------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 5779 at lib/refcount.c:25 refcount_warn_saturate+0xf3/0x1b0 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 5779 Comm: kworker/u5:4 Not tainted 6.6.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: hci0 hci_rx_work
RIP: 0010:refcount_warn_saturate+0xf3/0x1b0 lib/refcount.c:25
Code: 15 0a 01 0f 85 98 00 00 00 e8 39 41 66 fd 5b 41 5e c3 e8 30 41 66 fd c6 05 e1 00 15 0a 01 48 c7 c7 40 0f fc 8a e8 0d a5 30 fd <0f> 0b eb e0 e8 14 41 66 fd c6 05 c6 00 15 0a 01 48 c7 c7 a0 0f fc
RSP: 0018:ffffc900001f0848 EFLAGS: 00010246
RAX: d9ccdf6376e47e00 RBX: 0000000000000002 RCX: ffff88802fa91e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc900001f09d0 R08: ffff8880b8f28c13 R09: 1ffff110171e5182
R10: dffffc0000000000 R11: ffffed10171e5183 R12: ffff888078f11d40
R13: dffffc0000000000 R14: ffff888078f11e94 R15: ffff88802d2e7400
FS:  0000000000000000(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000006c750000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_net include/net/net_namespace.h:261 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
 tipc_crypto_xmit+0x17cf/0x2250 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x246/0x3f0 net/tipc/bearer.c:572
 tipc_disc_timeout+0x581/0x6d0 net/tipc/discover.c:338
 call_timer_fn+0x16e/0x530 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x52d/0x7d0 kernel/time/timer.c:2022
 run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2035
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:console_flush_all+0x889/0xd00 arch/x86/include/asm/irqflags.h:-1
Code: ed 01 00 00 e8 78 39 1b 00 4d 85 ff 48 8b 5c 24 38 75 07 e8 69 39 1b 00 eb 06 e8 62 39 1b 00 fb 49 bf 00 00 00 00 00 fc ff df <48> 8b 44 24 50 42 0f b6 04 38 84 c0 0f 85 2f 02 00 00 80 3b 01 0f
RSP: 0018:ffffc90003e473e0 EFLAGS: 00000287
RAX: ffffffff816a5d7e RBX: ffffc90003e4757f RCX: 0000000000100000
RDX: ffffc9001839b000 RSI: 0000000000001dbc RDI: 0000000000001dbd
RBP: ffffc90003e47550 R08: ffffffff90d84527 R09: 1ffffffff21b08a4
R10: dffffc0000000000 R11: fffffbfff21b08a5 R12: ffffffff8d4b6760
R13: 1ffffffff1979228 R14: ffffffff8d4b67b8 R15: dffffc0000000000
 console_unlock+0xae/0x340 kernel/printk/printk.c:3069
 vprintk_emit+0x477/0x600 kernel/printk/printk.c:2341
 _printk+0xd0/0x110 kernel/printk/printk.c:2366
 bt_warn+0x10c/0x160 net/bluetooth/lib.c:235
 hci_cc_func net/bluetooth/hci_event.c:4194 [inline]
 hci_cmd_complete_evt+0x46a/0x950 net/bluetooth/hci_event.c:4218
 hci_event_func net/bluetooth/hci_event.c:7433 [inline]
 hci_event_packet+0x795/0x1210 net/bluetooth/hci_event.c:7488
 hci_rx_work+0x43a/0xd80 net/bluetooth/hci_core.c:3998
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
----------------
Code disassembly (best guess):
   0:	ed                   	in     (%dx),%eax
   1:	01 00                	add    %eax,(%rax)
   3:	00 e8                	add    %ch,%al
   5:	78 39                	js     0x40
   7:	1b 00                	sbb    (%rax),%eax
   9:	4d 85 ff             	test   %r15,%r15
   c:	48 8b 5c 24 38       	mov    0x38(%rsp),%rbx
  11:	75 07                	jne    0x1a
  13:	e8 69 39 1b 00       	call   0x1b3981
  18:	eb 06                	jmp    0x20
  1a:	e8 62 39 1b 00       	call   0x1b3981
  1f:	fb                   	sti
  20:	49 bf 00 00 00 00 00 	movabs $0xdffffc0000000000,%r15
  27:	fc ff df
* 2a:	48 8b 44 24 50       	mov    0x50(%rsp),%rax <-- trapping instruction
  2f:	42 0f b6 04 38       	movzbl (%rax,%r15,1),%eax
  34:	84 c0                	test   %al,%al
  36:	0f 85 2f 02 00 00    	jne    0x26b
  3c:	80 3b 01             	cmpb   $0x1,(%rbx)
  3f:	0f                   	.byte 0xf