==================================================================
BUG: KFENCE: use-after-free read in arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
BUG: KFENCE: use-after-free read in atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
BUG: KFENCE: use-after-free read in refcount_read include/linux/refcount.h:147 [inline]
BUG: KFENCE: use-after-free read in rxrpc_destroy_all_locals+0x127/0x180 net/rxrpc/local_object.c:434

Use-after-free read at 0xffff88807ebb8014 (in kfence-#219):
 arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
 refcount_read include/linux/refcount.h:147 [inline]
 rxrpc_destroy_all_locals+0x127/0x180 net/rxrpc/local_object.c:434
 rxrpc_exit_net+0x174/0x300 net/rxrpc/net_ns.c:128
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:606
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

kfence-#219: 0xffff88807ebb8000-0xffff88807ebb823f, size=576, cache=kmalloc-1k

allocated by task 19653 on cpu 3 at 3272.321444s:
 kfence_alloc include/linux/kfence.h:128 [inline]
 slab_alloc_node mm/slub.c:3438 [inline]
 __kmem_cache_alloc_node+0x29c/0x430 mm/slub.c:3491
 kmalloc_trace+0x26/0x60 mm/slab_common.c:1062
 kmalloc include/linux/slab.h:580 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 rxrpc_alloc_local net/rxrpc/local_object.c:93 [inline]
 rxrpc_lookup_local+0x4d9/0xfb0 net/rxrpc/local_object.c:249
 rxrpc_bind+0x35e/0x5c0 net/rxrpc/af_rxrpc.c:150
 afs_open_socket+0x1b4/0x360 fs/afs/rxrpc.c:64
 afs_net_init+0xa79/0xed0 fs/afs/main.c:126
 ops_init+0xb9/0x680 net/core/net_namespace.c:135
 setup_net+0x793/0xe60 net/core/net_namespace.c:333
 copy_net_ns+0x31b/0x6b0 net/core/net_namespace.c:483
 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
 copy_namespaces+0x3b3/0x4a0 kernel/nsproxy.c:179
 copy_process+0x30d2/0x7200 kernel/fork.c:2269
 kernel_clone+0xeb/0x990 kernel/fork.c:2686
 __do_sys_clone3+0x1cd/0x2e0 kernel/fork.c:2985
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

freed by task 33 on cpu 3 at 3272.399244s:
 rcu_do_batch kernel/rcu/tree.c:2244 [inline]
 rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2504
 __do_softirq+0x1fb/0xadc kernel/softirq.c:571
 run_ksoftirqd kernel/softirq.c:934 [inline]
 run_ksoftirqd+0x31/0x60 kernel/softirq.c:926
 smpboot_thread_fn+0x659/0xa20 kernel/smpboot.c:164
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

CPU: 3 PID: 6406 Comm: kworker/u16:6 Not tainted 6.1.0-syzkaller-13031-g77856d911a8c #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
RIP: 0010:refcount_read include/linux/refcount.h:147 [inline]
RIP: 0010:rxrpc_destroy_all_locals+0x127/0x180 net/rxrpc/local_object.c:434
Code: be 04 00 00 00 48 89 ef e8 e6 d1 df f8 48 89 e8 48 c1 e8 03 42 0f b6 14 28 48 89 e8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3b <8b> 53 14 48 c7 c7 60 0e 56 8b 48 89 de e8 db 10 c4 00 48 8d 7b 20
RSP: 0018:ffffc90028337be0 EFLAGS: 00010246
RAX: 0000000000000007 RBX: ffff88807ebb8000 RCX: ffffffff88ef860a
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807ebb8014
RBP: ffff88807ebb8014 R08: 0000000000000000 R09: ffff88807ebb8017
R10: ffffed100fd77002 R11: 1ffffffff2106fe3 R12: ffff88805b21c2e8
R13: dffffc0000000000 R14: dffffc0000000000 R15: fffffbfff1c303a0
FS:  0000000000000000(0000) GS:ffff88802c900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88807ebb8014 CR3: 0000000051af8000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rxrpc_exit_net+0x174/0x300 net/rxrpc/net_ns.c:128
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:606
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x669/0x1090 kernel/workqueue.c:2436
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
==================================================================
----------------
Code disassembly (best guess):
   0:	be 04 00 00 00       	mov    $0x4,%esi
   5:	48 89 ef             	mov    %rbp,%rdi
   8:	e8 e6 d1 df f8       	callq  0xf8dfd1f3
   d:	48 89 e8             	mov    %rbp,%rax
  10:	48 c1 e8 03          	shr    $0x3,%rax
  14:	42 0f b6 14 28       	movzbl (%rax,%r13,1),%edx
  19:	48 89 e8             	mov    %rbp,%rax
  1c:	83 e0 07             	and    $0x7,%eax
  1f:	83 c0 03             	add    $0x3,%eax
  22:	38 d0                	cmp    %dl,%al
  24:	7c 04                	jl     0x2a
  26:	84 d2                	test   %dl,%dl
  28:	75 3b                	jne    0x65
* 2a:	8b 53 14             	mov    0x14(%rbx),%edx		<-- trapping instruction
  2d:	48 c7 c7 60 0e 56 8b 	mov    $0xffffffff8b560e60,%rdi
  34:	48 89 de             	mov    %rbx,%rsi
  37:	e8 db 10 c4 00       	callq  0xc41117
  3c:	48 8d 7b 20          	lea    0x20(%rbx),%rdi