==================================================================
BUG: KASAN: user-memory-access in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: user-memory-access in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:167 [inline]
BUG: KASAN: user-memory-access in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: user-memory-access in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: user-memory-access in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: user-memory-access in posix_acl_release include/linux/posix_acl.h:57 [inline]
BUG: KASAN: user-memory-access in __destroy_inode+0x4b4/0x89c fs/inode.c:273
Write of size 4 at addr 0000000b00000000 by task syz-executor/4025

CPU: 1 PID: 4025 Comm: syz-executor Not tainted 5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:438 [inline]
 kasan_report+0x168/0x1e4 mm/kasan/report.c:451
 kasan_check_range+0x274/0x2b4 mm/kasan/generic.c:189
 __kasan_check_write+0x44/0x54 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:167 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 posix_acl_release include/linux/posix_acl.h:57 [inline]
 __destroy_inode+0x4b4/0x89c fs/inode.c:273
 destroy_inode fs/inode.c:284 [inline]
 evict+0x714/0x894 fs/inode.c:637
 dispose_list fs/inode.c:655 [inline]
 evict_inodes+0x6dc/0x774 fs/inode.c:709
 generic_shutdown_super+0x9c/0x2f0 fs/super.c:454
 kill_block_super+0x70/0xdc fs/super.c:1427
 deactivate_locked_super+0xb8/0x13c fs/super.c:335
 deactivate_super+0x108/0x128 fs/super.c:366
 cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1150
 task_work_run+0x130/0x1e4 kernel/task_work.c:188
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
 el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:609
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
==================================================================
Unable to handle kernel paging request at virtual address 0000000b00000000
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000124f6e000
[0000000b00000000] pgd=080000010a2dc003, p4d=080000010a2dc003, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4025 Comm: syz-executor Tainted: G    B             5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lse_atomic_fetch_sub_release arch/arm64/include/asm/atomic_lse.h:161 [inline]
pc : arch_atomic_fetch_sub_release arch/arm64/include/asm/atomic.h:51 [inline]
pc : atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
pc : __refcount_sub_and_test include/linux/refcount.h:272 [inline]
pc : __refcount_dec_and_test include/linux/refcount.h:315 [inline]
pc : refcount_dec_and_test include/linux/refcount.h:333 [inline]
pc : posix_acl_release include/linux/posix_acl.h:57 [inline]
pc : __destroy_inode+0x4c8/0x89c fs/inode.c:273
lr : arch_atomic_fetch_sub_release arch/arm64/include/asm/atomic.h:51 [inline]
lr : atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
lr : __refcount_sub_and_test include/linux/refcount.h:272 [inline]
lr : __refcount_dec_and_test include/linux/refcount.h:315 [inline]
lr : refcount_dec_and_test include/linux/refcount.h:333 [inline]
lr : posix_acl_release include/linux/posix_acl.h:57 [inline]
lr : __destroy_inode+0x4c0/0x89c fs/inode.c:273
sp : ffff80001fb876d0
x29: ffff80001fb876d0 x28: dfff800000000000 x27: 1fffe0001d0ea8d0
x26: 0000000000000000 x25: 1fffe0001d0ea8d3 x24: dfff800000000000
x23: ffff0000e8754578 x22: ffff0000cbbe6060 x21: 0000000000000001
x20: 00000000ffffffff x19: 0000000b00000000 x18: 1fffe0003683318e
x17: 1fffe0003683318e x16: ffff800011b4b268 x15: ffff800014bffac0
x14: ffff0001b4198c80 x13: ffff0001b4198c7c x12: ffff700002e38564
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000c9f09b40
x8 : ffff8000089e97cc x7 : 0000000000000000 x6 : ffff80000826abdc
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff80000819c3ec
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
 __lse_atomic_fetch_sub_release arch/arm64/include/asm/atomic_lse.h:161 [inline]
 arch_atomic_fetch_sub_release arch/arm64/include/asm/atomic.h:51 [inline]
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 posix_acl_release include/linux/posix_acl.h:57 [inline]
 __destroy_inode+0x4c8/0x89c fs/inode.c:273
 destroy_inode fs/inode.c:284 [inline]
 evict+0x714/0x894 fs/inode.c:637
 dispose_list fs/inode.c:655 [inline]
 evict_inodes+0x6dc/0x774 fs/inode.c:709
 generic_shutdown_super+0x9c/0x2f0 fs/super.c:454
 kill_block_super+0x70/0xdc fs/super.c:1427
 deactivate_locked_super+0xb8/0x13c fs/super.c:335
 deactivate_super+0x108/0x128 fs/super.c:366
 cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1150
 task_work_run+0x130/0x1e4 kernel/task_work.c:188
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
 el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:609
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: d503201f 97eb6b0a 52800034 4b1403f4 (b8740274) 
---[ end trace bab80d29ab9c9c1a ]---
----------------
Code disassembly (best guess):
   0:	d503201f 	nop
   4:	97eb6b0a 	bl	0xffffffffffadac2c
   8:	52800034 	mov	w20, #0x1                   	// #1
   c:	4b1403f4 	neg	w20, w20
* 10:	b8740274 	ldaddl	w20, w20, [x19] <-- trapping instruction