==================================================================
BUG: KFENCE: use-after-free read in __list_del_entry_valid+0xc1/0x110 lib/list_debug.c:62

Use-after-free read at 0xffff88823bdc45d0 (in kfence-#225):
 __list_del_entry_valid+0xc1/0x110 lib/list_debug.c:62
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 unregister_shrinker mm/vmscan.c:736 [inline]
 unregister_shrinker+0x83/0x2f0 mm/vmscan.c:730
 nfsd_reply_cache_shutdown+0x22/0x280 fs/nfsd/nfscache.c:210
 nfsd_exit_net+0x110/0x4c0 fs/nfsd/nfsctl.c:1479
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:162
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

kfence-#225: 0xffff88823bdc4000-0xffff88823bdc468f, size=1680, cache=kmalloc-2k

allocated by task 6225 on cpu 0 at 286.724677s:
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 ops_init+0xfb/0x470 net/core/net_namespace.c:124
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 copy_namespaces+0x391/0x450 kernel/nsproxy.c:178
 copy_process+0x304d/0x7090 kernel/fork.c:2257
 kernel_clone+0xe7/0xab0 kernel/fork.c:2671
 __do_sys_clone+0xba/0x100 kernel/fork.c:2805
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

freed by task 6225 on cpu 0 at 286.906433s:
 ops_init+0xcd/0x470 net/core/net_namespace.c:139
 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325
 copy_net_ns+0x318/0x760 net/core/net_namespace.c:471
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 copy_namespaces+0x391/0x450 kernel/nsproxy.c:178
 copy_process+0x304d/0x7090 kernel/fork.c:2257
 kernel_clone+0xe7/0xab0 kernel/fork.c:2671
 __do_sys_clone+0xba/0x100 kernel/fork.c:2805
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 1 PID: 47 Comm: kworker/u4:3 Not tainted 6.0.0-syzkaller-02744-g2e30960097f6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: netns cleanup_net
RIP: 0010:__list_del_entry_valid+0xc1/0x110 lib/list_debug.c:62
Code: 75 51 49 8b 14 24 48 39 ea 0f 85 22 d6 4b 05 49 8d 7d 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 22 <49> 8b 55 08 48 39 ea 0f 85 58 d6 4b 05 5d b8 01 00 00 00 41 5c 41
RSP: 0018:ffffc90000b87b48 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff888046fb6458 RCX: ffffffff8985948e
RDX: 1ffff110477b88ba RSI: 0000000000000008 RDI: ffff88823bdc45d0
RBP: ffff888046fb6478 R08: 0000000000000001 R09: ffffffff8c083a0f
R10: fffffbfff1810741 R11: 0000000000000000 R12: ffff888046fb65c8
R13: ffff88823bdc45c8 R14: ffff888046fb6480 R15: fffffbfff1861da8
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bdc45d0 CR3: 000000000bc8e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 unregister_shrinker mm/vmscan.c:736 [inline]
 unregister_shrinker+0x83/0x2f0 mm/vmscan.c:730
 nfsd_reply_cache_shutdown+0x22/0x280 fs/nfsd/nfscache.c:210
 nfsd_exit_net+0x110/0x4c0 fs/nfsd/nfsctl.c:1479
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:162
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
 process_one_work+0x991/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
==================================================================
----------------
Code disassembly (best guess):
   0:   75 51                   jne    0x53
   2:   49 8b 14 24             mov    (%r12),%rdx
   6:   48 39 ea                cmp    %rbp,%rdx
   9:   0f 85 22 d6 4b 05       jne    0x54bd631
   f:   49 8d 7d 08             lea    0x8(%r13),%rdi
  13:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1a:   fc ff df
  1d:   48 89 fa                mov    %rdi,%rdx
  20:   48 c1 ea 03             shr    $0x3,%rdx
  24:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
  28:   75 22                   jne    0x4c
* 2a:   49 8b 55 08             mov    0x8(%r13),%rdx           <-- trapping instruction
  2e:   48 39 ea                cmp    %rbp,%rdx
  31:   0f 85 58 d6 4b 05       jne    0x54bd68f
  37:   5d                      pop    %rbp
  38:   b8 01 00 00 00          mov    $0x1,%eax
  3d:   41 5c                   pop    %r12
  3f:   41                      rex.B