==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3204 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xd5/0x320 mm/slub.c:4192

CPU: 0 PID: 714 Comm: kworker/0:7 Not tainted 5.10.76-syzkaller-01178-g4944ec82ebb9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events delayed_fput
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
 print_address_description+0x8d/0x3d0 mm/kasan/report.c:233
 kasan_report_invalid_free+0x58/0x130 mm/kasan/report.c:358
 ____kasan_slab_free+0x14b/0x170 mm/kasan/common.c:362
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:1596 [inline]
 slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1622
 slab_free mm/slub.c:3204 [inline]
 kfree+0xd5/0x320 mm/slub.c:4192
 io_put_identity fs/io_uring.c:1262 [inline]
 io_req_clean_work fs/io_uring.c:1300 [inline]
 io_dismantle_req+0x9b0/0xd90 fs/io_uring.c:1896
 io_req_free_batch fs/io_uring.c:2200 [inline]
 io_iopoll_complete fs/io_uring.c:2375 [inline]
 io_do_iopoll+0x13b4/0x23f0 fs/io_uring.c:2431
 io_iopoll_try_reap_events+0x116/0x290 fs/io_uring.c:2470
 io_ring_ctx_wait_and_kill+0x295/0x670 fs/io_uring.c:8575
 io_uring_release+0x5b/0x70 fs/io_uring.c:8602
 __fput+0x348/0x7d0 fs/file_table.c:281
 delayed_fput+0x61/0x90 fs/file_table.c:309
 process_one_work+0x6b4/0xfb0 kernel/workqueue.c:2289
 worker_thread+0xb15/0x1600 kernel/workqueue.c:2435
 kthread+0x371/0x390 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 2036:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516
 kasan_kmalloc include/linux/kasan.h:269 [inline]
 kmem_cache_alloc_trace+0x210/0x3a0 mm/slub.c:2975
 kmalloc include/linux/slab.h:552 [inline]
 io_uring_alloc_task_context+0x57/0x550 fs/io_uring.c:7901
 io_uring_add_task_file+0x1f7/0x290 fs/io_uring.c:8779
 io_uring_install_fd fs/io_uring.c:9313 [inline]
 io_uring_create+0x2195/0x3490 fs/io_uring.c:9515
 io_uring_setup fs/io_uring.c:9554 [inline]
 __do_sys_io_uring_setup fs/io_uring.c:9560 [inline]
 __se_sys_io_uring_setup fs/io_uring.c:9557 [inline]
 __x64_sys_io_uring_setup+0x1ce/0x290 fs/io_uring.c:9557
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88811aeb3d00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 88 bytes inside of
 192-byte region [ffff88811aeb3d00, ffff88811aeb3dc0)
The buggy address belongs to the page:
page:ffffea00046bacc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11aeb3
flags: 0x8000000000000200(slab)
raw: 8000000000000200 ffffea00043f8e80 0000000500000005 ffff888100043380
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 437, ts 93066862570, free_ts 93066636512
 set_page_owner include/linux/page_owner.h:35 [inline]
 post_alloc_hook mm/page_alloc.c:2385 [inline]
 prep_new_page mm/page_alloc.c:2391 [inline]
 get_page_from_freelist+0xa74/0xa90 mm/page_alloc.c:4063
 __alloc_pages_nodemask+0x3c8/0x820 mm/page_alloc.c:5106
 alloc_slab_page mm/slub.c:1807 [inline]
 allocate_slab+0x6b/0x350 mm/slub.c:1809
 new_slab mm/slub.c:1870 [inline]
 new_slab_objects mm/slub.c:2629 [inline]
 ___slab_alloc+0x143/0x2f0 mm/slub.c:2792
 __slab_alloc mm/slub.c:2832 [inline]
 slab_alloc_node mm/slub.c:2914 [inline]
 slab_alloc mm/slub.c:2956 [inline]
 kmem_cache_alloc_trace+0x278/0x3a0 mm/slub.c:2973
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:664 [inline]
 kernfs_fop_open+0x328/0xac0 fs/kernfs/file.c:628
 do_dentry_open+0x7a5/0x1090 fs/open.c:819
 vfs_open+0x73/0x80 fs/open.c:942
 do_open fs/namei.c:3327 [inline]
 path_openat+0x264d/0x3500 fs/namei.c:3444
 do_filp_open+0x200/0x440 fs/namei.c:3471
 do_sys_openat2+0x13b/0x470 fs/open.c:1211
 do_sys_open fs/open.c:1227 [inline]
 __do_sys_openat fs/open.c:1243 [inline]
 __se_sys_openat fs/open.c:1238 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1238
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:28 [inline]
 free_pages_prepare mm/page_alloc.c:1331 [inline]
 free_pcp_prepare+0x18f/0x1c0 mm/page_alloc.c:1405
 free_unref_page_prepare mm/page_alloc.c:3291 [inline]
 free_unref_page mm/page_alloc.c:3341 [inline]
