------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0x107/0x1f0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc1-syzkaller-00116-g150aae354b81 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:refcount_warn_saturate+0x107/0x1f0 lib/refcount.c:28
Code: 1d db a3 52 0a 31 ff 89 de e8 a5 42 76 fd 84 db 75 a3 e8 2c 46 76 fd 48 c7 c7 60 78 a6 8a c6 05 bb a3 52 0a 01 e8 b9 45 b4 05 <0f> 0b eb 87 e8 10 46 76 fd 0f b6 1d a4 a3 52 0a 31 ff 89 de e8 70
RSP: 0018:ffffc90000528d88 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888012cbd7c0 RSI: ffffffff8166721c RDI: fffff520000a51a3
RBP: ffff888000d46228 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000010002 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888000d46228 R14: ffff888022ba9400 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88802c700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020003000 CR3: 000000007545c000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
p9_req_put+0x1f6/0x250 net/9p/client.c:397
req_done+0x1e2/0x2e0 net/9p/trans_virtio.c:147
vring_interrupt drivers/virtio/virtio_ring.c:2470 [inline]
vring_interrupt+0x2a1/0x3d0 drivers/virtio/virtio_ring.c:2445
__handle_irq_event_percpu+0x264/0x970 kernel/irq/handle.c:158
handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
handle_edge_irq+0x263/0xd00 kernel/irq/chip.c:819
generic_handle_irq_desc include/linux/irqdesc.h:158 [inline]
handle_irq arch/x86/kernel/irq.c:231 [inline]
__common_interrupt+0xa1/0x210 arch/x86/kernel/irq.c:250
common_interrupt+0xa8/0xd0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:default_idle+0xf/0x10 arch/x86/kernel/process.c:731
Code: e8 f6 20 c6 f7 e9 8c fd ff ff 4c 89 f7 e8 e9 20 c6 f7 e9 3a fd ff ff cc cc cc cc f3 0f 1e fa 66 90 0f 00 2d e3 49 3d 00 fb f4 <c3> f3 0f 1e fa 41 54 be 08 00 00 00 53 65 48 8b 1c 25 00 ac 03 00
RSP: 0018:ffffc9000045fdf8 EFLAGS: 00000242
RAX: 00000000001fe4ab RBX: ffff888012cbd7c0 RCX: ffffffff8a061cf5
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff88802c73602b
R10: ffffed10058e6c05 R11: 0000000000000001 R12: 0000000000000001
R13: 0000000000000001 R14: ffffffff8e72d690 R15: 0000000000000000
default_idle_call+0x84/0xc0 kernel/sched/idle.c:109
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x410/0x590 kernel/sched/idle.c:303
cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:400
start_secondary+0x256/0x300 arch/x86/kernel/smpboot.c:264
secondary_startup_64_no_verify+0xce/0xdb
----------------
Code disassembly (best guess):
0: e8 f6 20 c6 f7 callq 0xf7c620fb
5: e9 8c fd ff ff jmpq 0xfffffd96
a: 4c 89 f7 mov %r14,%rdi
d: e8 e9 20 c6 f7 callq 0xf7c620fb
12: e9 3a fd ff ff jmpq 0xfffffd51
17: cc int3
18: cc int3
19: cc int3
1a: cc int3
1b: f3 0f 1e fa endbr64
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d e3 49 3d 00 verw 0x3d49e3(%rip) # 0x3d4a0b
28: fb sti
29: f4 hlt
* 2a: c3 retq <-- trapping instruction
2b: f3 0f 1e fa endbr64
2f: 41 54 push %r12
31: be 08 00 00 00 mov $0x8,%esi
36: 53 push %rbx
37: 65 48 8b 1c 25 00 ac mov %gs:0x3ac00,%rbx
3e: 03 00