[syzbot] [raid?] WARNING: refcount bug in trace_suspend_resume

[syzbot <syzbot+60bcc1e0853c7179dfc8@syzkaller.appspotmail.com>]

Hello,

syzbot found the following issue on:

HEAD commit:    186f3edfdd41 Merge tag 'pinctrl-v6.17-1' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=173f0042580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2830738f4a5181eb
dashboard link: https://syzkaller.appspot.com/bug?extid=60bcc1e0853c7179dfc8
compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1748f834580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14c8fcf0580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/98a89b9f34e4/non_bootable_disk-186f3edf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/85e73a28f18d/vmlinux-186f3edf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1cb9a6c732ea/zImage-186f3edf.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+60bcc1e0853c7179dfc8@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 0 PID: 3065 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28
refcount_t: underflow; use-after-free.
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 3065 Comm: kworker/0:3 Not tainted 6.16.0-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
Workqueue: md_misc mddev_delayed_delete
Call trace: 
[<80201a24>] (dump_backtrace) from [<80201b20>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:8281f77c r5:00000000 r4:82260f18
[<80201b08>] (show_stack) from [<8021fbf4>] (__dump_stack lib/dump_stack.c:94 [inline])
[<80201b08>] (show_stack) from [<8021fbf4>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<8021fba0>] (dump_stack_lvl) from [<8021fc34>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000000 r4:82a77d18
[<8021fc1c>] (dump_stack) from [<80202624>] (vpanic+0x10c/0x360 kernel/panic.c:440)
[<80202518>] (vpanic) from [<802028ac>] (trace_suspend_resume+0x0/0xd8 kernel/panic.c:574)
 r7:808bb0e8
[<80202878>] (panic) from [<802548cc>] (check_panic_on_warn kernel/panic.c:333 [inline])
[<80202878>] (panic) from [<802548cc>] (get_taint+0x0/0x1c kernel/panic.c:328)
 r3:8280c684 r2:00000001 r1:822479f0 r0:8224f3b8
[<80254858>] (check_panic_on_warn) from [<80254a30>] (__warn+0x80/0x188 kernel/panic.c:845)
[<802549b0>] (__warn) from [<80254d20>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:880)
 r8:00000009 r7:822b98e4 r6:ec1cde54 r5:848eec00 r4:00000000
[<80254b3c>] (warn_slowpath_fmt) from [<808bb0e8>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28)
 r10:83811e70 r9:8339f225 r8:848eec00 r7:dddced40 r6:8339f200 r5:84ccfa1c
 r4:84ccf850
[<808bafac>] (refcount_warn_saturate) from [<81a11768>] (__refcount_sub_and_test include/linux/refcount.h:400 [inline])
[<808bafac>] (refcount_warn_saturate) from [<81a11768>] (__refcount_dec_and_test include/linux/refcount.h:432 [inline])
[<808bafac>] (refcount_warn_saturate) from [<81a11768>] (refcount_dec_and_test include/linux/refcount.h:450 [inline])
[<808bafac>] (refcount_warn_saturate) from [<81a11768>] (kref_put include/linux/kref.h:64 [inline])
[<808bafac>] (refcount_warn_saturate) from [<81a11768>] (kobject_put+0x158/0x1f4 lib/kobject.c:737)
[<81a11610>] (kobject_put) from [<81169718>] (mddev_delayed_delete+0x14/0x18 drivers/md/md.c:5893)
 r7:dddced40 r6:8339f200 r5:84ccfa1c r4:84b39d00
[<81169704>] (mddev_delayed_delete) from [<8027a32c>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3236)
[<8027a178>] (process_one_work) from [<8027af74>] (process_scheduled_works kernel/workqueue.c:3319 [inline])
[<8027a178>] (process_one_work) from [<8027af74>] (worker_thread+0x1fc/0x3d8 kernel/workqueue.c:3400)
 r10:61c88647 r9:848eec00 r8:84b39d2c r7:82804d40 r6:dddced40 r5:dddced60
 r4:84b39d00
[<8027ad78>] (worker_thread) from [<80281f5c>] (kthread+0x12c/0x280 kernel/kthread.c:464)
 r10:00000000 r9:84b39d00 r8:8027ad78 r7:df83de60 r6:84ae1980 r5:848eec00
 r4:00000001
[<80281e30>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137)
Exception stack(0xec1cdfb0 to 0xec1cdff8)
dfa0:                                     00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:80281e30
 r4:84b57fc0
Rebooting in 86400 seconds..


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup