------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 3923 at lib/refcount.c:25 refcount_warn_saturate+0x8c/0x140 lib/refcount.c:25
Modules linked in:
CPU: 1 UID: 0 PID: 3923 Comm: syz-executor Not tainted 6.15.0-rc6-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:refcount_warn_saturate+0x8c/0x140 lib/refcount.c:25
Code: ff 90 0f 0b 90 90 e9 d3 b8 5b 01 cc 80 3d 05 05 c6 02 00 75 b8 c6 05 fc 04 c6 02 01 90 48 c7 c7 6b 49 fb 83 e8 d5 ce 57 ff 90 <0f> 0b 90 90 c3 cc cc cc cc cc 80 3d de 04 c6 02 00 75 90 c6 05 d5
RSP: 0018:ffffc90000128c60 EFLAGS: 00010246
RAX: c42bb32bd25bb700 RBX: ffff88811f033200 RCX: 0000000000000100
RDX: 0000000000000002 RSI: 00000000ffffdfff RDI: 00000000ffffffff
RBP: ffff88810c8b5848 R08: 0000000000001fff R09: ffffffff844fda50
R10: 0000000000005ffd R11: 00000000ffffdfff R12: ffff88810c8b5a28
R13: ffff88810c8b5838 R14: ffff8881067c1000 R15: 0000000000000248
FS:  000055556c4ac500(0000) GS:ffff8881b6309000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f98d76cb6b0 CR3: 000000010d292000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 get_net include/net/net_namespace.h:268 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
 tipc_crypto_xmit+0x8ec/0xa10 net/tipc/crypto.c:1761
 tipc_crypto_clone_msg+0x63/0xd0 net/tipc/crypto.c:1656
 tipc_crypto_xmit+0x91e/0xa10 net/tipc/crypto.c:1717
 tipc_bearer_xmit_skb+0x100/0x170 net/tipc/bearer.c:572
 tipc_disc_timeout+0x210/0x2a0 net/tipc/discover.c:338
 call_timer_fn+0xcc/0x2d0 kernel/time/timer.c:1789
 expire_timers kernel/time/timer.c:1840 [inline]
 __run_timers kernel/time/timer.c:2414 [inline]
 __run_timer_base+0x1b5/0x240 kernel/time/timer.c:2426
 run_timer_base kernel/time/timer.c:2435 [inline]
 run_timer_softirq+0x3a/0x70 kernel/time/timer.c:2445
 handle_softirqs+0x11b/0x3a0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x52/0x120 kernel/softirq.c:680
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x92/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:create_files fs/sysfs/group.c:54 [inline]
RIP: 0010:internal_create_group+0x218/0x500 fs/sysfs/group.c:183
Code: 8b 44 24 18 89 44 24 10 49 8b 5d 20 48 85 db 0f 84 b1 00 00 00 48 8b 03 48 85 c0 0f 84 a5 00 00 00 31 ed eb 11 48 8b 44 eb 08 <48> ff c5 48 85 c0 0f 84 90 00 00 00 44 0f b7 60 08 45 85 ff 74 0d
RSP: 0018:ffffc90002c97af8 EFLAGS: 00000246
RAX: ffffffff8483a7e0 RBX: ffffffff8414a3b0 RCX: 0000000000000000
RDX: eaa80ef672c38389 RSI: ffffffff840f2807 RDI: 00000000ffffffff
RBP: 0000000000000009 R08: 0000000000000000 R09: ffff888102acd4c0
R10: 0000000000000003 R11: ffff888100a8e800 R12: 0000000000000124
R13: ffffffff83714cf0 R14: ffff8881138cb420 R15: 0000000000000000
 internal_create_groups fs/sysfs/group.c:223 [inline]
 sysfs_create_groups+0x2f/0x80 fs/sysfs/group.c:249
 device_add_groups drivers/base/core.c:2839 [inline]
 device_add_attrs+0x3f/0x1e0 drivers/base/core.c:2903
 device_add+0x1d2/0x440 drivers/base/core.c:3646
 netdev_register_kobject+0x88/0x140 net/core/net-sysfs.c:2336
 register_netdevice+0x46b/0x900 net/core/dev.c:10999
 __ip_tunnel_create+0x1db/0x2a0 net/ipv4/ip_tunnel.c:268
 ip_tunnel_init_net+0x161/0x2f0 net/ipv4/ip_tunnel.c:1161
 ops_init+0x70/0x170 net/core/net_namespace.c:138
 setup_net+0xc4/0x310 net/core/net_namespace.c:364
 copy_net_ns+0x25b/0x390 net/core/net_namespace.c:518
 create_new_namespaces+0x11a/0x210 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x79/0xa0 kernel/nsproxy.c:228
 ksys_unshare+0x1da/0x350 kernel/fork.c:3375
 __do_sys_unshare kernel/fork.c:3446 [inline]
 __se_sys_unshare kernel/fork.c:3444 [inline]
 __x64_sys_unshare+0xd/0x20 kernel/fork.c:3444
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc694990167
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff3c7e6ea8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc694990167
RDX: 0000000000000005 RSI: 0000000000000002 RDI: 0000000040000000
RBP: 00007fff3c7e6f10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 00007fff3c7e6f10
R13: 00007fff3c7e6f18 R14: 0000000000000009 R15: 0000000000000000
 </TASK>
----------------
Code disassembly (best guess):
   0:	8b 44 24 18          	mov    0x18(%rsp),%eax
   4:	89 44 24 10          	mov    %eax,0x10(%rsp)
   8:	49 8b 5d 20          	mov    0x20(%r13),%rbx
   c:	48 85 db             	test   %rbx,%rbx
   f:	0f 84 b1 00 00 00    	je     0xc6
  15:	48 8b 03             	mov    (%rbx),%rax
  18:	48 85 c0             	test   %rax,%rax
  1b:	0f 84 a5 00 00 00    	je     0xc6
  21:	31 ed                	xor    %ebp,%ebp
  23:	eb 11                	jmp    0x36
  25:	48 8b 44 eb 08       	mov    0x8(%rbx,%rbp,8),%rax
* 2a:	48 ff c5             	inc    %rbp <-- trapping instruction
  2d:	48 85 c0             	test   %rax,%rax
  30:	0f 84 90 00 00 00    	je     0xc6
  36:	44 0f b7 60 08       	movzwl 0x8(%rax),%r12d
  3b:	45 85 ff             	test   %r15d,%r15d
  3e:	74 0d                	je     0x4d