bisecting fixing commit since 6d906f99817951e2257d577656899da02bb33105
building syzkaller on b0e8efcb4b0aac61f4647a76bbe54a5d38a370ba
testing commit 6d906f99817951e2257d577656899da02bb33105 with gcc (GCC) 8.1.0
kernel signature: f3e156eb0001f8fd92552ef8602d84eaf454860c
run #0: crashed: KASAN: use-after-free Read in _free_event
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing current HEAD b3a987b0264d3ddbb24293ebff10eddfc472f653
testing commit b3a987b0264d3ddbb24293ebff10eddfc472f653 with gcc (GCC) 8.1.0
kernel signature: 7eb82ba845dc235e4516ef89e1dc315f40a9679b
run #0: crashed: INFO: task hung in perf_event_free_task
run #1: crashed: INFO: task hung in perf_event_free_task
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 31m58.245841146s (build: 11m18.013558558s, test: 19m54.981355488s)
the crash still happens on HEAD
commit msg: Linux 5.5-rc6
crash: INFO: task hung in perf_event_free_task
INFO: task syz-executor.5:29633 blocked for more than 143 seconds.
      Not tainted 5.5.0-rc6-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.5 D29320 29633 7469 0x00004006
Call Trace:
 context_switch kernel/sched/core.c:3385 [inline]
 __schedule+0x856/0x1910 kernel/sched/core.c:4081
 schedule+0xc3/0x2b0 kernel/sched/core.c:4155
 perf_event_free_task+0x45d/0x660 kernel/events/core.c:11997
 copy_process+0x376b/0x65c0 kernel/fork.c:2333
 _do_fork+0xec/0xc30 kernel/fork.c:2421
 __do_sys_clone kernel/fork.c:2576 [inline]
 __se_sys_clone kernel/fork.c:2557 [inline]
 __x64_sys_clone+0x176/0x230 kernel/fork.c:2557
 do_syscall_64+0xd0/0x600 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458c29
Code: fe de fa ff ff 0f 84 90 00 00 00 48 8d 84 24 70 03 00 00 48 29 f0 48 3d f8 02 00 01 76 7d 48 81 ec 08 00 00 01 48 89 ac 24 00 <00> 00 01 48 8d ac 24 00 00 00 01 48 8b 59 20 48 85 db 75 67 48 8b
RSP: 002b:00007fbbad22bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458c29
RDX: 9999999999999999 RSI: 0000000000000000 RDI: 0000002102001ff9
RBP: 000000000073bf00 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbbad22c6d4
R13: 00000000004befd3 R14: 00000000004d0020 R15: 00000000ffffffff

Showing all locks held in the system:
1 lock held by khungtaskd/1058:
 #0: ffffffff8859c5c0 (rcu_read_lock){....}, at: debug_show_all_locks+0x5b/0x275 kernel/locking/lockdep.c:5334
2 locks held by getty/7348:
 #0: ffff88808f56f090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f212e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7349:
 #0: ffff8880a3f5b090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f392e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7350:
 #0: ffff8880990d7090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f312e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7351:
 #0: ffff8880970b1090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f2d2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7352:
 #0: ffff888097a68090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f152e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7353:
 #0: ffff88808f6fb090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f292e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7354:
 #0: ffff88809ae04090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f012e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1058 Comm: khungtaskd Not tainted 5.5.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 nmi_cpu_backtrace.cold.7+0x4b/0x84 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x18b/0x1b7 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
 watchdog+0x611/0xc50 kernel/hung_task.c:289
 kthread+0x334/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 350 Comm: kworker/u4:3 Not tainted 5.5.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_nc_worker
RIP: 0010:cpumask_test_cpu include/linux/cpumask.h:360 [inline]
RIP: 0010:trace_lock_acquire include/trace/events/lock.h:13 [inline]
RIP: 0010:lock_acquire+0x136/0x410 kernel/locking/lockdep.c:4484
Code: c8 7c 08 84 c9 0f 85 64 02 00 00 c7 82 94 08 00 00 01 00 00 00 0f 1f 44 00 00 65 8b 15 db 4f af 7e 83 fa 3f 0f 87 2c 02 00 00 <89> d2 be 08 00 00 00 48 89 d0 48 89 55 c0 48 c1 f8 06 48 8d 3c c5
RSP: 0018:ffff8880a8c2fc18 EFLAGS: 00000093
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880a8c24914
RBP: ffff8880a8c2fc60 R08: 0000000000000001 R09: 0000000000000000
R10: fffffbfff138c827 R11: ffffffff89c6413f R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f65d8001ad8 CR3: 00000000a87d2000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:343 [inline]
 batadv_nc_purge_paths+0xc0/0x300 net/batman-adv/network-coding.c:441
 batadv_nc_worker+0x220/0x620 net/batman-adv/network-coding.c:721
 process_one_work+0x85b/0x1630 kernel/workqueue.c:2264
 worker_thread+0x85/0xb60 kernel/workqueue.c:2410
 kthread+0x334/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352