syzbot

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 7138 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 3 UID: 0 PID: 7138 Comm: syz.1.329 Not tainted 6.16.0-rc2-syzkaller-00045-g4663747812d1 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 28 f8 df fc 84 db 0f 85 66 ff ff ff e8 3b fd df fc c6 05 30 5c b4 0b 01 90 48 c7 c7 a0 25 15 8c e8 e7 c1 9e fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 18 fd df fc 0f b6 1d 0b 5c b4 0b 31
RSP: 0018:ffffc900006f8d90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
RDX: ffff888029d68000 RSI: ffffffff817ae255 RDI: 0000000000000001
RBP: ffff88802b5adcb8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802b5adcb8
R13: ffff888031046800 R14: 0000000000000015 R15: 1ffff11020a7100c
FS:  0000555569bfe500(0000) GS:ffff8880d6a53000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f47e20a3d58 CR3: 000000002cb2f000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 p9_req_put+0x1ec/0x250 net/9p/client.c:404
 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2715 [inline]
 vring_interrupt+0x31e/0x400 drivers/virtio/virtio_ring.c:2690
 __handle_irq_event_percpu+0x229/0x7d0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x28e/0xab0 kernel/irq/chip.c:789
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:266 [inline]
 __common_interrupt+0xdf/0x250 arch/x86/kernel/irq.c:292
 common_interrupt+0xba/0xe0 arch/x86/kernel/irq.c:285
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 76 c0 15 f6 48 89 df e8 5e 14 16 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 95 34 06 f6 65 8b 05 8e 1a 4a 08 85 c0 74 16 5b
RSP: 0018:ffffc900073a7b88 EFLAGS: 00000246
RAX: 0000000000000006 RBX: ffff8880517c0a10 RCX: ffffffff81c3eb9f
RDX: 0000000000000000 RSI: ffffffff8de19da0 RDI: ffffffff8c1579e0
RBP: 0000000000000206 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90a81557 R11: 0000000000000000 R12: ffff8880517c0a10
R13: ffffffff93ce8c80 R14: ffff8880517c0000 R15: ffffc900073a7be0
 class_raw_spinlock_irqsave_destructor include/linux/spinlock.h:557 [inline]
 try_to_wake_up+0xa25/0x1680 kernel/sched/core.c:4226
 wake_up_process kernel/sched/core.c:4475 [inline]
 wake_up_q+0xa3/0x160 kernel/sched/core.c:1081
 futex_wake+0x460/0x530 kernel/futex/waitwake.c:198
 do_futex+0x1e3/0x350 kernel/futex/syscalls.c:107
 __do_sys_futex kernel/futex/syscalls.c:179 [inline]
 __se_sys_futex kernel/futex/syscalls.c:160 [inline]
 __x64_sys_futex+0x1e0/0x4c0 kernel/futex/syscalls.c:160
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f47e118e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc285c81e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00007f47e13b6088 RCX: 00007f47e118e929
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f47e13b6088
RBP: 0000000000000001 R08: 000000000000000d R09: 00000010285c84df
R10: 00007f47e13b5fa0 R11: 0000000000000246 R12: 00007f47e13b608c
R13: 00007f47e13b6080 R14: 0000000000001053 R15: 0000000000000005
 </TASK>
----------------
Code disassembly (best guess):
   0:	f5                   	cmc
   1:	53                   	push   %rbx
   2:	48 8b 74 24 10       	mov    0x10(%rsp),%rsi
   7:	48 89 fb             	mov    %rdi,%rbx
   a:	48 83 c7 18          	add    $0x18,%rdi
   e:	e8 76 c0 15 f6       	call   0xf615c089
  13:	48 89 df             	mov    %rbx,%rdi
  16:	e8 5e 14 16 f6       	call   0xf6161479
  1b:	f7 c5 00 02 00 00    	test   $0x200,%ebp
  21:	75 23                	jne    0x46
  23:	9c                   	pushf
  24:	58                   	pop    %rax
  25:	f6 c4 02             	test   $0x2,%ah
  28:	75 37                	jne    0x61
* 2a:	bf 01 00 00 00       	mov    $0x1,%edi <-- trapping instruction
  2f:	e8 95 34 06 f6       	call   0xf60634c9
  34:	65 8b 05 8e 1a 4a 08 	mov    %gs:0x84a1a8e(%rip),%eax        # 0x84a1ac9
  3b:	85 c0                	test   %eax,%eax
  3d:	74 16                	je     0x55
  3f:	5b                   	pop    %rbx