------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 24435 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Modules linked in:
CPU: 0 UID: 0 PID: 24435 Comm: syz.6.4822 Not tainted 6.15.0-syzkaller-12293-g7fdaba912981 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Code: 00 00 e8 09 2d ff fc 5b 41 5e e9 d1 4a a7 06 cc e8 fb 2c ff fc c6 05 e3 ca c9 0a 01 90 48 c7 c7 c0 38 e2 8b e8 17 db c2 fc 90 <0f> 0b 90 90 eb d7 e8 db 2c ff fc c6 05 c4 ca c9 0a 01 90 48 c7 c7
RSP: 0000:ffffc9000be77768 EFLAGS: 00010246
RAX: dacf52c8f4729900 RBX: 0000000000000002 RCX: ffff88803ef68000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc9000be778f0 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1bfaa44 R12: ffff88802c1c2080
R13: dffffc0000000000 R14: ffff88802c1c21ec R15: ffff88805a06bc00
FS: 000055557392e500(0000) GS:ffff888125c55000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32017ff8 CR3: 000000004b39e000 CR4: 00000000003526f0
DR0: 0000000000000081 DR1: 2000000000000006 DR2: 0800001000000002
DR3: 0000000000000009 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 get_net include/net/net_namespace.h:268 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
 tipc_crypto_xmit+0x1820/0x22c0 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x245/0x400 net/tipc/bearer.c:572
 tipc_disc_timeout+0x580/0x6d0 net/tipc/discover.c:338
 call_timer_fn+0x17b/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0033:0x7fdba126ea35
Code: 8b 43 28 48 83 c4 38 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 c6 44 24 1e 01 48 89 ee 44 89 e7 4c 89 44 24 10 4c 89 54 24 08 66 ef fd ff 4c 8b 54 24 08 4c 8b 44 24 10 84 c0 0f 85 60 ff ff
RSP: 002b:00007fdba16dfa60 EFLAGS: 00000246
RAX: 000000000000a476 RBX: 00007fdba20e5720 RCX: 000000000005e2d1
RDX: ffffffff820bcd5d RSI: ffffffff820bc35f RDI: 0000000000000008
RBP: ffffffff820bc35f R08: 00007fdba15b6038 R09: 00007fdba15a2000
R10: 00007fdba09ff008 R11: 0000000000000008 R12: 0000000000000008
R13: 00000000000001d9 R14: ffffffff820bcd5d R15: 000000000005e2d1