------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 32116 at lib/refcount.c:28 refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 32116 Comm: syz-executor.0 Not tainted 5.12.0-rc8-syzkaller-00194-g18a3c5f7abfd #0
Hardware name: riscv-virtio,qemu (DT)
epc : refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
ra : refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
epc : ffffffe000977304 ra : ffffffe000977304 sp : ffffffe01fabb6c0
gp : ffffffe004588c00 tp : ffffffe02107af80 t0 : ffffffe004ffdbb7
t1 : ffffffc403f57674 t2 : 0000000000000000 s0 : ffffffe01fabb6e0
s1 : 0000000000000000 a0 : 0000000000000026 a1 : 00000000000f0000
a2 : 0000000000000002 a3 : ffffffe0000e1458 a4 : a96d8b6fe9786d00
a5 : a96d8b6fe9786d00 a6 : 0000000000f00000 a7 : ffffffe01fabb3a7
s2 : ffffffe0044c16ed s3 : ffffffe00d60d018 s4 : ffffffe00dc965b0
s5 : ffffffe00dc965a8 s6 : 00000000000002ff s7 : ffffffe00dc954c0
s8 : ffffffe0057a67a0 s9 : ffffffe018b1e5e0 s10: 0000000000000008
s11: ffffffe00d60d000 t3 : a96d8b6fe9786d00 t4 : ffffffc403f57673
t5 : ffffffc403f57675 t6 : ffffffe01fabb3a8
status: 0000000000000120 badaddr: 0000000000000000 cause: 0000000000000003
Call Trace:
[] refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
[] __refcount_sub_and_test include/linux/refcount.h:283 [inline]
[] __refcount_dec_and_test include/linux/refcount.h:315 [inline]
[] refcount_dec_and_test include/linux/refcount.h:333 [inline]
[] kref_put include/linux/kref.h:64 [inline]
[] nfc_llcp_local_put net/nfc/llcp_core.c:183 [inline]
[] nfc_llcp_local_put+0x15c/0x15e net/nfc/llcp_core.c:178
[] nfc_llcp_sock_free+0xfa/0x10c net/nfc/llcp_sock.c:1005
[] llcp_sock_destruct+0x6a/0x112 net/nfc/llcp_sock.c:950
[] __sk_destruct+0x42/0x546 net/core/sock.c:1795
[] sk_destruct net/core/sock.c:1839 [inline]
[] __sk_free+0x120/0x29a net/core/sock.c:1850
[] sock_wfree+0x18a/0x1c8 net/core/sock.c:2074
[] skb_release_head_state+0x96/0x1a6 net/core/skbuff.c:712
[] skb_release_all net/core/skbuff.c:723 [inline]
[] __kfree_skb net/core/skbuff.c:739 [inline]
[] kfree_skb net/core/skbuff.c:757 [inline]
[] kfree_skb+0xfc/0x3f8 net/core/skbuff.c:751
[] skb_queue_purge+0x1e/0x44 net/core/skbuff.c:3133
[] nfc_llcp_socket_release+0x3a/0x51c net/nfc/llcp_core.c:73
[] local_cleanup+0x1e/0x9c net/nfc/llcp_core.c:155
[] local_release net/nfc/llcp_core.c:174 [inline]
[] kref_put include/linux/kref.h:65 [inline]
[] nfc_llcp_local_put net/nfc/llcp_core.c:183 [inline]
[] nfc_llcp_local_put+0x136/0x15e net/nfc/llcp_core.c:178
[] nfc_llcp_sock_free+0xfa/0x10c net/nfc/llcp_sock.c:1005
[] llcp_sock_destruct+0x6a/0x112 net/nfc/llcp_sock.c:950
[] __sk_destruct+0x42/0x546 net/core/sock.c:1795
[] sk_destruct net/core/sock.c:1839 [inline]
[] __sk_free+0x120/0x29a net/core/sock.c:1850
[] sk_free+0x90/0xa8 net/core/sock.c:1861
[] sock_put include/net/sock.h:1807 [inline]
[] llcp_sock_release+0x2c2/0x378 net/nfc/llcp_sock.c:644
[] __sock_release+0x88/0x17e net/socket.c:599
[] sock_close+0x1e/0x2a net/socket.c:1258
[] __fput+0x166/0x49a fs/file_table.c:280
[] ____fput+0x1a/0x24 fs/file_table.c:313
[] task_work_run+0xd0/0x148 kernel/task_work.c:140
[] exit_task_work include/linux/task_work.h:30 [inline]
[] do_exit+0x770/0x1846 kernel/exit.c:825
[] do_group_exit+0xa0/0x198 kernel/exit.c:922
[] get_signal+0x31e/0x14ba kernel/signal.c:2781
[] do_signal arch/riscv/kernel/signal.c:271 [inline]
[] do_notify_resume+0xa8/0x930 arch/riscv/kernel/signal.c:317
[] ret_from_exception+0x0/0x14