bisecting cause commit starting from d8f190ee836a4581ba906731835d735cb97948f5
building syzkaller on 5a58167323289751602879a986a1b9f95531a31b
testing commit d8f190ee836a4581ba906731835d735cb97948f5 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in debugfs_remove
run #1: crashed: KASAN: use-after-free Read in debugfs_remove
run #2: crashed: WARNING: bad unlock balance detected!
run #3: crashed: KASAN: use-after-free Read in debugfs_remove
run #4: crashed: KASAN: use-after-free Read in debugfs_remove
run #5: crashed: KASAN: use-after-free Read in debugfs_remove
run #6: crashed: KASAN: use-after-free Read in debugfs_remove
run #7: crashed: KASAN: use-after-free Read in debugfs_remove
run #8: crashed: KASAN: use-after-free Read in debugfs_remove
run #9: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: invalid-free in relay_open
run #1: crashed: KASAN: invalid-free in relay_open
run #2: crashed: KASAN: use-after-free Read in debugfs_remove
run #3: crashed: KASAN: invalid-free in relay_open
run #4: crashed: KASAN: use-after-free Read in debugfs_remove
run #5: crashed: KASAN: use-after-free Read in debugfs_remove
run #6: crashed: KASAN: invalid-free in relay_open
run #7: crashed: KASAN: invalid-free in relay_open
run #8: crashed: KASAN: use-after-free Read in debugfs_remove
run #9: crashed: KASAN: invalid-free in relay_open
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Read in debugfs_remove
run #1: crashed: KASAN: use-after-free Read in debugfs_remove
run #2: crashed: KASAN: use-after-free Read in debugfs_remove
run #3: crashed: KASAN: use-after-free Read in debugfs_remove
run #4: crashed: KASAN: use-after-free Read in debugfs_remove
run #5: crashed: KASAN: use-after-free Read in debugfs_remove
run #6: crashed: general protection fault in debugfs_remove
run #7: crashed: KASAN: use-after-free Read in debugfs_remove
run #8: crashed: KASAN: use-after-free Read in debugfs_remove
run #9: crashed: KASAN: use-after-free Read in debugfs_remove
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
all runs: crashed: KASAN: use-after-free Read in disk_unblock_events
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
all runs: crashed: KASAN: use-after-free Read in disk_unblock_events
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
all runs: crashed: KASAN: use-after-free Read in disk_unblock_events
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
all runs: crashed: KASAN: use-after-free Read in disk_unblock_events
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0
all runs: crashed: KASAN: use-after-free Read in disk_unblock_events
testing release v4.5
testing commit b562e44f507e863c6792946e4e1b1449fbbac85d with gcc (GCC) 5.5.0
run #0: crashed: WARNING in tracepoint_probe_register_prio
run #1: OK
run #2: OK
run #3: OK
run #4: crashed: WARNING in tracepoint_probe_register_prio
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.4
testing commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc with gcc (GCC) 5.5.0
all runs: crashed: WARNING in tracepoint_probe_register_prio
testing release v4.3
testing commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861 with gcc (GCC) 5.5.0
run #0: crashed: WARNING in tracepoint_probe_register
run #1: crashed: WARNING in tracepoint_probe_register
run #2: crashed: WARNING in tracepoint_probe_register
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.2
testing commit 64291f7db5bd8150a74ad2036f1037e6a0428df2 with gcc (GCC) 5.5.0
all runs: crashed: WARNING in tracepoint_probe_register
testing release v4.1
testing commit b953c0d234bc72e8489d3bf51a276c5c4ec85345 with gcc (GCC) 5.5.0
all runs: crashed: WARNING in tracepoint_probe_register
revisions tested: 20, total time: 2h56m19.344885072s (build: 1h19m31.862014863s, test: 1h32m30.174626257s)
the crash already happened on the oldest tested release
crash: WARNING in tracepoint_probe_register
------------[ cut here ]------------
WARNING: CPU: 1 PID: 31672 at kernel/tracepoint.c:188 tracepoint_add_func kernel/tracepoint.c:188 [inline]()
WARNING: CPU: 1 PID: 31672 at kernel/tracepoint.c:188 tracepoint_probe_register+0xc7/0x250 kernel/tracepoint.c:258()
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 31672 Comm: syz-executor1 Not tainted 4.1.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
 ffffffff82e2b4b8 ffff88006f99bb98 ffffffff8260f242 0000000000000032
 ffffffff82e252bb ffff88006f99bc18 ffffffff8260b0d5 ffff88006f99bbb8
 ffffffff00000008 ffff88006f99bc28 ffff88006f99bbc8 ffff88006f99bc68
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x4f/0x7b lib/dump_stack.c:50
 [] panic+0xcd/0x211 kernel/panic.c:111
 [] warn_slowpath_common+0xbb/0xc0 kernel/panic.c:442
 [] warn_slowpath_null+0x15/0x20 kernel/panic.c:479
 [] tracepoint_add_func kernel/tracepoint.c:188 [inline]
 [] tracepoint_probe_register+0xc7/0x250 kernel/tracepoint.c:258
kobject: 'queue': free name
kobject: 'loop0': free name
kobject: 'queue': free name
kobject: 'loop0': free name
kobject: 'loop4' (ffff88007aa548a0): kobject_uevent_env
kobject: 'loop4' (ffff88007aa548a0): fill_kobj_path: path = '/devices/virtual/block/loop4'
 [] register_trace_block_rq_abort include/trace/events/block.h:108 [inline]
 [] blk_register_tracepoints+0x19/0x400 kernel/trace/blktrace.c:995
 [] do_blk_trace_setup+0x2ce/0x300 kernel/trace/blktrace.c:531
 [] blk_trace_setup+0x5c/0xa0 kernel/trace/blktrace.c:550
 [] blk_trace_ioctl+0xc2/0x160 kernel/trace/blktrace.c:659
 [] blkdev_ioctl+0x5fd/0x820 block/ioctl.c:423
 [] block_ioctl+0x38/0x40 fs/block_dev.c:1586
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x2d8/0x510 fs/ioctl.c:607
 [] SYSC_ioctl fs/ioctl.c:622 [inline]
 [] SyS_ioctl+0x81/0xa0 fs/ioctl.c:613
 [] system_call_fastpath+0x16/0x7a
Kernel Offset: disabled
drm_kms_helper: panic occurred, switching back to text console