------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: syz.6.1189/10230
Modules linked in:
CPU: 0 UID: 0 PID: 10230 Comm: syz.6.1189 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Code: 34 cc 1c 0b 67 48 0f b9 3a eb 4a e8 f8 f6 31 fd 48 8d 3d 31 cc 1c 0b 67 48 0f b9 3a eb 37 e8 e5 f6 31 fd 48 8d 3d 2e cc 1c 0b <67> 48 0f b9 3a eb 24 e8 d2 f6 31 fd 48 8d 3d 2b cc 1c 0b 67 48 0f
RSP: 0000:ffffc90000007b88 EFLAGS: 00010246
RAX: ffffffff848fc17b RBX: 0000000000000003 RCX: ffff88802585bd00
RDX: 0000000000000100 RSI: ffffffff8e88aec0 RDI: ffffffff8fac8db0
RBP: ffffc90000007c90 R08: ffff88802585bd00 R09: 0000000000000005
R10: 0000000000000004 R11: 0000000000000100 R12: 0000000000000000
R13: ffff88807b818258 R14: ffff88807b818020 R15: 0000000000000001
FS:  000055558d318500(0000) GS:ffff888125c25000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c45e0ec CR3: 000000002d86c000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 call_timer_fn+0x16e/0x590 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2373 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2385
 run_timer_base kernel/time/timer.c:2394 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2404
 handle_softirqs+0x27d/0x850 kernel/softirq.c:626
 __do_softirq kernel/softirq.c:660 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:727
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:preempt_schedule_irq+0xb0/0x150 kernel/sched/core.c:7193
Code: 24 20 f6 44 24 21 02 74 0c 90 0f 0b 48 f7 03 10 00 00 00 74 64 bf 01 00 00 00 e8 7b 23 32 f6 e8 d6 ad 6a f6 fb bf 01 00 00 00 <e8> ab a7 ff ff 48 c7 44 24 40 00 00 00 00 9c 8f 44 24 40 8b 44 24
RSP: 0000:ffffc900033e7d40 EFLAGS: 00000286
RAX: 9038d9e07a2b5100 RBX: 0000000000000000 RCX: 9038d9e07a2b5100
RDX: 0000000000000000 RSI: ffffffff8d997e54 RDI: 0000000000000001
RBP: ffffc900033e7de0 R08: ffffffff8fa22f77 R09: 1ffffffff1f445ee
R10: dffffc0000000000 R11: fffffbfff1f445ef R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff9200067cfa8
 irqentry_exit+0x5d8/0x660 kernel/entry/common.c:216
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:704
RIP: 0010:__exit_to_user_mode_loop kernel/entry/common.c:-1 [inline]
RIP: 0010:exit_to_user_mode_loop kernel/entry/common.c:75 [inline]
RIP: 0010:__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
RIP: 0010:irqentry_exit_to_user_mode_prepare include/linux/irq-entry-common.h:270 [inline]
RIP: 0010:irqentry_exit_to_user_mode include/linux/irq-entry-common.h:339 [inline]
RIP: 0010:irqentry_exit+0x14a/0x660 kernel/entry/common.c:196
Code: cc cc cc b8 00 00 00 c0 48 8d a8 00 e0 ff 3f 41 bc ff ff ff 9f 4c 8d 7c 24 18 f7 c7 37 03 00 00 74 59 49 89 fd e8 46 c0 4d f6 <4c> 89 e8 a8 30 74 08 e8 7a 22 01 00 4c 89 e8 a9 00 01 00 00 74 0b
RSP: 0000:ffffc900033e7ef0 EFLAGS: 00000282
RAX: 9038d9e07a2b5100 RBX: ffff88802585bd00 RCX: 9038d9e07a2b5100
RDX: 0000000000000000 RSI: ffffffff8d997e54 RDI: ffffffff8be07960
RBP: 00000000ffffe000 R08: ffffffff8fa22f77 R09: 1ffffffff1f445ee
R10: dffffc0000000000 R11: fffffbfff1f445ef R12: 000000009fffffff
R13: 0000000000000010 R14: ffffc900033e7f48 R15: ffffc900033e7f08
 asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:704
RIP: 0033:0x7fd82f86f00c
Code: 31 c0 48 81 ce ff ff ff 3f 48 3b 34 c1 0f 84 3b 01 00 00 48 83 c0 01 48 83 f8 04 75 ec 31 f6 80 7c 24 1e 00 0f 85 8e 01 00 00 <41> 83 c7 01 45 3b 78 04 0f 82 6c ff ff ff 80 7b 4e 00 0f 84 17 03
RSP: 002b:00007ffe419dd060 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 00007fd830715720 RCX: ffffffff8170bf10
RDX: 0000000000001f10 RSI: ffffffff8170bf10 RDI: 000000000000000d
RBP: ffffffff8170bf10 R08: 00007fd82fbe6038 R09: 00007fd82fbd2000
R10: 00007fd82f3f7008 R11: 000000000000000d R12: 000000000000000d
R13: 0000000000000000 R14: ffffffff8170b7a5 R15: 00000000000126f0
 </TASK>
----------------
Code disassembly (best guess):
   0:	34 cc                	xor    $0xcc,%al
   2:	1c 0b                	sbb    $0xb,%al
   4:	67 48 0f b9 3a       	ud1    (%edx),%rdi
   9:	eb 4a                	jmp    0x55
   b:	e8 f8 f6 31 fd       	call   0xfd31f708
  10:	48 8d 3d 31 cc 1c 0b 	lea    0xb1ccc31(%rip),%rdi        # 0xb1ccc48
  17:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  1c:	eb 37                	jmp    0x55
  1e:	e8 e5 f6 31 fd       	call   0xfd31f708
  23:	48 8d 3d 2e cc 1c 0b 	lea    0xb1ccc2e(%rip),%rdi        # 0xb1ccc58
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	eb 24                	jmp    0x55
  31:	e8 d2 f6 31 fd       	call   0xfd31f708
  36:	48 8d 3d 2b cc 1c 0b 	lea    0xb1ccc2b(%rip),%rdi        # 0xb1ccc68
  3d:	67                   	addr32
  3e:	48                   	rex.W
  3f:	0f                   	.byte 0xf