Extracting prog: 2m23.408408327s
Minimizing prog: 28m43.046467237s
Simplifying prog options: 5m38.135546699s
Extracting C: 1m48.59953445s
Simplifying C: 0s


extracting reproducer from 5 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-timer_settime-writev-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
writev(r2, &(0x7f0000000080)=[{&(0x7f0000000300)="f1", 0x1}], 0x1)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
single: successfully extracted reproducer
found reproducer with 14 syscalls
minimizing guilty program
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-timer_settime-writev-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
writev(r2, &(0x7f0000000080)=[{&(0x7f0000000300)="f1", 0x1}], 0x1)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-timer_settime-writev-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
writev(r2, &(0x7f0000000080)=[{&(0x7f0000000300)="f1", 0x1}], 0x1)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-timer_settime-writev-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
writev(r2, &(0x7f0000000080)=[{&(0x7f0000000300)="f1", 0x1}], 0x1)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-timer_settime-writev-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040))
r1 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r1, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r1, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
writev(r1, &(0x7f0000000080)=[{&(0x7f0000000300)="f1", 0x1}], 0x1)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-timer_settime-writev-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
writev(r2, &(0x7f0000000080)=[{&(0x7f0000000300)="f1", 0x1}], 0x1)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_create-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-gettid-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
gettid()
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-connect$inet-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
connect$inet(r2, &(0x7f0000000040)={0x2, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x10)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-setsockopt$SO_BINDTODEVICE-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$SO_BINDTODEVICE(r2, 0x1, 0x19, &(0x7f0000000180)='syz_tun\x00', 0x10)
r3 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r3}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in bt_tags_iter
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-socket$inet_tcp-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
socket$inet_tcp(0x2, 0x1, 0x0)
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
r1 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, 0xffffffffffffffff)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r0=>0xffffffffffffffff})
r1 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(0xffffffffffffffff, 0xab00, r0)
ioctl$NBD_SET_SIZE_BLOCKS(0xffffffffffffffff, 0xab07, 0x4)
ioctl$NBD_DO_IT(0xffffffffffffffff, 0xab03)
ioctl$NBD_CLEAR_SOCK(0xffffffffffffffff, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(0x0, 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, 0x0)
r1 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, 0xffffffffffffffff)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
gettid()
timer_create(0x0, 0x0, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, 0x0)
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, 0x0, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, &(0x7f0000000080)={0x1})
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in bt_tags_iter
extracting C reproducer
testing compiled C program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program crashed: WARNING: refcount bug in blk_done_softirq
a never seen crash title: WARNING: refcount bug in blk_done_softirq, ignore
simplifying guilty program options
testing program (duration=47.272835253s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
extracting C reproducer
testing compiled C program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
program did not crash
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in blk_done_softirq
validation run: crashed=true
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program crashed: WARNING: refcount bug in blk_mq_dispatch_rq_list
validation run: crashed=true
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
testing program (duration=47.272835253s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_open_dev$ndb-socketpair$nbd-gettid-timer_create-timer_settime-ioctl$BTRFS_IOC_QUOTA_CTL-ioctl$NBD_SET_SOCK-ioctl$NBD_SET_SIZE_BLOCKS-ioctl$NBD_DO_IT-ioctl$NBD_CLEAR_SOCK
detailed listing:
executing program 0:
r0 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={<r1=>0xffffffffffffffff})
r2 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$BTRFS_IOC_QUOTA_CTL(0xffffffffffffffff, 0xc0109428, 0x0)
ioctl$NBD_SET_SOCK(r0, 0xab00, r1)
ioctl$NBD_SET_SIZE_BLOCKS(r0, 0xab07, 0x4)
ioctl$NBD_DO_IT(r0, 0xab03)
ioctl$NBD_CLEAR_SOCK(r0, 0xab04)

program did not crash
validation run: crashed=false
reproducing took 51m26.238402689s
repro crashed as (corrupted=false):
blk_update_request: I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev nbd0, logical block 0, async page read
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 264 at lib/refcount.c:28 refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 264 Comm: kworker/0:1H Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Code: 09 01 48 c7 c7 40 ab 59 8a e8 31 4e bc 05 0f 0b eb c4 e8 48 f2 9c fd c6 05 04 b7 7a 09 01 48 c7 c7 a0 ab 59 8a e8 15 4e bc 05 <0f> 0b eb a8 e8 2c f2 9c fd c6 05 e5 b6 7a 09 01 48 c7 c7 e0 aa 59
RSP: 0018:ffffc900025a77e8 EFLAGS: 00010246
RAX: 960d08f1daac6c00 RBX: 0000000000000003 RCX: ffff88801da01dc0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc900025a7990 R08: dffffc0000000000 R09: fffff520004b4e61
R10: fffff520004b4e61 R11: 1ffff920004b4e60 R12: ffffc900025a7aa0
R13: ffff8880206bba50 R14: 0000000000000003 R15: 1ffff110040d7749
FS:  0000000000000000(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f02765d3f98 CR3: 000000007e70b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blk_mq_end_request block/blk-mq.c:577 [inline]
 blk_mq_dispatch_rq_list+0xb8b/0x1dd0 block/blk-mq.c:1408
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:200 [inline]
 blk_mq_do_dispatch_sched+0xabc/0xc40 block/blk-mq-sched.c:214
 __blk_mq_sched_dispatch_requests+0x311/0x3f0 block/blk-mq-sched.c:-1
 blk_mq_sched_dispatch_requests+0xf4/0x1b0 block/blk-mq-sched.c:366
 __blk_mq_run_hw_queue+0xbb/0xf0 block/blk-mq.c:1511
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

final repro crashed as (corrupted=false):
blk_update_request: I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
Buffer I/O error on dev nbd0, logical block 0, async page read
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 264 at lib/refcount.c:28 refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 264 Comm: kworker/0:1H Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:refcount_warn_saturate+0x11b/0x1a0 lib/refcount.c:28
Code: 09 01 48 c7 c7 40 ab 59 8a e8 31 4e bc 05 0f 0b eb c4 e8 48 f2 9c fd c6 05 04 b7 7a 09 01 48 c7 c7 a0 ab 59 8a e8 15 4e bc 05 <0f> 0b eb a8 e8 2c f2 9c fd c6 05 e5 b6 7a 09 01 48 c7 c7 e0 aa 59
RSP: 0018:ffffc900025a77e8 EFLAGS: 00010246
RAX: 960d08f1daac6c00 RBX: 0000000000000003 RCX: ffff88801da01dc0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc900025a7990 R08: dffffc0000000000 R09: fffff520004b4e61
R10: fffff520004b4e61 R11: 1ffff920004b4e60 R12: ffffc900025a7aa0
R13: ffff8880206bba50 R14: 0000000000000003 R15: 1ffff110040d7749
FS:  0000000000000000(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f02765d3f98 CR3: 000000007e70b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blk_mq_end_request block/blk-mq.c:577 [inline]
 blk_mq_dispatch_rq_list+0xb8b/0x1dd0 block/blk-mq.c:1408
 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:200 [inline]
 blk_mq_do_dispatch_sched+0xabc/0xc40 block/blk-mq-sched.c:214
 __blk_mq_sched_dispatch_requests+0x311/0x3f0 block/blk-mq-sched.c:-1
 blk_mq_sched_dispatch_requests+0xf4/0x1b0 block/blk-mq-sched.c:366
 __blk_mq_run_hw_queue+0xbb/0xf0 block/blk-mq.c:1511
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>