------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 12182 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 3 UID: 0 PID: 12182 Comm: syz.4.972 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 98 08 d8 fc 84 db 0f 85 66 ff ff ff e8 ab 0d d8 fc c6 05 b6 37 b0 0b 01 90 48 c7 c7 c0 99 15 8c e8 27 b1 96 fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 88 0d d8 fc 0f b6 1d 91 37 b0 0b 31
RSP: 0018:ffffc900006f8d88 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817a3388
RDX: ffff88802c188000 RSI: ffffffff817a3395 RDI: 0000000000000001
RBP: ffff88805acf2228 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88805acf2228
R13: ffff88804a01b000 R14: 0000000000000009 R15: 1ffff110202f380c
FS:  0000000000000000(0000) GS:ffff8880d69b8000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f56d91def98 CR3: 000000004b5ad000 CR4: 0000000000352ef0
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 p9_req_put+0x1ec/0x250 net/9p/client.c:404
 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2719 [inline]
 vring_interrupt+0x31b/0x400 drivers/virtio/virtio_ring.c:2694
 __handle_irq_event_percpu+0x22c/0x7d0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x3ca/0x9e0 kernel/irq/chip.c:855
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:310 [inline]
 __common_interrupt+0xcd/0x2f0 arch/x86/kernel/irq.c:325
 common_interrupt+0xba/0xe0 arch/x86/kernel/irq.c:318
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:stack_trace_consume_entry+0x73/0x170 kernel/stacktrace.c:89
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ad 00 00 00 31 c0 3b 6b 08 0f 83 81 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 0c <48> 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0
RSP: 0018:ffffc9000fd06fd8 EFLAGS: 00000287
RAX: dffffc0000000000 RBX: ffffc9000fd070b8 RCX: ffffc9000fd06f4c
RDX: 1ffff92001fa0e18 RSI: ffffffff815d060f RDI: ffffc9000fd070c4
RBP: 000000000000000f R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000007f67 R12: ffffffff81a6ddf0
R13: ffffc9000fd070b8 R14: 0000000000000000 R15: ffff88802c188000
 arch_stack_walk+0x88/0x100 arch/x86/kernel/stacktrace.c:27
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 save_stack+0x160/0x1f0 mm/page_owner.c:156
 __reset_page_owner+0x84/0x1a0 mm/page_owner.c:308
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 free_unref_folios+0xa61/0x16b0 mm/page_alloc.c:2952
 folios_put_refs+0x56f/0x740 mm/swap.c:997
 folio_batch_release include/linux/pagevec.h:101 [inline]
 shmem_undo_range+0x58f/0x1150 mm/shmem.c:1157
 shmem_truncate_range mm/shmem.c:1269 [inline]
 shmem_evict_inode+0x3a1/0xbe0 mm/shmem.c:1397
 evict+0x3e3/0x920 fs/inode.c:810
 iput_final fs/inode.c:1897 [inline]
 iput fs/inode.c:1923 [inline]
 iput+0x521/0x880 fs/inode.c:1909
 dentry_unlink_inode+0x29c/0x480 fs/dcache.c:466
 __dentry_kill+0x1d0/0x600 fs/dcache.c:669
 dput.part.0+0x4b1/0x9b0 fs/dcache.c:911
 dput+0x1f/0x30 fs/dcache.c:901
 __fput+0x51c/0xb70 fs/file_table.c:476
 task_work_run+0x150/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x86f/0x2bf0 kernel/exit.c:961
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:40
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2401f8ebe9
Code: Unable to access opcode bytes at 0x7f2401f8ebbf.
RSP: 002b:00007f2402db00e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f24021c5fa8 RCX: 00007f2401f8ebe9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f24021c5fa8
RBP: 00007f24021c5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f24021c6038 R14: 00007fffa73f6860 R15: 00007fffa73f6948
 </TASK>
----------------
Code disassembly (best guess):
   0:	03 0f                	add    (%rdi),%ecx
   2:	b6 04                	mov    $0x4,%dh
   4:	02 84 c0 74 08 3c 03 	add    0x33c0874(%rax,%rax,8),%al
   b:	0f 8e ad 00 00 00    	jle    0xbe
  11:	31 c0                	xor    %eax,%eax
  13:	3b 6b 08             	cmp    0x8(%rbx),%ebp
  16:	0f 83 81 00 00 00    	jae    0x9d
  1c:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  23:	fc ff df
  26:	48 8d 7b 0c          	lea    0xc(%rbx),%rdi
* 2a:	48 89 fa             	mov    %rdi,%rdx <-- trapping instruction
  2d:	48 c1 ea 03          	shr    $0x3,%rdx
  31:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx
  35:	48 89 f8             	mov    %rdi,%rax
  38:	83 e0 07             	and    $0x7,%eax
  3b:	83 c0 03             	add    $0x3,%eax
  3e:	38 d0                	cmp    %dl,%al