Dear developers and maintainers,

We encountered a kernel warning in the function free_event() while
using our modified syzkaller. It was tested on the latest upstream
linux(6.9-rc4). C repro and kernel config are attached to this email.
Kernel dump log is listed below.
```

------------[ cut here ]------------
unexpected event refcount: 2; ptr=ffff88801931e0c0
WARNING: CPU: 0 PID: 8082 at kernel/events/core.c:5254
free_event+0xa3/0xc0 kernel/events/core.c:5254
Modules linked in:
CPU: 0 PID: 8082 Comm: syz-executor381 Not tainted 6.7.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:free_event+0xa3/0xc0 kernel/events/core.c:5254
Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 25 48 8b
b5 38 02 00 00 48 89 ea 48 c7 c7 c0 38 b7 8a e8 6e 30 9e ff 90 <0f> 0b
90 90 5d 41 5c 41 5d e9 bf 45 d7 ff 4c 89 ef e8 d7 e9 2b 00
RSP: 0018:ffffc9000176f9e8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff814c00fa
RDX: ffff888063d919c0 RSI: ffffffff814c0107 RDI: 0000000000000001
RBP: ffff88801931e0c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000002
R13: ffff88801931e2f8 R14: ffff88801931e3a0 R15: ffff88801931e0c0
FS:  0000000000000000(0000) GS:ffff888044200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000008 CR3: 000000000cd78000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 perf_event_release_kernel+0x5d4/0x8f0 kernel/events/core.c:5421
 perf_release+0x37/0x50 kernel/events/core.c:5442
 __fput+0x282/0xbb0 fs/file_table.c:394
 task_work_run+0x168/0x260 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xaf0/0x2a40 kernel/exit.c:869
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1018
 get_signal+0x243c/0x2630 kernel/signal.c:2904
 arch_do_signal_or_restart+0x81/0x7d0 arch/x86/kernel/signal.c:309
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x121/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1e/0x60 kernel/entry/common.c:296
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
 </TASK>
```
If you have any questions, please contact us.
Reported by: Yue Sun <samsun1006219@gmail.com>
Reported by: xingwei lee <xrivendell7@gmail.com>

Best Regards,
Yue