==================================================================
BUG: KASAN: use-after-free in io_rsrc_node_ref_zero+0x5a/0x2cd
Read of size 8 at addr ffff888047ea4300 by task syz-executor.2/33061

CPU: 1 PID: 33061 Comm: syz-executor.2 Not tainted 5.17.0-rc4-next-20220217 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 dump_stack_lvl+0x8b/0xb3
 print_address_description.constprop.0+0x1f/0x190
 kasan_report.cold+0x7f/0x11b
 io_rsrc_node_ref_zero+0x5a/0x2cd
 percpu_ref_put_many.constprop.0+0x235/0x270
 rcu_core+0x7e5/0x1ff0
 __do_softirq+0x270/0x8c7
 __irq_exit_rcu+0x113/0x170
 irq_exit_rcu+0x5/0x20
 sysvec_apic_timer_interrupt+0x8e/0xc0
 asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x7/0x60
Code: 31 00 be 03 00 00 00 5d e9 76 2b bd 00 66 0f 1f 44 00 00 48 8b be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 65 8b 05 99 2a bf 7e <89> c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 40 6f 02 00 a9
RSP: 0018:ffff88802bb9f6d8 EFLAGS: 00000202
RAX: 0000000080000001 RBX: ffffea0000f9f7c0 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff888045569ac0 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff8170feca R11: 0000000000000000 R12: ffffea0000f9f7c8
R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
 PageHuge+0x98/0x230
 page_remove_rmap+0x1e2/0x490
 unmap_page_range+0xd3e/0x2380
 unmap_single_vma+0x198/0x310
 unmap_vmas+0x16b/0x2f0
 exit_mmap+0x192/0x460
 mmput+0xc8/0x380
 do_exit+0xa05/0x2810
 do_group_exit+0xd2/0x2f0
 get_signal+0x494/0x26e0
 arch_do_signal_or_restart+0x2b0/0x1720
 exit_to_user_mode_prepare+0x143/0x1c0
 syscall_exit_to_user_mode+0x19/0x50
 do_syscall_64+0x48/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd41d6a4b19
Code: Unable to access opcode bytes at RIP 0x7fd41d6a4aef.
RSP: 002b:00007fd41abf9218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fd41d7b8028 RCX: 00007fd41d6a4b19
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fd41d7b802c
RBP: 00007fd41d7b8020 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000246 R12: 00007fd41d7b802c
R13: 00007ffe0554754f R14: 00007fd41abf9300 R15: 0000000000022000

Allocated by task 33062:
 kasan_save_stack+0x1e/0x40
 __kasan_kmalloc+0x81/0xa0
 io_rsrc_data_alloc+0x3e/0x3c3
 io_sqe_files_register.cold+0x1e/0x67c
 __do_sys_io_uring_register+0xc61/0x1100
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 33062:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x108/0x170
 kfree+0xcf/0x410
 __io_sqe_files_unregister+0xce/0x186
 __do_sys_io_uring_register.cold+0x90/0xf8c
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x97/0xa0
 insert_work+0x44/0x290
 __queue_work+0x61f/0x10a0
 queue_work_on+0xae/0xc0
 call_usermodehelper_exec+0x329/0x490
 __request_module+0x414/0xa10
 dev_load+0x1ea/0x200
 dev_ioctl+0x496/0xfd0
 sock_do_ioctl+0x160/0x230
 sock_ioctl+0x41c/0x670
 __x64_sys_ioctl+0x196/0x210
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888047ea4300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff888047ea4300, ffff888047ea43c0)
The buggy address belongs to the page:
page:0000000046f91c22 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47ea4
flags: 0x100000000000200(slab|node=0|zone=1)
raw: 0100000000000200 ffffea00003ec380 dead000000000007 ffff888007841a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888047ea4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888047ea4280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888047ea4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888047ea4380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888047ea4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	31 00                	xor    %eax,(%rax)
   2:	be 03 00 00 00       	mov    $0x3,%esi
   7:	5d                   	pop    %rbp
   8:	e9 76 2b bd 00       	jmpq   0xbd2b83
   d:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  13:	48 8b be b0 01 00 00 	mov    0x1b0(%rsi),%rdi
  1a:	e8 b4 ff ff ff       	callq  0xffffffd3
  1f:	31 c0                	xor    %eax,%eax
  21:	c3                   	retq
  22:	90                   	nop
  23:	65 8b 05 99 2a bf 7e 	mov    %gs:0x7ebf2a99(%rip),%eax        # 0x7ebf2ac3
* 2a:	89 c1                	mov    %eax,%ecx		<-- trapping instruction
  2c:	48 8b 34 24          	mov    (%rsp),%rsi
  30:	81 e1 00 01 00 00    	and    $0x100,%ecx
  36:	65 48 8b 14 25 40 6f 	mov    %gs:0x26f40,%rdx
  3d:	02 00
  3f:	a9                   	.byte 0xa9