bisecting fixing commit since 6d906f99817951e2257d577656899da02bb33105
building syzkaller on b0e8efcb4b0aac61f4647a76bbe54a5d38a370ba
testing commit 6d906f99817951e2257d577656899da02bb33105 with gcc (GCC) 8.1.0
kernel signature: 4786dfd88201dc9dece00367a3c20cf5f30f6e227571eca534a4c67da1f51991
run #0: crashed: KASAN: use-after-free Read in _free_event
run #1: crashed: KASAN: use-after-free Read in _free_event
run #2: crashed: KASAN: use-after-free Read in _free_event
run #3: crashed: KASAN: use-after-free Read in _free_event
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing current HEAD 0bf999f9c5e74c7ecf9dafb527146601e5c848b9
testing commit 0bf999f9c5e74c7ecf9dafb527146601e5c848b9 with gcc (GCC) 8.1.0
kernel signature: 3ea9ce0665f57bfa6216669751ff31ca72b70733009e6e67f10ba4dec9497f91
run #0: crashed: INFO: task hung in perf_event_free_task
run #1: crashed: INFO: task hung in perf_event_free_task
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 33m6.518799702s (build: 12m23.065114256s, test: 19m54.152993852s)
the crash still happens on HEAD
commit msg: linux/pipe_fs_i.h: fix kernel-doc warnings after @wait was split
crash: INFO: task hung in perf_event_free_task

INFO: task syz-executor.4:22808 blocked for more than 143 seconds.
      Not tainted 5.6.0-rc1-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.4  D28928 22808   7636 0x00004006
Call Trace:
 context_switch kernel/sched/core.c:3386 [inline]
 __schedule+0x856/0x1910 kernel/sched/core.c:4082
 schedule+0xc3/0x2b0 kernel/sched/core.c:4156
 perf_event_free_task+0x45d/0x660 kernel/events/core.c:12008
 copy_process+0x35fa/0x6380 kernel/fork.c:2342
 _do_fork+0xec/0xc30 kernel/fork.c:2430
 __do_sys_clone kernel/fork.c:2585 [inline]
 __se_sys_clone kernel/fork.c:2566 [inline]
 __x64_sys_clone+0x176/0x230 kernel/fork.c:2566
 do_syscall_64+0xd0/0x600 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458c29
Code: fe de fa ff ff 0f 84 90 00 00 00 48 8d 84 24 70 03 00 00 48 29 f0 48 3d f8 02 00 01 76 7d 48 81 ec 08 00 00 01 48 89 ac 24 00 <00> 00 01 48 8d ac 24 00 00 00 01 48 8b 59 20 48 85 db 75 67 48 8b
RSP: 002b:00007ff744e1cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458c29
RDX: 9999999999999999 RSI: 0000000000000000 RDI: 0000002102001ff9
RBP: 000000000073bf00 R08: ffffffffffffffff R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff744e1d6d4
R13: 00000000004befd3 R14: 00000000004d0020 R15: 00000000ffffffff

Showing all locks held in the system:
1 lock held by khungtaskd/557:
 #0: ffffffff885a5500 (rcu_read_lock){....}, at: debug_show_all_locks+0x5b/0x275 kernel/locking/lockdep.c:5333
1 lock held by rsyslogd/7430:
 #0: ffff8880a42b08a0 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xa3/0xc0 fs/file.c:821
2 locks held by getty/7520:
 #0: ffff888090e4b090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f112e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7521:
 #0: ffff888096f14090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f392e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7522:
 #0: ffff888098e4a090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f2d2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7523:
 #0: ffff888097633090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f352e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7524:
 #0: ffff8880a9412090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f312e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7525:
 #0: ffff8880923d0090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f252e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156
2 locks held by getty/7526:
 #0: ffff888098e67090 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:340
 #1: ffffc90005f012e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x1ee/0x17d0 drivers/tty/n_tty.c:2156

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 557 Comm: khungtaskd Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 nmi_cpu_backtrace.cold.7+0x4b/0x84 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x18b/0x1b7 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
 watchdog+0x611/0xc50 kernel/hung_task.c:289
 kthread+0x334/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 754 Comm: kworker/u4:8 Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: bat_events batadv_nc_worker
RIP: 0010:lock_release+0x51/0x910 kernel/locking/lockdep.c:4492
Code: eb 03 48 81 ec c0 00 00 00 48 c7 85 38 ff ff ff b3 8a b5 41 48 8d 04 13 48 89 b5 30 ff ff ff 48 c7 85 40 ff ff ff 06 9e 1a 88 <48> c7 85 48 ff ff ff c0 a8 52 81 65 4c 8b 3c 25 c0 1e 02 00 c7 00
RSP: 0018:ffff8880a84f7c10 EFLAGS: 00000282
RAX: ffffed101509ef86 RBX: 1ffff1101509ef86 RCX: 1ffff11015198c97
RDX: dffffc0000000000 RSI: ffffffff86bd4a54 RDI: ffffffff885a5500
RBP: ffff8880a84f7cf8 R08: ffffed1015da706c R09: ffffed1015da706c
R10: ffffed1015da706b R11: ffff8880aed3835b R12: ffff8880a84f7cd0
R13: ffffffff885a5500 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880aed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f00838fd140 CR3: 000000009a678000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rcu_lock_release include/linux/rcupdate.h:213 [inline]
 rcu_read_unlock include/linux/rcupdate.h:655 [inline]
 batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:411 [inline]
 batadv_nc_worker+0x190/0x620 net/batman-adv/network-coding.c:718
 process_one_work+0x891/0x1690 kernel/workqueue.c:2264
 worker_thread+0x85/0xb60 kernel/workqueue.c:2410
 kthread+0x334/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352