------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 5005 at lib/refcount.c:28 refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 5005 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller-00194-g18a3c5f7abfd #0
Hardware name: riscv-virtio,qemu (DT)
epc : refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
 ra : refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
epc : ffffffe000977304 ra : ffffffe000977304 sp : ffffffe008193830
 gp : ffffffe004588c00 tp : ffffffe025898000 t0 : ffffffe004ffdbb7
 t1 : ffffffc4010326a2 t2 : 0000000000000000 s0 : ffffffe008193850
 s1 : 0000000000000000 a0 : 0000000000000026 a1 : 00000000000f0000
 a2 : 0000000000000002 a3 : ffffffe0000e1458 a4 : a2d87e6261732800
 a5 : a2d87e6261732800 a6 : 0000000000f00000 a7 : ffffffe008193517
 s2 : ffffffe0044c16ed s3 : ffffffe006fe0018 s4 : ffffffe0220e75b0
 s5 : ffffffe0220e75a8 s6 : 00000000000002ff s7 : ffffffe00af5d4c0
 s8 : ffffffe007b4e7a0 s9 : ffffffe026b76d38 s10: 0000000000000008
 s11: ffffffe006fe0000 t3 : a2d87e6261732800 t4 : ffffffc4010326a1
 t5 : ffffffc4010326a3 t6 : ffffffe008193518
status: 0000000000000120 badaddr: 0000000000000000 cause: 0000000000000003
Call Trace:
[] refcount_warn_saturate+0x1e4/0x1e8 lib/refcount.c:28
[] __refcount_sub_and_test include/linux/refcount.h:283 [inline]
[] __refcount_dec_and_test include/linux/refcount.h:315 [inline]
[] refcount_dec_and_test include/linux/refcount.h:333 [inline]
[] kref_put include/linux/kref.h:64 [inline]
[] nfc_llcp_local_put net/nfc/llcp_core.c:183 [inline]
[] nfc_llcp_local_put+0x15c/0x15e net/nfc/llcp_core.c:178
[] nfc_llcp_sock_free+0xfa/0x10c net/nfc/llcp_sock.c:1005
[] llcp_sock_destruct+0x6a/0x112 net/nfc/llcp_sock.c:950
[] __sk_destruct+0x42/0x546 net/core/sock.c:1795
[] sk_destruct net/core/sock.c:1839 [inline]
[] __sk_free+0x120/0x29a net/core/sock.c:1850
[] sock_wfree+0x18a/0x1c8 net/core/sock.c:2074
[] skb_release_head_state+0x96/0x1a6 net/core/skbuff.c:712
[] skb_release_all net/core/skbuff.c:723 [inline]
[] __kfree_skb net/core/skbuff.c:739 [inline]
[] kfree_skb net/core/skbuff.c:757 [inline]
[] kfree_skb+0xfc/0x3f8 net/core/skbuff.c:751
[] skb_queue_purge+0x1e/0x44 net/core/skbuff.c:3133
[] nfc_llcp_socket_release+0x3a/0x51c net/nfc/llcp_core.c:73
[] local_cleanup+0x1e/0x9c net/nfc/llcp_core.c:155
[] local_release net/nfc/llcp_core.c:174 [inline]
[] kref_put include/linux/kref.h:65 [inline]
[] nfc_llcp_local_put net/nfc/llcp_core.c:183 [inline]
[] nfc_llcp_local_put+0x136/0x15e net/nfc/llcp_core.c:178
[] nfc_llcp_sock_free+0xfa/0x10c net/nfc/llcp_sock.c:1005
[] llcp_sock_destruct+0x6a/0x112 net/nfc/llcp_sock.c:950
[] __sk_destruct+0x42/0x546 net/core/sock.c:1795
[] sk_destruct net/core/sock.c:1839 [inline]
[] __sk_free+0x120/0x29a net/core/sock.c:1850
[] sk_free+0x90/0xa8 net/core/sock.c:1861
[] sock_put include/net/sock.h:1807 [inline]
[] llcp_sock_release+0x2c2/0x378 net/nfc/llcp_sock.c:644
[] __sock_release+0x88/0x17e net/socket.c:599
[] sock_close+0x1e/0x2a net/socket.c:1258
[] __fput+0x166/0x49a fs/file_table.c:280
[] ____fput+0x1a/0x24 fs/file_table.c:313
[] task_work_run+0xd0/0x148 kernel/task_work.c:140
[] exit_task_work include/linux/task_work.h:30 [inline]
[] do_exit+0x770/0x1846 kernel/exit.c:825
[] do_group_exit+0xa0/0x198 kernel/exit.c:922
[] __do_sys_exit_group kernel/exit.c:933 [inline]
[] __wake_up_parent+0x0/0x40 kernel/exit.c:931
[] ret_from_syscall+0x0/0x2