------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 24519 at lib/refcount.c:28 refcount_warn_saturate+0x10f/0x1b0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 24519 Comm: syz.2.5121 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0x10f/0x1b0 lib/refcount.c:28
Code: 0a 01 48 c7 c7 40 35 1c 8b e8 6d c1 26 fd 0f 0b eb e0 e8 e4 0a 5d fd c6 05 78 a4 4b 0a 01 48 c7 c7 a0 35 1c 8b e8 51 c1 26 fd <0f> 0b eb c4 e8 c8 0a 5d fd c6 05 59 a4 4b 0a 01 48 c7 c7 e0 34 1c
RSP: 0018:ffffc900001f0ba8 EFLAGS: 00010246
RAX: 203bc72e996c4500 RBX: 0000000000000003 RCX: ffff88802da20000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc900001f0cb0 R08: ffffc900001f07a7 R09: 1ffff9200003e0f4
R10: dffffc0000000000 R11: fffff5200003e0f5 R12: 1ffff9200003e17c
R13: ffff88802d9481b8 R14: ffff88802d948020 R15: 0000000000000001
FS: 00007fc1174226c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2fd1cff8 CR3: 00000000627d2000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
<IRQ>
call_timer_fn+0x189/0x540 kernel/time/timer.c:1701
expire_timers kernel/time/timer.c:1752 [inline]
__run_timers+0x542/0x800 kernel/time/timer.c:2023
run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2036
handle_softirqs+0x280/0x820 kernel/softirq.c:578
__do_softirq kernel/softirq.c:612 [inline]
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:preempt_schedule_irq+0xba/0x150 kernel/sched/core.c:7010
Code: 00 00 43 c6 44 37 04 f8 74 0b 0f 0b 48 f7 03 08 00 00 00 74 6f bf 01 00 00 00 e8 51 d6 cd f6 e8 7c e3 fe f6 fb bf 01 00 00 00 <e8> f1 b4 ff ff 43 c6 44 37 08 00 48 c7 44 24 40 00 00 00 00 9c 8f
RSP: 0018:ffffc9000357fa80 EFLAGS: 00000282
RAX: 203bc72e996c4500 RBX: 0000000000000000 RCX: 203bc72e996c4500
RDX: dffffc0000000000 RSI: ffffffff8acac9e0 RDI: 0000000000000001
RBP: ffffc9000357fb30 R08: ffffffff911c652f R09: 1ffffffff2238ca5
R10: dffffc0000000000 R11: fffffbfff2238ca6 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920006aff50
irqentry_exit+0x67/0x70 kernel/entry/common.c:438
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:678
RIP: 0010:qlink_to_object mm/kasan/quarantine.c:138 [inline]
RIP: 0010:qlink_free mm/kasan/quarantine.c:143 [inline]
RIP: 0010:qlist_free_all+0x3f/0xd0 mm/kasan/quarantine.c:185
Code: 00 49 89 f6 48 89 fb 49 bd 00 00 00 00 00 fc ff df 49 89 ef 4d 89 f4 4d 85 f6 75 0b 4c 89 ff e8 c7 04 00 00 49 89 c4 49 8b 2f <49> 63 84 24 c0 00 00 00 49 29 c7 4c 89 e7 4c 89 fe e8 ab e8 ff ff
RSP: 0018:ffffc9000357fbf8 EFLAGS: 00000286
RAX: ffff88801da52640 RBX: ffffc9000357fc30 RCX: ffffea0001a66ec0
RDX: ffffea0000000000 RSI: 0000000000000378 RDI: 0000000000000379
RBP: ffff88814cd16000 R08: 0000000000000001 R09: 0000000000000000
R10: ffff888141f30000 R11: fffffbfff2238ca6 R12: ffff88801da52640
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8880699bb780
kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:306
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook+0x6e/0x4b0 mm/slab.h:767
slab_alloc_node mm/slub.c:3495 [inline]
slab_alloc mm/slub.c:3503 [inline]
__kmem_cache_alloc_lru mm/slub.c:3510 [inline]
kmem_cache_alloc+0x11a/0x2d0 mm/slub.c:3519
sk_prot_alloc+0x57/0x210 net/core/sock.c:2090
sk_alloc+0x3a/0x360 net/core/sock.c:2152
inet_create+0x7a0/0xfe0 net/ipv4/af_inet.c:325
__sock_create+0x4a6/0x940 net/socket.c:1570
sock_create net/socket.c:1626 [inline]
__sys_socket_create net/socket.c:1663 [inline]
__sys_socket+0xd7/0x1a0 net/socket.c:1714
__do_sys_socket net/socket.c:1728 [inline]
__se_sys_socket net/socket.c:1726 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1726
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fc11659cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc117422028 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00007fc116815fa0 RCX: 00007fc11659cdd9
RDX: 0000000000000002 RSI: 0000000000000003 RDI: 0000000000000002
RBP: 00007fc116632d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc116816038 R14: 00007fc116815fa0 R15: 00007fffd487aec8
</TASK>
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 43 c6 44 37 04 f8 movb $0xf8,0x4(%r15,%r14,1)
8: 74 0b je 0x15
a: 0f 0b ud2
c: 48 f7 03 08 00 00 00 testq $0x8,(%rbx)
13: 74 6f je 0x84
15: bf 01 00 00 00 mov $0x1,%edi
1a: e8 51 d6 cd f6 call 0xf6cdd670
1f: e8 7c e3 fe f6 call 0xf6fee3a0
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 f1 b4 ff ff call 0xffffb520 <-- trapping instruction
2f: 43 c6 44 37 08 00 movb $0x0,0x8(%r15,%r14,1)
35: 48 c7 44 24 40 00 00 movq $0x0,0x40(%rsp)
3c: 00 00
3e: 9c pushf
3f: 8f .byte 0x8f