------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 7697 at lib/refcount.c:25 refcount_warn_saturate+0x1ca/0x210 lib/refcount.c:25
Modules linked in:
CPU: 0 UID: 0 PID: 7697 Comm: kworker/u8:14 Not tainted 6.15.0-syzkaller-08297-ge0797d3b91de #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net
RIP: 0010:refcount_warn_saturate+0x1ca/0x210 lib/refcount.c:25
Code: ff 89 de e8 68 c2 e2 fc 84 db 0f 85 e6 fe ff ff e8 7b c7 e2 fc c6 05 11 0b 97 0b 01 90 48 c7 c7 40 da f4 8b e8 67 f6 a1 fc 90 <0f> 0b 90 90 e9 c3 fe ff ff e8 58 c7 e2 fc c6 05 ec 0a 97 0b 01 90
RSP: 0018:ffffc900000078b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ad908
RDX: ffff888058a6a440 RSI: ffffffff817ad915 RDI: 0000000000000001
RBP: ffff88802523016c R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000075588 R12: ffff88802523016c
R13: ffff888025230000 R14: ffff888143298400 R15: ffff88805b622a00
FS:  0000000000000000(0000) GS:ffff888124970000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000001000 CR3: 0000000079b8d000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_add include/linux/refcount.h:289 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 get_net include/net/net_namespace.h:268 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
 tipc_crypto_xmit+0x20c1/0x2550 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x15f/0x430 net/tipc/bearer.c:572
 tipc_disc_timeout+0x5b2/0x850 net/tipc/discover.c:338
 call_timer_fn+0x197/0x620 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers+0x6ef/0x960 kernel/time/timer.c:2372
 __run_timer_base kernel/time/timer.c:2384 [inline]
 __run_timer_base kernel/time/timer.c:2376 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2393
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:rol32 include/linux/bitops.h:127 [inline]
RIP: 0010:jhash2 include/linux/jhash.h:129 [inline]
RIP: 0010:hash_stack lib/stackdepot.c:514 [inline]
RIP: 0010:stack_depot_save_flags+0xc5/0xa40 lib/stackdepot.c:615
Code: c7 08 31 f8 89 c7 29 c2 44 01 c8 c1 c7 10 31 fa 89 d7 41 29 d1 44 8d 2c 02 c1 cf 0d 41 31 f9 44 29 c8 89 c7 44 89 c8 45 01 e9 <c1> c0 04 31 f8 83 fe 03 77 92 83 fe 02 0f 84 0b 01 00 00 83 fe 03
RSP: 0018:ffffc900057a7660 EFLAGS: 00000287
RAX: 00000000ea76c37c RBX: 0000000000000013 RCX: ffffc900057a7704
RDX: 00000000e069a213 RSI: 0000000000000017 RDI: 00000000f86d6873
RBP: 0000000000000000 R08: ffffffff9116648c R09: 00000000adc4917e
R10: 0000000000000000 R11: 0000000000002be0 R12: 0000000000000000
R13: 00000000c34dce02 R14: ffffc900057a76c8 R15: 0000000000000013
 kasan_save_stack+0x42/0x60 mm/kasan/common.c:48
 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:548
 __call_rcu_common.constprop.0+0x9a/0x9f0 kernel/rcu/tree.c:3090
 sk_destruct+0x92/0xf0 net/core/sock.c:2407
 __sk_free+0xf4/0x3e0 net/core/sock.c:2420
 sk_free+0x6a/0x90 net/core/sock.c:2431
 sock_put include/net/sock.h:1960 [inline]
 sk_common_release+0x21c/0x330 net/core/sock.c:3979
 inet_release+0x13c/0x280 net/ipv4/af_inet.c:435
 inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487
 __sock_release net/socket.c:647 [inline]
 sock_release+0x91/0x1d0 net/socket.c:675
 sock_free drivers/net/wireguard/socket.c:339 [inline]
 wg_socket_reinit+0x218/0x3d0 drivers/net/wireguard/socket.c:436
 wg_netns_pre_exit+0x10d/0x230 drivers/net/wireguard/device.c:423
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 ops_undo_list+0x187/0xab0 net/core/net_namespace.c:235
 cleanup_net+0x408/0x890 net/core/net_namespace.c:686
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	08 31                	or     %dh,(%rcx)
   2:	f8                   	clc
   3:	89 c7                	mov    %eax,%edi
   5:	29 c2                	sub    %eax,%edx
   7:	44 01 c8             	add    %r9d,%eax
   a:	c1 c7 10             	rol    $0x10,%edi
   d:	31 fa                	xor    %edi,%edx
   f:	89 d7                	mov    %edx,%edi
  11:	41 29 d1             	sub    %edx,%r9d
  14:	44 8d 2c 02          	lea    (%rdx,%rax,1),%r13d
  18:	c1 cf 0d             	ror    $0xd,%edi
  1b:	41 31 f9             	xor    %edi,%r9d
  1e:	44 29 c8             	sub    %r9d,%eax
  21:	89 c7                	mov    %eax,%edi
  23:	44 89 c8             	mov    %r9d,%eax
  26:	45 01 e9             	add    %r13d,%r9d
* 29:	c1 c0 04             	rol    $0x4,%eax <-- trapping instruction
  2c:	31 f8                	xor    %edi,%eax
  2e:	83 fe 03             	cmp    $0x3,%esi
  31:	77 92                	ja     0xffffffc5
  33:	83 fe 02             	cmp    $0x2,%esi
  36:	0f 84 0b 01 00 00    	je     0x147
  3c:	83 fe 03             	cmp    $0x3,%esi