program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000001d40)={0x0, 0x0, &(0x7f0000001d00)={&(0x7f0000001c40)={0x58, 0x2, 0x6, 0x401, 0x0, 0x0, {0x9, 0x0, 0x1}, [@IPSET_ATTR_FAMILY={0x5, 0x5, 0x7}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_REVISION={0x5, 0x4, 0x1}, @IPSET_ATTR_TYPENAME={0x13, 0x3, 'hash:net,iface\x00'}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_MARKMASK={0x8, 0xb, 0x1, 0x0, 0x8}]}, @IPSET_ATTR_PROTOCOL={0x5}]}, 0x58}, 0x1, 0x0, 0x0, 0x14}, 0x0)
r2 = socket$can_j1939(0x1d, 0x2, 0x7)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$ifreq_SIOCGIFINDEX_vcan(r3, 0x8933, &(0x7f0000000140)={'vxcan1\x00', <r4=>0x0})
bind$can_j1939(r2, &(0x7f0000000300)={0x1d, r4}, 0x18)
sendmsg$can_j1939(r2, &(0x7f0000000180)={&(0x7f0000000040), 0x18, &(0x7f0000000100)={&(0x7f00000000c0)="d4", 0x1}}, 0x0)
r5 = syz_genetlink_get_family_id$fou(&(0x7f0000000040), r0)
sendmsg$FOU_CMD_DEL(r0, &(0x7f0000000140)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f00000000c0)={&(0x7f0000000080)={0x30, r5, 0x10, 0x70bd28, 0x25dfdbfc, {}, [@FOU_ATTR_PEER_V6={0x14, 0x9, @empty}, @FOU_ATTR_LOCAL_V4={0x8, 0x6, @broadcast}]}, 0x30}, 0x1, 0x0, 0x0, 0xc0}, 0x44001)
syz_genetlink_get_family_id$batadv(&(0x7f0000000100), 0xffffffffffffffff)
r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$ieee802154(&(0x7f0000000ac0), r6)
sendmsg$IEEE802154_LLSEC_SETPARAMS(r6, &(0x7f0000000b00)={0x0, 0x0, &(0x7f0000000b40)={&(0x7f00000003c0)={0x20, r7, 0x5, 0x0, 0x0, {0x22}, [@IEEE802154_ATTR_DEV_NAME={0xa, 0x1, 'wpan1\x00'}]}, 0x20}}, 0x4000000)
r8 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000100)={'netdevsim0\x00', <r9=>0x0})
r10 = bpf$MAP_CREATE(0x0, &(0x7f0000000580)=ANY=[@ANYBLOB="010000000300000001000000b1ee000000000000", @ANYRES32, @ANYBLOB="0000000000000000000000000000000000000000c2562fe9951c07508712", @ANYRES32=r9, @ANYRES32, @ANYBLOB="000000000000000000001000"/28], 0x50)
bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000140)={r10, &(0x7f0000000000), &(0x7f0000000080)=@udp}, 0x20)
bpf$MAP_UPDATE_CONST_STR(0x2, &(0x7f0000000d80)={{r10}, &(0x7f0000000d00), &(0x7f0000000d40)='%+9llu \x00'}, 0x20)
r11 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
r12 = dup(r11)
r13 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0)
sendmsg$NL80211_CMD_CONNECT(r3, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)={0x30, 0x0, 0x1, 0x0, 0x0, {{}, {@val={0x8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0)
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000400)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x4000}, 0xc, &(0x7f0000000340)={&(0x7f0000000440)={0x30, 0x0, 0x100, 0x70bd36, 0x25dfdbfc, {{}, {@val={0x8}, @val={0xc, 0x99, {0xffff, 0x3d}}}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x3}, @mon_options]}, 0x30}, 0x1, 0x0, 0x0, 0x4}, 0x4008010)
r14 = ioctl$KVM_CREATE_VM(r13, 0xae01, 0x0)
r15 = ioctl$KVM_CREATE_VCPU(r14, 0xae41, 0x0)
r16 = dup(r15)
ioctl$KVM_SET_CPUID2(r16, 0x4008ae90, &(0x7f0000000100)=ANY=[@ANYBLOB="010000000000000001000080"])
ioctl$KVM_SET_MSRS(r16, 0x4008ae89, &(0x7f0000000480)=ANY=[@ANYBLOB="3b26f1b4e4395ab9d00485dd553b00260279000000000000400101c0000000909820310000"])
sendmsg$BATADV_CMD_GET_MCAST_FLAGS(r12, &(0x7f00000003c0)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f0000000380)={0x0}, 0x1, 0x0, 0x0, 0x4002840}, 0x20054810)

[   58.233089][ T5326] ------------[ cut here ]------------
[   58.235609][ T5326] refcount_t: underflow; use-after-free.
