------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 7483 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 3 UID: 0 PID: 7483 Comm: syz.3.429 Not tainted 6.16.0-rc2-syzkaller-00071-g74b4cc9b8780 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 28 f8 df fc 84 db 0f 85 66 ff ff ff e8 3b fd df fc c6 05 f0 5b b4 0b 01 90 48 c7 c7 a0 25 15 8c e8 a7 c1 9e fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 18 fd df fc 0f b6 1d cb 5b b4 0b 31
RSP: 0018:ffffc900006f8d90 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248
RDX: ffff88805934c880 RSI: ffffffff817ae255 RDI: 0000000000000001
RBP: ffff88803b7d4558 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88803b7d4558
R13: ffff888035bc3400 R14: 0000000000000015 R15: 1ffff110209e600c
FS:  00007f3785bc56c0(0000) GS:ffff8880d6a53000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000020000006d000 CR3: 000000002bcd4000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 p9_req_put+0x1ec/0x250 net/9p/client.c:404
 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2715 [inline]
 vring_interrupt+0x31e/0x400 drivers/virtio/virtio_ring.c:2690
 __handle_irq_event_percpu+0x229/0x7d0 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210
 handle_edge_irq+0x28e/0xab0 kernel/irq/chip.c:789
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:266 [inline]
 __common_interrupt+0xdf/0x250 arch/x86/kernel/irq.c:292
 common_interrupt+0xba/0xe0 arch/x86/kernel/irq.c:285
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693
RIP: 0010:orc_ip arch/x86/kernel/unwind_orc.c:80 [inline]
RIP: 0010:__orc_find+0x70/0xf0 arch/x86/kernel/unwind_orc.c:102
Code: ec 72 4e 4c 89 e2 48 29 ea 48 89 d6 48 c1 ea 3f 48 c1 fe 02 48 01 f2 48 d1 fa 48 8d 5c 95 00 48 89 da 48 c1 ea 03 0f b6 34 0a <48> 89 da 83 e2 07 83 c2 03 40 38 f2 7c 05 40 84 f6 75 4b 48 63 13
RSP: 0018:ffffc9000d0c6b60 EFLAGS: 00000a02
RAX: ffffffff91775086 RBX: ffffffff90e01d70 RCX: dffffc0000000000
RDX: 1ffffffff21c03ae RSI: 0000000000000000 RDI: ffffffff90e01d60
RBP: ffffffff90e01d60 R08: ffffffff917750bc R09: 0000000000000000
R10: 0000000000000000 R11: 000000000003b723 R12: ffffffff90e01d80
R13: ffffffff84b7234b R14: ffffffff90e01d60 R15: ffffffff90e01d60
 orc_find arch/x86/kernel/unwind_orc.c:227 [inline]
 unwind_next_frame+0x2ec/0x20a0 arch/x86/kernel/unwind_orc.c:494
 arch_stack_walk+0x94/0x100 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 save_stack+0x160/0x1f0 mm/page_owner.c:156
 __set_page_owner+0x91/0x550 mm/page_owner.c:329
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
 folio_alloc_mpol_noprof+0x36/0x2f0 mm/mempolicy.c:2438
 vma_alloc_folio_noprof+0xed/0x1e0 mm/mempolicy.c:2473
 folio_prealloc mm/memory.c:1066 [inline]
 alloc_anon_folio mm/memory.c:5034 [inline]
 do_anonymous_page mm/memory.c:5091 [inline]
 do_pte_missing mm/memory.c:4249 [inline]
 handle_pte_fault mm/memory.c:6089 [inline]
 __handle_mm_fault+0x2f21/0x5490 mm/memory.c:6232
 handle_mm_fault+0x589/0xd10 mm/memory.c:6401
 do_user_addr_fault+0x7a6/0x1370 arch/x86/mm/fault.c:1387
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x5c/0xb0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
RIP: 0010:raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
RIP: 0010:copy_to_user_iter lib/iov_iter.c:25 [inline]
RIP: 0010:iterate_iovec include/linux/iov_iter.h:52 [inline]
RIP: 0010:iterate_and_advance2 include/linux/iov_iter.h:302 [inline]
RIP: 0010:iterate_and_advance include/linux/iov_iter.h:328 [inline]
RIP: 0010:_copy_to_iter+0x4e6/0x16f0 lib/iov_iter.c:185
Code: 45 e8 ce 75 e1 fc 48 8b 4c 24 18 48 8b 44 24 28 89 ee 4c 8d 34 01 4c 89 f7 e8 76 55 48 fd 0f 01 cb 48 89 e9 4c 89 ff 4c 89 f6 <f3> a4 0f 1f 00 0f 01 ca 48 89 e8 48 29 eb 48 29 c8 48 01 44 24 28
RSP: 0018:ffffc9000d0c7768 EFLAGS: 00050246
RAX: 0000000000000001 RBX: 0000000000001000 RCX: 00000000000002c0
RDX: 0000000000000000 RSI: ffff88803baa8d40 RDI: 000020000006d000
RBP: 0000000000001000 R08: 0000000000000000 R09: ffffed10077551ff
R10: ffff88803baa8fff R11: 0000000000000000 R12: 000000000006b000
R13: ffff8880310bdc10 R14: ffff88803baa8000 R15: 000020000006c2c0
 copy_page_to_iter lib/iov_iter.c:362 [inline]
 copy_page_to_iter+0x12a/0x1e0 lib/iov_iter.c:349
 copy_folio_to_iter include/linux/uio.h:204 [inline]
 filemap_read+0x6b1/0xe40 mm/filemap.c:2762
 blkdev_read_iter+0x1ac/0x500 block/fops.c:833
 do_iter_readv_writev+0x738/0x950 fs/read_write.c:825
 vfs_readv+0x4cb/0x8b0 fs/read_write.c:1018
 do_readv+0x132/0x340 fs/read_write.c:1080
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3784d8e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3785bc5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000013
RAX: ffffffffffffffda RBX: 00007f3784fb5fa0 RCX: 00007f3784d8e929
RDX: 0000000000000009 RSI: 00002000000025c0 RDI: 0000000000000003
RBP: 00007f3784e10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f3784fb5fa0 R15: 00007ffed6d12a88
 </TASK>
----------------
Code disassembly (best guess):
   0:	ec                   	in     (%dx),%al
   1:	72 4e                	jb     0x51
   3:	4c 89 e2             	mov    %r12,%rdx
   6:	48 29 ea             	sub    %rbp,%rdx
   9:	48 89 d6             	mov    %rdx,%rsi
   c:	48 c1 ea 3f          	shr    $0x3f,%rdx
  10:	48 c1 fe 02          	sar    $0x2,%rsi
  14:	48 01 f2             	add    %rsi,%rdx
  17:	48 d1 fa             	sar    %rdx
  1a:	48 8d 5c 95 00       	lea    0x0(%rbp,%rdx,4),%rbx
  1f:	48 89 da             	mov    %rbx,%rdx
  22:	48 c1 ea 03          	shr    $0x3,%rdx
  26:	0f b6 34 0a          	movzbl (%rdx,%rcx,1),%esi
* 2a:	48 89 da             	mov    %rbx,%rdx <-- trapping instruction
  2d:	83 e2 07             	and    $0x7,%edx
  30:	83 c2 03             	add    $0x3,%edx
  33:	40 38 f2             	cmp    %sil,%dl
  36:	7c 05                	jl     0x3d
  38:	40 84 f6             	test   %sil,%sil
  3b:	75 4b                	jne    0x88
  3d:	48 63 13             	movslq (%rbx),%rdx