------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 8015 at lib/refcount.c:25 refcount_warn_saturate+0xf3/0x1b0 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 8015 Comm: kworker/u4:12 Not tainted 6.6.93-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: bat_events batadv_nc_worker
RIP: 0010:refcount_warn_saturate+0xf3/0x1b0 lib/refcount.c:25
Code: 15 0a 01 0f 85 98 00 00 00 e8 39 41 66 fd 5b 41 5e c3 e8 30 41 66 fd c6 05 e1 00 15 0a 01 48 c7 c7 40 0f fc 8a e8 0d a5 30 fd <0f> 0b eb e0 e8 14 41 66 fd c6 05 c6 00 15 0a 01 48 c7 c7 a0 0f fc
RSP: 0018:ffffc900001f0848 EFLAGS: 00010246
RAX: 6a4e2df2779efb00 RBX: 0000000000000002 RCX: ffff88802e9a8000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffc900001f09d0 R08: ffffc900001f0447 R09: 1ffff9200003e088
R10: dffffc0000000000 R11: fffff5200003e089 R12: ffff88806ab03a80
R13: dffffc0000000000 R14: ffff88806ab03bd4 R15: ffff88805f141800
FS: 0000000000000000(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6e4b6ec368 CR3: 000000002ffae000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_net include/net/net_namespace.h:261 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
 tipc_crypto_xmit+0x17cf/0x2250 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x246/0x3f0 net/tipc/bearer.c:572
 tipc_disc_timeout+0x581/0x6d0 net/tipc/discover.c:338
 call_timer_fn+0x16e/0x530 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x52d/0x7d0 kernel/time/timer.c:2022
 run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2035
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:should_resched arch/x86/include/asm/preempt.h:104 [inline]
RIP: 0010:__local_bh_enable_ip+0x136/0x1c0 kernel/softirq.c:413
Code: 8a e8 5e ac 14 09 65 66 8b 05 e6 38 b2 7e 66 85 c0 75 54 bf 01 00 00 00 e8 a7 e2 09 00 e8 82 78 3a 00 fb 65 8b 05 b2 38 b2 7e <85> c0 75 05 e8 91 1a af ff 48 c7 04 24 0e 36 e0 45 4b c7 04 37 00
RSP: 0018:ffffc9000434fa20 EFLAGS: 00000282
RAX: 0000000080000000 RBX: 0000000000000201 RCX: 6a4e2df2779efb00
RDX: dffffc0000000000 RSI: ffffffff8aaab2c0 RDI: ffffffff8afc6780
RBP: ffffc9000434fab8 R08: ffffffff90d845ff R09: 1ffffffff21b08bf
R10: dffffc0000000000 R11: fffffbfff21b08c0 R12: ffffffff8a2ed261
R13: dffffc0000000000 R14: dffffc0000000000 R15: 1ffff92000869f44
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 batadv_nc_purge_paths+0x311/0x3a0 net/batman-adv/network-coding.c:471
 batadv_nc_worker+0x328/0x610 net/batman-adv/network-coding.c:720
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
----------------
Code disassembly (best guess):
   0: 8a e8                	mov    %al,%ch
   2: 5e                   	pop    %rsi
   3: ac                   	lods   %ds:(%rsi),%al
   4: 14 09                	adc    $0x9,%al
   6: 65 66 8b 05 e6 38 b2 	mov    %gs:0x7eb238e6(%rip),%ax        # 0x7eb238f4
   d: 7e
   e: 66 85 c0             	test   %ax,%ax
  11: 75 54                	jne    0x67
  13: bf 01 00 00 00       	mov    $0x1,%edi
  18: e8 a7 e2 09 00       	call   0x9e2c4
  1d: e8 82 78 3a 00       	call   0x3a78a4
  22: fb                   	sti
  23: 65 8b 05 b2 38 b2 7e 	mov    %gs:0x7eb238b2(%rip),%eax        # 0x7eb238dc
* 2a: 85 c0                	test   %eax,%eax <-- trapping instruction
  2c: 75 05                	jne    0x33
  2e: e8 91 1a af ff       	call   0xffaf1ac4
  33: 48 c7 04 24 0e 36 e0 	movq   $0x45e0360e,(%rsp)
  3a: 45
  3b: 4b                   	rex.WXB
  3c: c7                   	.byte 0xc7
  3d: 04 37                	add    $0x37,%al