==================================================================
BUG: KFENCE: use-after-free read in arch_atomic64_read arch/x86/include/asm/atomic64_64.h:15 [inline]
BUG: KFENCE: use-after-free read in raw_atomic64_read include/linux/atomic/atomic-arch-fallback.h:2583 [inline]
BUG: KFENCE: use-after-free read in raw_atomic_long_read include/linux/atomic/atomic-long.h:38 [inline]
BUG: KFENCE: use-after-free read in atomic_long_read include/linux/atomic/atomic-instrumented.h:3189 [inline]
BUG: KFENCE: use-after-free read in __mutex_unlock_slowpath+0x10a/0x750 kernel/locking/mutex.c:921

Use-after-free read at 0xffff88823bd54e80 (in kfence-#169):
 arch_atomic64_read arch/x86/include/asm/atomic64_64.h:15 [inline]
 raw_atomic64_read include/linux/atomic/atomic-arch-fallback.h:2583 [inline]
 raw_atomic_long_read include/linux/atomic/atomic-long.h:38 [inline]
 atomic_long_read include/linux/atomic/atomic-instrumented.h:3189 [inline]
 __mutex_unlock_slowpath+0x10a/0x750 kernel/locking/mutex.c:921
 vhost_task_fn+0x3bc/0x3f0 kernel/vhost_task.c:65
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

kfence-#169: 0xffff88823bd54e00-0xffff88823bd54f0f, size=272, cache=kmalloc-512

allocated by task 5955 on cpu 0 at 104.079419s:
 kfence_alloc include/linux/kfence.h:129 [inline]
 slab_alloc_node mm/slub.c:3978 [inline]
 kmalloc_trace_noprof+0x237/0x2b0 mm/slub.c:4141
 kmalloc_noprof include/linux/slab.h:660 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 vhost_task_create+0x149/0x300 kernel/vhost_task.c:134
 vhost_worker_create+0x17b/0x3f0 drivers/vhost/vhost.c:667
 vhost_dev_set_owner+0x563/0x940 drivers/vhost/vhost.c:945
 vhost_dev_ioctl+0xda/0xda0 drivers/vhost/vhost.c:2108
 vhost_vsock_dev_ioctl+0x2bb/0xfa0 drivers/vhost/vsock.c:875
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

freed by task 5953 on cpu 1 at 104.266554s:
 vhost_worker_destroy drivers/vhost/vhost.c:629 [inline]
 vhost_workers_free drivers/vhost/vhost.c:648 [inline]
 vhost_dev_cleanup+0x9b0/0xba0 drivers/vhost/vhost.c:1051
 vhost_vsock_dev_release+0x3aa/0x410 drivers/vhost/vsock.c:751
 __fput+0x406/0x8b0 fs/file_table.c:422
 __do_sys_close fs/open.c:1555 [inline]
 __se_sys_close fs/open.c:1540 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1540
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 PID: 5958 Comm: vhost-5955 Not tainted 6.9.0-rc6-next-20240501-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:arch_atomic64_read arch/x86/include/asm/atomic64_64.h:15 [inline]
RIP: 0010:raw_atomic64_read include/linux/atomic/atomic-arch-fallback.h:2583 [inline]
RIP: 0010:raw_atomic_long_read include/linux/atomic/atomic-long.h:38 [inline]
RIP: 0010:atomic_long_read include/linux/atomic/atomic-instrumented.h:3189 [inline]
RIP: 0010:__mutex_unlock_slowpath+0x10a/0x750 kernel/locking/mutex.c:921
Code: df f5 4c 89 f7 be 08 00 00 00 e8 31 d0 68 f6 4c 89 f0 48 c1 e8 03 48 89 44 24 28 42 80 3c 28 00 74 08 4c 89 f7 e8 a6 cd 68 f6 <49> 8b 1e 4d 89 e7 49 c1 ef 03 49 c7 c4 e0 e6 79 94 49 c1 ec 03 48
RSP: 0018:ffffc900137bfcc0 EFLAGS: 00010246
RAX: 1ffff110477aa9d0 RBX: ffffc900137bfd40 RCX: ffffffff8b92f55f
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88823bd54e80
RBP: ffffc900137bfdd0 R08: ffff88823bd54e87 R09: 1ffff110477aa9d0
R10: dffffc0000000000 R11: ffffed10477aa9d1 R12: ffffc900137bfd60
R13: dffffc0000000000 R14: ffff88823bd54e80 R15: ffffffff8164997c
FS: 00007f0aa8e846c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bd54e80 CR3: 00000000246ae000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 vhost_task_fn+0x3bc/0x3f0 kernel/vhost_task.c:65
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
==================================================================
----------------
Code disassembly (best guess):
   0:	df f5                	fcomip %st(5),%st
   2:	4c 89 f7             	mov    %r14,%rdi
   5:	be 08 00 00 00       	mov    $0x8,%esi
   a:	e8 31 d0 68 f6       	call   0xf668d040
   f:	4c 89 f0             	mov    %r14,%rax
  12:	48 c1 e8 03          	shr    $0x3,%rax
  16:	48 89 44 24 28       	mov    %rax,0x28(%rsp)
  1b:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  20:	74 08                	je     0x2a
  22:	4c 89 f7             	mov    %r14,%rdi
  25:	e8 a6 cd 68 f6       	call   0xf668cdd0
* 2a:	49 8b 1e             	mov    (%r14),%rbx <-- trapping instruction
  2d:	4d 89 e7             	mov    %r12,%r15
  30:	49 c1 ef 03          	shr    $0x3,%r15
  34:	49 c7 c4 e0 e6 79 94 	mov    $0xffffffff9479e6e0,%r12
  3b:	49 c1 ec 03          	shr    $0x3,%r12
  3f:	48                   	rex.W