------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 9885 at lib/refcount.c:28 refcount_warn_saturate+0x138/0x19c lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 9885 Comm: kworker/0:3 Not tainted 6.16.0-syzkaller-04055-g14bed9bc81ba #0 PREEMPT 
Hardware name: linux,dummy-virt (DT)
Workqueue: md_misc mddev_delayed_delete
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x138/0x19c lib/refcount.c:28
lr : refcount_warn_saturate+0x138/0x19c lib/refcount.c:28
sp : ffff8000a3047a80
x29: ffff8000a3047a80 x28: 0000000000000000 x27: ffff80008708df78
x26: 0000000000000000 x25: ffff000012578d00 x24: ffff800087090000
x23: ffff0000168fc130 x22: 0000000000000004 x21: 1fffe00002d1f826
x20: ffff0000168fc130 x19: 0000000000000003 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000001 x12: ffff60000d413a93
x11: 1fffe0000d413a92 x10: ffff60000d413a92 x9 : dfff800000000000
x8 : ffff00006a09d493 x7 : 0000000000000001 x6 : ffff60000d413a92
x5 : ffff00006a09d490 x4 : 1fffe00002defb59 x3 : dfff800000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000016f7dac0
Call trace:
 refcount_warn_saturate+0x138/0x19c lib/refcount.c:28 (P)
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 kref_put include/linux/kref.h:64 [inline]
 kobject_put+0x29c/0x430 lib/kobject.c:737
 mddev_delayed_delete+0x14/0x20 drivers/md/md.c:5893
 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x734/0xb84 kernel/workqueue.c:3402
 kthread+0x348/0x5fc kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
irq event stamp: 8172
hardirqs last  enabled at (8171): [<ffff80008033b238>] __up_console_sem+0x74/0x94 kernel/printk/printk.c:344
hardirqs last disabled at (8172): [<ffff8000853f4538>] el1_dbg+0x24/0x9c arch/arm64/kernel/entry-common.c:511
softirqs last  enabled at (7968): [<ffff8000801b7658>] softirq_handle_end kernel/softirq.c:425 [inline]
softirqs last  enabled at (7968): [<ffff8000801b7658>] handle_softirqs+0x88c/0xdb4 kernel/softirq.c:607
softirqs last disabled at (7635): [<ffff800080010760>] __do_softirq+0x14/0x20 kernel/softirq.c:613
---[ end trace 0000000000000000 ]---