------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 5852 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Modules linked in:
CPU: 1 UID: 0 PID: 5852 Comm: syz-executor Not tainted 6.15.0-syzkaller-12293-g7fdaba912981 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25
Code: 00 00 e8 09 2d ff fc 5b 41 5e e9 d1 4a a7 06 cc e8 fb 2c ff fc c6 05 e3 ca c9 0a 01 90 48 c7 c7 c0 38 e2 8b e8 17 db c2 fc 90 <0f> 0b 90 90 eb d7 e8 db 2c ff fc c6 05 c4 ca c9 0a 01 90 48 c7 c7
RSP: 0018:ffffc90000a08668 EFLAGS: 00010246
RAX: f504383b4c030900 RBX: 0000000000000002 RCX: ffff8880322ada00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc90000a087e8 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1bfaa44 R12: ffff888078ad2080
R13: dffffc0000000000 R14: ffff888078ad21ec R15: ffff8880592d8400
FS: 0000000000000000(0000) GS:ffff888125d55000(0063) knlGS:00000000572da440
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f50e5ffc CR3: 00000000333d8000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
get_net include/net/net_namespace.h:268 [inline]
tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
tipc_crypto_xmit+0x1820/0x22c0 net/tipc/crypto.c:1761
tipc_crypto_clone_msg+0x90/0x170 net/tipc/crypto.c:1656
tipc_crypto_xmit+0x1998/0x22c0 net/tipc/crypto.c:1717
tipc_bearer_xmit_skb+0x245/0x400 net/tipc/bearer.c:572
tipc_disc_timeout+0x580/0x6d0 net/tipc/discover.c:338
call_timer_fn+0x17b/0x5f0 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers kernel/time/timer.c:2372 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
run_timer_base kernel/time/timer.c:2393 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:trace_lock_acquire include/trace/events/lock.h:24 [inline]
RIP: 0010:lock_acquire+0x58/0x360 kernel/locking/lockdep.c:5834
Code: 8b 05 7c 7b fe 10 48 89 44 24 58 0f 1f 44 00 00 65 8b 05 7f 7b fe 10 83 f8 08 0f 83 b8 01 00 00 89 c0 48 0f a3 05 28 cc 02 0e <73> 16 e8 71 f1 08 00 84 c0 75 0d f6 05 6f b8 ec 0d 01 0f 84 d7 01
RSP: 0018:ffffc90004536e38 EFLAGS: 00000297
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8e13f060
RBP: ffffffff81729de5 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90004536ff8 R11: ffffffff81acf670 R12: 0000000000000002
R13: ffffffff8e13f060 R14: 0000000000000000 R15: 0000000000000000
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:841 [inline]
class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
unwind_next_frame+0xc2/0x2390 arch/x86/kernel/unwind_orc.c:479
arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4328 [inline]
__kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
kmalloc_node_noprof include/linux/slab.h:932 [inline]
__vmalloc_area_node mm/vmalloc.c:3690 [inline]
__vmalloc_node_range_noprof+0x5a9/0x12f0 mm/vmalloc.c:3885
__vmalloc_node_noprof mm/vmalloc.c:3948 [inline]
vmalloc_noprof+0xb2/0xf0 mm/vmalloc.c:3981
xt_compat_init_offsets+0xd3/0x1c0 net/netfilter/x_tables.c:733
ebt_compat_init_offsets net/bridge/netfilter/ebtables.c:1832 [inline]
compat_table_info+0xc0/0xd80 net/bridge/netfilter/ebtables.c:1843
compat_do_ebt_get_ctl net/bridge/netfilter/ebtables.c:2397 [inline]
do_ebt_get_ctl+0x8bb/0x1c50 net/bridge/netfilter/ebtables.c:2460
nf_getsockopt+0x26b/0x290 net/netfilter/nf_sockopt.c:116
ip_getsockopt+0x1c4/0x220 net/ipv4/ip_sockglue.c:1777
do_sock_getsockopt+0x360/0x650 net/socket.c:2357
__sys_getsockopt+0x128/0x1d0 net/socket.c:2386
__do_compat_sys_socketcall net/compat.c:494 [inline]
__se_compat_sys_socketcall net/compat.c:423 [inline]
__ia32_compat_sys_socketcall+0x824/0x9c0 net/compat.c:423
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb6/0x2b0 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:331
entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf706e539
Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000f752f670 EFLAGS: 00000206 ORIG_RAX: 0000000000000066
RAX: ffffffffffffffda RBX: 000000000000000f RCX: 00000000f752f6a8
RDX: 00000000f752f72c RSI: 00000000f752f730 RDI: 00000000f73d2ff4
RBP: 00000000f752f730 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess) — note this decodes the bytes of the second `Code:` line above (the interrupted `lock_acquire+0x58/0x360` context at RIP 0010, whose `<73>` marks the instruction resumed after the timer interrupt), not the first `Code:` line at the `refcount_warn_saturate` WARN site where the refcount underflow was reported:
0: 8b 05 7c 7b fe 10 mov 0x10fe7b7c(%rip),%eax # 0x10fe7b82
6: 48 89 44 24 58 mov %rax,0x58(%rsp)
b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
10: 65 8b 05 7f 7b fe 10 mov %gs:0x10fe7b7f(%rip),%eax # 0x10fe7b96
17: 83 f8 08 cmp $0x8,%eax
1a: 0f 83 b8 01 00 00 jae 0x1d8
20: 89 c0 mov %eax,%eax
22: 48 0f a3 05 28 cc 02 bt %rax,0xe02cc28(%rip) # 0xe02cc52
29: 0e
* 2a: 73 16 jae 0x42 <-- trapping instruction
2c: e8 71 f1 08 00 call 0x8f1a2
31: 84 c0 test %al,%al
33: 75 0d jne 0x42
35: f6 05 6f b8 ec 0d 01 testb $0x1,0xdecb86f(%rip) # 0xdecb8ab
3c: 0f .byte 0xf
3d: 84 d7 test %dl,%bh
3f: 01 .byte 0x1