------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 6607 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 6607 Comm: syz.2.158 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 38 e4 ec fc 84 db 0f 85 66 ff ff ff e8 4b e9 ec fc c6 05 c1 c1 9f 0b 01 90 48 c7 c7 e0 1e f4 8b e8 27 cc ac fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 28 e9 ec fc 0f b6 1d 9c c1 9f 0b 31
RSP: 0018:ffffc90000007d90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817a94a8
RDX: ffff8880210d0000 RSI: ffffffff817a94b5 RDI: 0000000000000001
RBP: ffff88806ab12448 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88806ab12448
R13: ffff88801fee5400 R14: 0000000000000007 R15: 1ffff1100472900c
FS:  0000000000000000(0000) GS:ffff8880977ea000(0063) knlGS:00000000f5065b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f5004da4 CR3: 000000006d451000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 p9_req_put+0x1ec/0x250 net/9p/client.c:404
 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2715 [inline]
 vring_interrupt+0x31e/0x400 drivers/virtio/virtio_ring.c:2690
 __handle_irq_event_percpu+0x22c/0x7d0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x263/0xd10 kernel/irq/chip.c:831
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:266 [inline]
 __common_interrupt+0xe2/0x250 arch/x86/kernel/irq.c:292
 common_interrupt+0xba/0xe0 arch/x86/kernel/irq.c:285
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:239 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
RIP: 0010:cpumask_test_cpu include/linux/cpumask.h:587 [inline]
RIP: 0010:cpu_online include/linux/cpumask.h:1143 [inline]
RIP: 0010:trace_lock_release include/trace/events/lock.h:69 [inline]
RIP: 0010:lock_release+0x3b/0x2f0 kernel/locking/lockdep.c:5877
Code: 89 fb 48 83 ec 18 65 48 8b 05 99 b6 0b 12 48 89 44 24 10 31 c0 0f 1f 44 00 00 65 8b 05 b2 b6 0b 12 83 f8 07 0f 87 38 02 00 00 <89> c0 48 0f a3 05 7b 74 ed 0e 0f 82 b1 01 00 00 8b 3d f3 a3 ed 0e
RSP: 0018:ffffc90030a8e9c0 EFLAGS: 00000297
RAX: 0000000000000000 RBX: ffffffff8e3bfa80 RCX: ffffc90024c31000
RDX: 0000000000080000 RSI: ffffffff825d08fe RDI: ffffffff8e3bfa80
RBP: ffff88801ca98800 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff825d08fe
R13: ffff88801ca988d8 R14: 0000000000000000 R15: ffff88801ca988d8
 rcu_lock_release include/linux/rcupdate.h:341 [inline]
 rcu_read_unlock include/linux/rcupdate.h:871 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1155 [inline]
 kernfs_root+0xf3/0x2a0 fs/kernfs/kernfs-internal.h:73
 kernfs_next_descendant_post+0x1bb/0x420 fs/kernfs/dir.c:1371
 kernfs_activate fs/kernfs/dir.c:1426 [inline]
 kernfs_add_one+0x368/0x840 fs/kernfs/dir.c:834
 __kernfs_create_file+0x295/0x350 fs/kernfs/file.c:1067
 sysfs_add_file_mode_ns+0x207/0x3c0 fs/sysfs/file.c:319
 create_files fs/sysfs/group.c:76 [inline]
 internal_create_group+0x578/0xf30 fs/sysfs/group.c:183
 internal_create_groups+0x9d/0x150 fs/sysfs/group.c:223
 setup_port+0x404/0x1720 drivers/infiniband/core/sysfs.c:1247
 ib_setup_port_attrs+0x201/0x600 drivers/infiniband/core/sysfs.c:1433
 add_one_compat_dev+0x558/0x7d0 drivers/infiniband/core/device.c:968
 add_compat_devs drivers/infiniband/core/device.c:1026 [inline]
 enable_device_and_get+0x336/0x3f0 drivers/infiniband/core/device.c:1337
 ib_register_device drivers/infiniband/core/device.c:1447 [inline]
 ib_register_device+0x87f/0xe00 drivers/infiniband/core/device.c:1393
 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
 rdma_nl_rcv_msg+0x38a/0x6e0 drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450 drivers/infiniband/core/netlink.c:239
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg net/socket.c:727 [inline]
 ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
 __sys_sendmsg+0x16d/0x220 net/socket.c:2652
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7f64579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f506555c EFLAGS: 00000296 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 0000000080000240
RDX: 0000000000000810 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	89 fb                	mov    %edi,%ebx
   2:	48 83 ec 18          	sub    $0x18,%rsp
   6:	65 48 8b 05 99 b6 0b 	mov    %gs:0x120bb699(%rip),%rax        # 0x120bb6a7
   d:	12
   e:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
  13:	31 c0                	xor    %eax,%eax
  15:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1a:	65 8b 05 b2 b6 0b 12 	mov    %gs:0x120bb6b2(%rip),%eax        # 0x120bb6d3
  21:	83 f8 07             	cmp    $0x7,%eax
  24:	0f 87 38 02 00 00    	ja     0x262
* 2a:	89 c0                	mov    %eax,%eax <-- trapping instruction
  2c:	48 0f a3 05 7b 74 ed 	bt     %rax,0xeed747b(%rip)        # 0xeed74af
  33:	0e
  34:	0f 82 b1 01 00 00    	jb     0x1eb
  3a:	8b 3d f3 a3 ed 0e    	mov    0xeeda3f3(%rip),%edi        # 0xeeda433