[   58.255507][ T5326] WARNING: CPU: 0 PID: 5326 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0
[   58.259021][ T5326] Modules linked in:
[   58.260516][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
[   58.263512][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.266785][ T5326] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0
[   58.268785][ T5326] Code: 00 d5 60 8c e8 47 b6 97 fc 90 0f 0b 90 90 eb 99 e8 cb c6 d6 fc c6 05 9d f6 48 0b 01 90 48 c7 c7 60 d5 60 8c e8 27 b6 97 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 a8 c6 d6 fc c6 05 77 f6 48 0b 01 90
[   58.275720][ T5326] RSP: 0018:ffffc9000d4878e8 EFLAGS: 00010246
[   58.277857][ T5326] RAX: ac5646813a95ec00 RBX: ffff888042cfa0e4 RCX: 0000000000040000
[   58.280498][ T5326] RDX: ffffc9000db71000 RSI: 0000000000000a42 RDI: 0000000000000a43
[   58.283198][ T5326] RBP: 0000000000000003 R08: ffffffff8155e312 R09: 1ffff11003f8519a
[   58.286352][ T5326] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff88801218f868
[   58.289254][ T5326] R13: ffff888042cfa0e4 R14: 1ffff11002431f18 R15: ffff88801218f800
[   58.292135][ T5326] FS:  00007f04021406c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   58.295494][ T5326] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   58.297905][ T5326] CR2: 0000000020000140 CR3: 0000000040a60000 CR4: 0000000000352ef0
[   58.300746][ T5326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   58.303589][ T5326] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   58.306680][ T5326] Call Trace:
[   58.307952][ T5326]  <TASK>
[   58.309045][ T5326]  ? __warn+0x168/0x4e0
[   58.310622][ T5326]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.312630][ T5326]  ? report_bug+0x2b3/0x500
[   58.314576][ T5326]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.316589][ T5326]  ? handle_bug+0x60/0x90
[   58.318328][ T5326]  ? exc_invalid_op+0x1a/0x50
[   58.320129][ T5326]  ? asm_exc_invalid_op+0x1a/0x20
[   58.322153][ T5326]  ? __warn_printk+0x292/0x360
[   58.324275][ T5326]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.326558][ T5326]  ? refcount_warn_saturate+0x159/0x1d0
[   58.328766][ T5326]  j1939_session_put+0x1ed/0x440
[   58.330689][ T5326]  j1939_sk_sendmsg+0x121b/0x14c0
[   58.332652][ T5326]  ? __pfx_j1939_sk_sendmsg+0x10/0x10
[   58.334938][ T5326]  ? __import_iovec+0x590/0x870
[   58.336841][ T5326]  ? aa_sock_msg_perm+0x91/0x160
[   58.338557][ T5326]  ? __pfx_j1939_sk_sendmsg+0x10/0x10
[   58.340495][ T5326]  __sock_sendmsg+0x221/0x270
[   58.342310][ T5326]  ____sys_sendmsg+0x52a/0x7e0
[   58.344301][ T5326]  ? __pfx_____sys_sendmsg+0x10/0x10
[   58.346615][ T5326]  ? __fget_files+0x2a/0x410
[   58.348487][ T5326]  ? __fget_files+0x2a/0x410
[   58.350423][ T5326]  __sys_sendmsg+0x269/0x350
[   58.352243][ T5326]  ? __pfx___sys_sendmsg+0x10/0x10
[   58.354032][ T5326]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   58.357015][ T5326]  ? do_syscall_64+0x100/0x230
[   58.358860][ T5326]  ? do_syscall_64+0xb6/0x230
[   58.360618][ T5326]  do_syscall_64+0xf3/0x230
[   58.362350][ T5326]  ? clear_bhb_loop+0x35/0x90
[   58.364034][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.366242][ T5326] RIP: 0033:0x7f040137e759
[   58.367913][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   58.374990][ T5326] RSP: 002b:00007f0402140038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   58.378053][ T5326] RAX: ffffffffffffffda RBX: 00007f0401535f80 RCX: 00007f040137e759
[   58.380879][ T5326] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000005
[   58.383508][ T5326] RBP: 00007f04013f175e R08: 0000000000000000 R09: 0000000000000000
[   58.386238][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   58.388840][ T5326] R13: 0000000000000000 R14: 00007f0401535f80 R15: 00007ffe875a7a98
