syzbot

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#0: ktimers/0/16
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)} 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25
Code: eb 66 85 db 74 3e 83 fb 01 75 4c e8 fb c3 32 fd 48 8d 3d 04 7b c1 0a 67 48 0f b9 3a eb 4a e8 e8 c3 32 fd 48 8d 3d 01 7b c1 0a <67> 48 0f b9 3a eb 37 e8 d5 c3 32 fd 48 8d 3d fe 7a c1 0a 67 48 0f
RSP: 0018:ffffc90000157968 EFLAGS: 00010246
RAX: ffffffff84907088 RBX: 0000000000000002 RCX: ffff88801c6ddac0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffffff8f51eb90
RBP: 0000000000000000 R08: ffff88801c6ddac0 R09: 0000000000000005
R10: 0000000000000100 R11: 0000000000000004 R12: dffffc0000000000
R13: 0000000000000001 R14: ffff888036cda004 R15: ffff888036cda640
FS:  0000000000000000(0000) GS:ffff8881265c9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000404030 CR3: 000000000d9b4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 sctp_generate_timeout_event+0x1c8/0x390 net/sctp/sm_sideeffect.c:284
 call_timer_fn+0x192/0x5a0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2373 [inline]
 __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2385
 run_timer_base kernel/time/timer.c:2394 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2404
 handle_softirqs+0x1de/0x640 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0x69/0x100 kernel/softirq.c:1138
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
----------------
Code disassembly (best guess):
   0:	eb 66                	jmp    0x68
   2:	85 db                	test   %ebx,%ebx
   4:	74 3e                	je     0x44
   6:	83 fb 01             	cmp    $0x1,%ebx
   9:	75 4c                	jne    0x57
   b:	e8 fb c3 32 fd       	call   0xfd32c40b
  10:	48 8d 3d 04 7b c1 0a 	lea    0xac17b04(%rip),%rdi        # 0xac17b1b
  17:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  1c:	eb 4a                	jmp    0x68
  1e:	e8 e8 c3 32 fd       	call   0xfd32c40b
  23:	48 8d 3d 01 7b c1 0a 	lea    0xac17b01(%rip),%rdi        # 0xac17b2b
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	eb 37                	jmp    0x68
  31:	e8 d5 c3 32 fd       	call   0xfd32c40b
  36:	48 8d 3d fe 7a c1 0a 	lea    0xac17afe(%rip),%rdi        # 0xac17b3b
  3d:	67                   	addr32
  3e:	48                   	rex.W
  3f:	0f                   	.byte 0xf