syzbot

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 86 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 3 UID: 0 PID: 86 Comm: kworker/u32:5 Not tainted 6.16.0-rc2-syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 48 f5 df fc 84 db 0f 85 66 ff ff ff e8 5b fa df fc c6 05 50 58 b4 0b 01 90 48 c7 c7 60 24 15 8c e8 07 bf 9e fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 38 fa df fc 0f b6 1d 2b 58 b4 0b 31
RSP: 0018:ffffc900006f8d90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
RDX: ffff888022eb8000 RSI: ffffffff817ae255 RDI: 0000000000000001
RBP: ffff888039f44888 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888039f44888
R13: ffff888052344800 R14: 0000000000000015 R15: 1ffff1100458800c
FS:  0000000000000000(0000) GS:ffff8880d6a53000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88ffd10f98 CR3: 000000000e382000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 p9_req_put+0x1ec/0x250 net/9p/client.c:404
 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2715 [inline]
 vring_interrupt+0x31e/0x400 drivers/virtio/virtio_ring.c:2690
 __handle_irq_event_percpu+0x229/0x7d0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x28e/0xab0 kernel/irq/chip.c:789
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:266 [inline]
 __common_interrupt+0xdf/0x250 arch/x86/kernel/irq.c:292
 common_interrupt+0xba/0xe0 arch/x86/kernel/irq.c:285
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:arch_static_branch arch/x86/include/asm/jump_label.h:36 [inline]
RIP: 0010:native_write_msr arch/x86/include/asm/msr.h:139 [inline]
RIP: 0010:wrmsrq arch/x86/include/asm/msr.h:199 [inline]
RIP: 0010:native_x2apic_icr_write arch/x86/include/asm/apic.h:233 [inline]
RIP: 0010:__x2apic_send_IPI_shorthand arch/x86/kernel/apic/x2apic_phys.c:92 [inline]
RIP: 0010:x2apic_send_IPI_allbutself+0x21/0x40 arch/x86/kernel/apic/x2apic_phys.c:97
Code: 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 89 f8 83 ff 02 74 29 0d 00 00 0c 00 89 c6 0f ae f0 0f ae e8 b9 30 08 00 00 31 d2 0f 30 <66> 90 c3 cc cc cc cc 31 d2 bf 30 08 00 00 e9 bc 27 a6 03 be 00 04
RSP: 0018:ffffc9000167f860 EFLAGS: 00000246
RAX: 00000000000c00fc RBX: ffff88806a73cf50 RCX: 0000000000000830
RDX: 0000000000000000 RSI: 00000000000c00fc RDI: 00000000000000fc
RBP: 0000000000000003 R08: 0000000000000000 R09: ffffed100d4e79ea
R10: ffff88806a73cf57 R11: 0000000000000001 R12: ffffed100d4c874c
R13: 0000000000000000 R14: ffff88806a73cf50 R15: ffff88806a73cf40
 kvm_smp_send_call_func_ipi+0x1e/0x250 arch/x86/kernel/kvm.c:640
 arch_send_call_function_ipi_mask arch/x86/include/asm/smp.h:100 [inline]
 send_call_function_ipi_mask kernel/smp.c:127 [inline]
 smp_call_function_many_cond+0xc1e/0x1510 kernel/smp.c:869
 on_each_cpu_cond_mask+0x40/0x90 kernel/smp.c:1052
 on_each_cpu include/linux/smp.h:71 [inline]
 smp_text_poke_sync_each_cpu arch/x86/kernel/alternative.c:2660 [inline]
 smp_text_poke_batch_finish+0x5ae/0xdb0 arch/x86/kernel/alternative.c:2932
 arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
 jump_label_update+0x376/0x550 kernel/jump_label.c:919
 static_key_enable_cpuslocked+0x1b7/0x270 kernel/jump_label.c:210
 static_key_enable+0x1a/0x20 kernel/jump_label.c:223
 toggle_allocation_gate mm/kfence/core.c:850 [inline]
 toggle_allocation_gate+0xfa/0x280 mm/kfence/core.c:842
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	f3 0f 1e fa          	endbr64
   d:	89 f8                	mov    %edi,%eax
   f:	83 ff 02             	cmp    $0x2,%edi
  12:	74 29                	je     0x3d
  14:	0d 00 00 0c 00       	or     $0xc0000,%eax
  19:	89 c6                	mov    %eax,%esi
  1b:	0f ae f0             	mfence
  1e:	0f ae e8             	lfence
  21:	b9 30 08 00 00       	mov    $0x830,%ecx
  26:	31 d2                	xor    %edx,%edx
  28:	0f 30                	wrmsr
* 2a:	66 90                	xchg   %ax,%ax <-- trapping instruction
  2c:	c3                   	ret
  2d:	cc                   	int3
  2e:	cc                   	int3
  2f:	cc                   	int3
  30:	cc                   	int3
  31:	31 d2                	xor    %edx,%edx
  33:	bf 30 08 00 00       	mov    $0x830,%edi
  38:	e9 bc 27 a6 03       	jmp    0x3a627f9
  3d:	be                   	.byte 0xbe
  3e:	00                   	.byte 0x0
  3f:	04                   	.byte 0x4