------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 14621 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 14621 Comm: syz-executor Not tainted 6.16.0-rc6-syzkaller-00253-g4871b7cb27f4 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 68 fb e3 fc 84 db 0f 85 66 ff ff ff e8 7b 00 e4 fc c6 05 2d 5b ba 0b 01 90 48 c7 c7 a0 08 15 8c e8 77 5a a3 fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 58 00 e4 fc 0f b6 1d 08 5b ba 0b 31
RSP: 0018:ffffc90000007d90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ab108
RDX: ffff88801dae2440 RSI: ffffffff817ab115 RDI: 0000000000000001
RBP: ffff88804ac69438 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88804ac69438
R13: ffff888013ad1400 R14: 0000000000000015 R15: 1ffff1100972500c
FS:  0000000000000000(0000) GS:ffff88809752e000(0063) knlGS:00000000571b1440
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f7fc55c0 CR3: 000000006691f000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 00000000000032e7 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 p9_req_put+0x1ec/0x250 net/9p/client.c:404
 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2715 [inline]
 vring_interrupt+0x31e/0x400 drivers/virtio/virtio_ring.c:2690
 __handle_irq_event_percpu+0x22c/0x7d0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x28e/0xab0 kernel/irq/chip.c:797
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:266 [inline]
 __common_interrupt+0xdf/0x250 arch/x86/kernel/irq.c:292
 common_interrupt+0xba/0xe0 arch/x86/kernel/irq.c:285
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline]
RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
RIP: 0010:test_ti_thread_flag include/linux/thread_info.h:126 [inline]
RIP: 0010:test_tsk_thread_flag include/linux/sched.h:2059 [inline]
RIP: 0010:task_sigpending include/linux/sched/signal.h:379 [inline]
RIP: 0010:fatal_signal_pending include/linux/sched/signal.h:401 [inline]
RIP: 0010:dup_mmap+0x80c/0x21d0 mm/mmap.c:1772
Code: 24 18 4c 29 a0 88 02 00 00 e9 f2 fc ff ff e8 bb 05 b2 ff 48 8b 7c 24 20 be 08 00 00 00 e8 9c 67 16 00 48 8b 44 24 58 80 38 00 <0f> 85 96 17 00 00 48 8b 44 24 20 31 ff 4c 8b 20 49 c1 ec 02 41 83
RSP: 0018:ffffc900030e7990 EFLAGS: 00000246
RAX: ffffed1003b5c488 RBX: ffff888013cd7900 RCX: ffffffff82094fb4
RDX: ffffed1003b5c489 RSI: 0000000000000008 RDI: ffff88801dae2440
RBP: ffff888013cd7920 R08: 0000000000000000 R09: ffffed1003b5c488
R10: ffff88801dae2447 R11: 0000000000000001 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880277e67a8
 dup_mm kernel/fork.c:1477 [inline]
 copy_mm kernel/fork.c:1529 [inline]
 copy_process+0x4081/0x7650 kernel/fork.c:2169
 kernel_clone+0xfc/0x960 kernel/fork.c:2599
 __do_compat_sys_ia32_clone+0xcb/0x110 arch/x86/kernel/sys_ia32.c:254
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf7fd1579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000ffbfb9ec EFLAGS: 00000292 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000571b14a8
RBP: 00000000f7464ff4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	24 18                	and    $0x18,%al
   2:	4c 29 a0 88 02 00 00 	sub    %r12,0x288(%rax)
   9:	e9 f2 fc ff ff       	jmp    0xfffffd00
   e:	e8 bb 05 b2 ff       	call   0xffb205ce
  13:	48 8b 7c 24 20       	mov    0x20(%rsp),%rdi
  18:	be 08 00 00 00       	mov    $0x8,%esi
  1d:	e8 9c 67 16 00       	call   0x1667be
  22:	48 8b 44 24 58       	mov    0x58(%rsp),%rax
  27:	80 38 00             	cmpb   $0x0,(%rax)
* 2a:	0f 85 96 17 00 00    	jne    0x17c6 <-- trapping instruction
  30:	48 8b 44 24 20       	mov    0x20(%rsp),%rax
  35:	31 ff                	xor    %edi,%edi
  37:	4c 8b 20             	mov    (%rax),%r12
  3a:	49 c1 ec 02          	shr    $0x2,%r12
  3e:	41                   	rex.B
  3f:	83                   	.byte 0x83