 free_the_page mm/page_alloc.c:5165 [inline]
 __free_pages+0x2e3/0x4a0 mm/page_alloc.c:5173
 free_pages+0x7c/0x90 mm/page_alloc.c:5184
 selinux_genfs_get_sid security/selinux/hooks.c:1318 [inline]
 inode_doinit_with_dentry+0xb4e/0x11f0 security/selinux/hooks.c:1515
 selinux_d_instantiate+0x27/0x40 security/selinux/hooks.c:6349
 security_d_instantiate+0xa5/0x100 security/security.c:1948
 d_splice_alias+0x74/0x590 fs/dcache.c:3029
 kernfs_iop_lookup+0x18c/0x210 fs/kernfs/dir.c:1108
 __lookup_slow+0x2b3/0x400 fs/namei.c:1628
 lookup_slow fs/namei.c:1645 [inline]
 walk_component+0x516/0x790 fs/namei.c:1940
 lookup_last fs/namei.c:2389 [inline]
 path_lookupat+0x19d/0x6c0 fs/namei.c:2413
 filename_lookup+0x23f/0x6c0 fs/namei.c:2446
 user_path_at_empty+0x40/0x50 fs/namei.c:2726
 user_path_at include/linux/namei.h:59 [inline]
 vfs_statx+0x10a/0x3f0 fs/stat.c:193
 vfs_fstatat fs/stat.c:215 [inline]
 __do_sys_newfstatat fs/stat.c:384 [inline]
 __se_sys_newfstatat+0xc8/0x760 fs/stat.c:378
 __x64_sys_newfstatat+0x9b/0xb0 fs/stat.c:378

Memory state around the buggy address:
 ffff88811aeb3c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88811aeb3c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88811aeb3d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff88811aeb3d80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff88811aeb3e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 714 at lib/refcount.c:28 refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 714 Comm: kworker/0:7 Tainted: G B 5.10.76-syzkaller-01178-g4944ec82ebb9 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events delayed_fput
RIP: 0010:refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28
Code: c7 e0 b2 49 85 31 c0 e8 99 7b eb fe 0f 0b eb 83 e8 f0 98 18 ff c6 05 9e cc 68 04 01 48 c7 c7 40 b3 49 85 31 c0 e8 7b 7b eb fe <0f> 0b e9 62 ff ff ff e8 cf 98 18 ff c6 05 7e cc 68 04 01 48 c7 c7
RSP: 0018:ffffc9000e047830 EFLAGS: 00010246
RAX: 3e6b853894a38f00 RBX: 0000000000000003 RCX: 1ffff92001c08ec0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000e047840 R08: ffffffff81545288 R09: ffffed103ee095d8
R10: ffffed103ee095d8 R11: 0000000000000000 R12: ffff88811aeb3d58
R13: ffff8881683050c8 R14: 0000000000000003 R15: 00000000ffffffff
FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fda525bc000 CR3: 000000010d100000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 io_put_identity fs/io_uring.c:1261 [inline]
 io_req_clean_work fs/io_uring.c:1300 [inline]
 io_dismantle_req+0xa72/0xd90 fs/io_uring.c:1896
 io_req_free_batch fs/io_uring.c:2200 [inline]
 io_iopoll_complete fs/io_uring.c:2375 [inline]
 io_do_iopoll+0x13b4/0x23f0 fs/io_uring.c:2431
 io_iopoll_try_reap_events+0x116/0x290 fs/io_uring.c:2470
 io_ring_ctx_wait_and_kill+0x295/0x670 fs/io_uring.c:8575
 io_uring_release+0x5b/0x70 fs/io_uring.c:8602
 __fput+0x348/0x7d0 fs/file_table.c:281
 delayed_fput+0x61/0x90 fs/file_table.c:309
 process_one_work+0x6b4/0xfb0 kernel/workqueue.c:2289
 worker_thread+0xb15/0x1600 kernel/workqueue.c:2435
 kthread+0x371/0x390 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
---[ end trace bdbc0110533aa35b ]---
usb 4-1: new high-speed USB device number 16 using dummy_hcd
usb 4-1: Using ep0 maxpacket: 16
usb 4-1: unable to read config index 0 descriptor/start: -61
usb 4-1: can't read configurations, error -61
usb 4-1: new high-speed USB device number 17 using dummy_hcd
usb 4-1: Using ep0 maxpacket: 16
usb 4-1: unable to read config index 0 descriptor/start: -61
usb 4-1: can't read configurations, error -61
usb usb4-port1: attempt power cycle
usb 4-1: new high-speed USB device number 18 using dummy_hcd
usb 4-1: Using ep0 maxpacket: 16
usb 4-1: unable to read config index 0 descriptor/start: -61
usb 4-1: can't read configurations, error -61
usb 4-1: new high-speed USB device number 19 using dummy_hcd
usb 4-1: Using ep0 maxpacket: 16
usb 4-1: unable to read config index 0 descriptor/start: -61
usb 4-1: can't read configurations, error -61
usb usb4-port1: unable to enumerate USB device