------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 112 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 112 Comm: kswapd0 Not tainted 6.11.0-rc3-syzkaller-00066-g1fb918967b56 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 58 e9 0b fd 84 db 0f 85 66 ff ff ff e8 6b e7 0b fd c6 05 cf c3 7a 0b 01 90 48 c7 c7 60 f6 af 8b e8 67 97 ce fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 48 e7 0b fd 0f b6 1d aa c3 7a 0b 31
RSP: 0018:ffffc90000007d90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff814dd779
RDX: ffff88801b6f0000 RSI: ffffffff814dd786 RDI: 0000000000000001
RBP: ffff88805f228668 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff88805f228668 R14: ffff88801ee1e800 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88802c000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002f607ff8 CR3: 000000005b1a6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:275 [inline]
 __refcount_dec_and_test include/linux/refcount.h:307 [inline]
 refcount_dec_and_test include/linux/refcount.h:325 [inline]
 p9_req_put+0x1f4/0x250 net/9p/client.c:404
 req_done+0x1e7/0x2f0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2595 [inline]
 vring_interrupt+0x31b/0x400 drivers/virtio/virtio_ring.c:2570
 __handle_irq_event_percpu+0x229/0x7c0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x263/0xd10 kernel/irq/chip.c:831
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:247 [inline]
 call_irq_handler arch/x86/kernel/irq.c:259 [inline]
 __common_interrupt+0xdf/0x250 arch/x86/kernel/irq.c:285
 common_interrupt+0xab/0xd0 arch/x86/kernel/irq.c:278
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:preempt_schedule_irq+0x4c/0x90 kernel/sched/core.c:6851
Code: df 55 65 48 8b 2d a4 d9 fb 74 53 48 89 eb 48 c1 eb 03 48 01 c3 bf 01 00 00 00 e8 ff 9c 53 f6 e8 8a 6c 8a f6 fb bf 01 00 00 00 <e8> 4f a3 ff ff 9c 58 fa f6 c4 02 75 1e bf 01 00 00 00 e8 2d 41 53
RSP: 0018:ffffc90000e9f668 EFLAGS: 00000206
RAX: 00000000003ca503 RBX: ffffed10036de000 RCX: 1ffffffff28b8360
RDX: 0000000000000000 RSI: ffffffff8b4cd020 RDI: 0000000000000001
RBP: ffff88801b6f0000 R08: 0000000000000001 R09: fffffbfff28b70da
R10: ffffffff945b86d7 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 irqentry_exit+0x36/0x90 kernel/entry/common.c:354
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x1f2/0x560 kernel/locking/lockdep.c:5727
Code: c1 05 ea 2e 99 7e 83 f8 01 0f 85 ea 02 00 00 9c 58 f6 c4 02 0f 85 d5 02 00 00 48 85 ed 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffffc90000e9f730 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff920001d3ee8 RCX: 0000000000000001
RDX: 0000000000000001 RSI: ffffffff8b4cd320 RDI: ffffffff8bb050e0
RBP: 0000000000000200 R08: 0000000000000000 R09: fffffbfff28b70d8
R10: ffffffff945b86c7 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff8ddb9320 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
 rcu_read_lock include/linux/rcupdate.h:838 [inline]
 shrink_slab+0x1d9/0x1300 mm/shrinker.c:667
 shrink_one+0x47e/0x7b0 mm/vmscan.c:4815
 shrink_many mm/vmscan.c:4876 [inline]
 lru_gen_shrink_node+0x69f/0x1510 mm/vmscan.c:4954
 shrink_node mm/vmscan.c:5934 [inline]
 kswapd_shrink_node mm/vmscan.c:6762 [inline]
 balance_pgdat+0x110f/0x1950 mm/vmscan.c:6954
 kswapd+0x5ea/0xbf0 mm/vmscan.c:7223
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
----------------
Code disassembly (best guess):
   0:	df 55 65             	fists  0x65(%rbp)
   3:	48 8b 2d a4 d9 fb 74 	mov    0x74fbd9a4(%rip),%rbp        # 0x74fbd9ae
   a:	53                   	push   %rbx
   b:	48 89 eb             	mov    %rbp,%rbx
   e:	48 c1 eb 03          	shr    $0x3,%rbx
  12:	48 01 c3             	add    %rax,%rbx
  15:	bf 01 00 00 00       	mov    $0x1,%edi
  1a:	e8 ff 9c 53 f6       	call   0xf6539d1e
  1f:	e8 8a 6c 8a f6       	call   0xf68a6cae
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 4f a3 ff ff       	call   0xffffa37e <-- trapping instruction
  2f:	9c                   	pushf
  30:	58                   	pop    %rax
  31:	fa                   	cli
  32:	f6 c4 02             	test   $0x2,%ah
  35:	75 1e                	jne    0x55
  37:	bf 01 00 00 00       	mov    $0x1,%edi
  3c:	e8                   	.byte 0xe8
  3d:	2d                   	.byte 0x2d
  3e:	41 53                	push   %r11