f9e04 with gcc (GCC) 8.1.0
kernel signature: 5fb5d7f53f4985cb22fa967d0df972ef789f97df064503bb2e21890ddd5a1a71
all runs: crashed: KASAN: use-after-free Read in delete_partition
# git bisect bad cddae808aeb77e5c29d22a8e0dfbdaed413f9e04
cddae808aeb77e5c29d22a8e0dfbdaed413f9e04 is the first bad commit
commit cddae808aeb77e5c29d22a8e0dfbdaed413f9e04
Author: Christoph Hellwig <hch@lst.de>
Date:   Tue Apr 14 09:28:54 2020 +0200

    block: pass a hd_struct to delete_partition
    
    All callers have the hd_struct at hand, so pass it instead of performing
    another lookup.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

 block/blk.h             |  2 +-
 block/genhd.c           |  2 +-
 block/partitions/core.c | 22 ++++++++--------------
 3 files changed, 10 insertions(+), 16 deletions(-)
culprit signature: 5fb5d7f53f4985cb22fa967d0df972ef789f97df064503bb2e21890ddd5a1a71
parent  signature: e1ad077caed30ee34ef2ca7b436204618c48dbd522442b3fd6c505fa203ad823
revisions tested: 19, total time: 3h38m41.121916256s (build: 1h42m11.837913312s, test: 1h54m52.651704511s)
first bad commit: cddae808aeb77e5c29d22a8e0dfbdaed413f9e04 block: pass a hd_struct to delete_partition
recipients (to): ["axboe@kernel.dk" "hch@lst.de" "johannes.thumshirn@wdc.com"]
recipients (cc): []
crash: KASAN: use-after-free Read in delete_partition
==================================================================
BUG: KASAN: use-after-free in kobject_put+0x1c1/0x210 lib/kobject.c:735
Read of size 1 at addr ffff8880a6d39bbc by task syz-executor.4/10804

CPU: 0 PID: 10804 Comm: syz-executor.4 Not tainted 5.7.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:382
 __kasan_report.cold.11+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x32/0x50 mm/kasan/common.c:625
 kobject_put+0x1c1/0x210 lib/kobject.c:735
 delete_partition+0xe7/0x180 block/partitions/core.c:306
 bdev_del_partition+0x156/0x1a0 block/partitions/core.c:530
 blkpg_do_ioctl+0x1fa/0x2a0 block/ioctl.c:33
 blkpg_ioctl block/ioctl.c:69 [inline]
 blkdev_ioctl+0x35e/0x580 block/ioctl.c:589
 block_ioctl+0xd8/0x130 fs/block_dev.c:1996
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xb8/0x110 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f19597f9c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000008c40 RCX: 000000000045d5b9
RDX: 0000000020000000 RSI: 0000000000001269 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffefe84a0ef R14: 00007f19597fa9c0 R15: 000000000118cf4c

Allocated by task 10810:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:495
 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 kobject_create+0x35/0x60 lib/kobject.c:770
 kobject_create_and_add+0xf/0x40 lib/kobject.c:796
 add_partition+0xa37/0xfc0 block/partitions/core.c:424
 bdev_add_partition+0x93/0xe0 block/partitions/core.c:499
 blkpg_do_ioctl+0x1ed/0x2a0 block/ioctl.c:52
 blkpg_ioctl block/ioctl.c:69 [inline]
 blkdev_ioctl+0x35e/0x580 block/ioctl.c:589
 block_ioctl+0xd8/0x130 fs/block_dev.c:1996
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xb8/0x110 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 10818:
 save_stack+0x19/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 kobject_cleanup lib/kobject.c:693 [inline]
 kobject_release lib/kobject.c:722 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x14b/0x210 lib/kobject.c:739
 delete_partition+0xe7/0x180 block/partitions/core.c:306
 bdev_del_partition+0x156/0x1a0 block/partitions/core.c:530
 blkpg_do_ioctl+0x1fa/0x2a0 block/ioctl.c:33
 blkpg_ioctl block/ioctl.c:69 [inline]
 blkdev_ioctl+0x35e/0x580 block/ioctl.c:589
 block_ioctl+0xd8/0x130 fs/block_dev.c:1996
 vfs_ioctl fs/ioctl.c:47 [inline]
 ksys_ioctl+0xb8/0x110 fs/ioctl.c:763
 __do_sys_ioctl fs/ioctl.c:772 [inline]
 __se_sys_ioctl fs/ioctl.c:770 [inline]
 __x64_sys_ioctl+0x6a/0xb0 fs/ioctl.c:770
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff8880a6d39b80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 60 bytes inside of
 64-byte region [ffff8880a6d39b80, ffff8880a6d39bc0)
The buggy address belongs to the page:
page:ffffea00029b4e40 refcount:1 mapcount:0 mapping:00000000b2bb5ad0 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00029d73c8 ffffea000259c948 ffff8880aa400380
raw: 0000000000000000 ffff8880a6d39000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a6d39a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a6d39b00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a6d39b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                        ^
 ffff8880a6d39c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880a6d39c80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
==================================================================