------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 13900 at lib/refcount.c:28 refcount_warn_saturate+0x140/0x1f0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 13900 Comm: syz-executor.4 Not tainted 6.5.0-rc3-next-20230728-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
RIP: 0010:refcount_warn_saturate+0x140/0x1f0 lib/refcount.c:28
Code: 0a 31 ff 89 de e8 f0 3e 65 fd 84 db 0f 85 6e ff ff ff e8 b3 43 65 fd 48 c7 c7 c0 33 c8 8a c6 05 64 ce 74 0a 01 e8 60 99 2b fd <0f> 0b e9 4f ff ff ff e8 94 43 65 fd 0f b6 1d 4a ce 74 0a 31 ff 89
RSP: 0000:ffffc900001e0d88 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: ffff8880969d9dc0 RSI: ffffffff814d5b56 RDI: 0000000000000001
RBP: ffff8880781e2c60 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 000000000009ced8 R12: ffff8880781e2c60
R13: ffff8880883ea4e8 R14: 0000000000000000 R15: 0000000000000004
FS: 00005555572e6480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ef7c58fb0 CR3: 000000009936a000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
xp_put_pool+0x8a/0x1e0 net/xdp/xsk_buff_pool.c:286
xsk_destruct+0x95/0x140 net/xdp/xsk.c:1601
__sk_destruct+0x4d/0x770 net/core/sock.c:2163
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0x7fb/0x1bb0 kernel/rcu/tree.c:2403
__do_softirq+0x218/0x965 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1109
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:__sanitizer_cov_trace_pc+0x60/0x70 kernel/kcov.c:225
Code: 82 e0 15 00 00 83 f8 02 75 20 48 8b 8a e8 15 00 00 8b 92 e4 15 00 00 48 8b 01 48 83 c0 01 48 39 d0 73 07 48 89 01 48 89 34 c1 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 41 57
RSP: 0000:ffffc9000315fb50 EFLAGS: 00000293
RAX: 0000000000000000 RBX: ffffea0001840340 RCX: 0000000000000000
RDX: ffff8880969d9dc0 RSI: ffffffff81b40131 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 00007ffe8ef10d98 R12: ffffc9000315fc70
R13: 0000000000000014 R14: 000000000000005f R15: dffffc0000000000
PageTail include/linux/page-flags.h:284 [inline]
folio_flags.constprop.0+0x51/0x150 include/linux/page-flags.h:311
folio_test_uptodate include/linux/page-flags.h:705 [inline]
next_uptodate_page+0x18b/0x530 mm/filemap.c:3464
next_map_page mm/filemap.c:3497 [inline]
filemap_map_pages+0x773/0x1200 mm/filemap.c:3574
do_fault_around mm/memory.c:4665 [inline]
do_read_fault mm/memory.c:4698 [inline]
do_fault mm/memory.c:4845 [inline]
do_pte_missing mm/memory.c:3818 [inline]
handle_pte_fault mm/memory.c:5136 [inline]
__handle_mm_fault+0x2d23/0x4030 mm/memory.c:5276
handle_mm_fault+0x47a/0xa00 mm/memory.c:5441
do_user_addr_fault+0x2e7/0xfe0 arch/x86/mm/fault.c:1342
handle_page_fault arch/x86/mm/fault.c:1483 [inline]
exc_page_fault+0x5c/0xd0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f6ef7c58fb0
Code: Unable to access opcode bytes at 0x7f6ef7c58f86.
RSP: 002b:00007ffe8ef10d98 EFLAGS: 00010202
RAX: 0000000000000008 RBX: 0000000000000000 RCX: 00007f6ef7c79b8d
RDX: 0000000000000000 RSI: 0000000000000018 RDI: 00005555572e6760
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 00005555572e6750 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
----------------
Code disassembly (best guess), 1 byte skipped:
0: e0 15 loopne 0x17
2: 00 00 add %al,(%rax)
4: 83 f8 02 cmp $0x2,%eax
7: 75 20 jne 0x29
9: 48 8b 8a e8 15 00 00 mov 0x15e8(%rdx),%rcx
10: 8b 92 e4 15 00 00 mov 0x15e4(%rdx),%edx
16: 48 8b 01 mov (%rcx),%rax
19: 48 83 c0 01 add $0x1,%rax
1d: 48 39 d0 cmp %rdx,%rax
20: 73 07 jae 0x29
22: 48 89 01 mov %rax,(%rcx)
25: 48 89 34 c1 mov %rsi,(%rcx,%rax,8)
* 29: c3 ret <-- trapping instruction
2a: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
31: 00 00 00 00
35: 0f 1f 40 00 nopl 0x0(%rax)
39: f3 0f 1e fa endbr64
3d: 41 57 push %r15