[   58.391353][ T5326]  </TASK>
[   58.392415][ T5326] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   58.394816][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
[   58.398347][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.402127][ T5326] Call Trace:
[   58.403349][ T5326]  <TASK>
[   58.404358][ T5326]  dump_stack_lvl+0x241/0x360
[   58.405924][ T5326]  ? __pfx_dump_stack_lvl+0x10/0x10
[   58.407698][ T5326]  ? __pfx__printk+0x10/0x10
[   58.409358][ T5326]  ? vscnprintf+0x5d/0x90
[   58.410846][ T5326]  panic+0x349/0x880
[   58.412252][ T5326]  ? __warn+0x177/0x4e0
[   58.413811][ T5326]  ? __pfx_panic+0x10/0x10
[   58.415590][ T5326]  __warn+0x34b/0x4e0
[   58.417047][ T5326]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.419176][ T5326]  report_bug+0x2b3/0x500
[   58.420809][ T5326]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.422678][ T5326]  handle_bug+0x60/0x90
[   58.424218][ T5326]  exc_invalid_op+0x1a/0x50
[   58.425994][ T5326]  asm_exc_invalid_op+0x1a/0x20
[   58.427772][ T5326] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0
[   58.430039][ T5326] Code: 00 d5 60 8c e8 47 b6 97 fc 90 0f 0b 90 90 eb 99 e8 cb c6 d6 fc c6 05 9d f6 48 0b 01 90 48 c7 c7 60 d5 60 8c e8 27 b6 97 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 a8 c6 d6 fc c6 05 77 f6 48 0b 01 90
[   58.436847][ T5326] RSP: 0018:ffffc9000d4878e8 EFLAGS: 00010246
[   58.439091][ T5326] RAX: ac5646813a95ec00 RBX: ffff888042cfa0e4 RCX: 0000000000040000
[   58.442026][ T5326] RDX: ffffc9000db71000 RSI: 0000000000000a42 RDI: 0000000000000a43
[   58.444897][ T5326] RBP: 0000000000000003 R08: ffffffff8155e312 R09: 1ffff11003f8519a
[   58.447637][ T5326] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff88801218f868
[   58.450438][ T5326] R13: ffff888042cfa0e4 R14: 1ffff11002431f18 R15: ffff88801218f800
[   58.453359][ T5326]  ? __warn_printk+0x292/0x360
[   58.455057][ T5326]  ? refcount_warn_saturate+0x159/0x1d0
[   58.457315][ T5326]  j1939_session_put+0x1ed/0x440
[   58.459211][ T5326]  j1939_sk_sendmsg+0x121b/0x14c0
[   58.461129][ T5326]  ? __pfx_j1939_sk_sendmsg+0x10/0x10
[   58.463029][ T5326]  ? __import_iovec+0x590/0x870
[   58.464810][ T5326]  ? aa_sock_msg_perm+0x91/0x160
[   58.466668][ T5326]  ? __pfx_j1939_sk_sendmsg+0x10/0x10
[   58.468684][ T5326]  __sock_sendmsg+0x221/0x270
[   58.470459][ T5326]  ____sys_sendmsg+0x52a/0x7e0
[   58.472253][ T5326]  ? __pfx_____sys_sendmsg+0x10/0x10
[   58.474126][ T5326]  ? __fget_files+0x2a/0x410
[   58.475874][ T5326]  ? __fget_files+0x2a/0x410
[   58.477558][ T5326]  __sys_sendmsg+0x269/0x350
[   58.479257][ T5326]  ? __pfx___sys_sendmsg+0x10/0x10
[   58.481178][ T5326]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   58.483552][ T5326]  ? do_syscall_64+0x100/0x230
[   58.485307][ T5326]  ? do_syscall_64+0xb6/0x230
[   58.487135][ T5326]  do_syscall_64+0xf3/0x230
[   58.488816][ T5326]  ? clear_bhb_loop+0x35/0x90
[   58.490631][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   58.492853][ T5326] RIP: 0033:0x7f040137e759
[   58.494534][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   58.501472][ T5326] RSP: 002b:00007f0402140038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   58.504428][ T5326] RAX: ffffffffffffffda RBX: 00007f0401535f80 RCX: 00007f040137e759
[   58.507360][ T5326] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000005
[   58.510155][ T5326] RBP: 00007f04013f175e R08: 0000000000000000 R09: 0000000000000000
[   58.513120][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   58.516307][ T5326] R13: 0000000000000000 R14: 00007f0401535f80 R15: 00007ffe875a7a98
[   58.519182][ T5326]  </TASK>
[   58.520573][ T5326] Kernel Offset: disabled
[   58.522269][ T5326] Rebooting in 86400 seconds..