------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 29 at lib/refcount.c:28 refcount_warn_saturate+0x11a/0x1d0 lib/refcount.c:28
Modules linked in:
CPU: 1 UID: 0 PID: 29 Comm: ktimers/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:refcount_warn_saturate+0x11a/0x1d0 lib/refcount.c:28
Code: c0 2e 3d 8b e8 a7 9d 09 fd 90 0f 0b 90 90 eb d7 e8 6b 56 45 fd c6 05 30 22 47 0a 01 90 48 c7 c7 20 2f 3d 8b e8 87 9d 09 fd 90 <0f> 0b 90 90 eb b7 e8 4b 56 45 fd c6 05 0d 22 47 0a 01 90 48 c7 c7
RSP: 0000:ffffc90000a3f7a8 EFLAGS: 00010246
RAX: b3930126bc6a1200 RBX: 0000000000000003 RCX: ffff88801be99e00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000100
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000100
R10: dffffc0000000000 R11: ffffed101712487b R12: ffffffff99096901
R13: ffff888050bae000 R14: ffff888050bae080 R15: ffff888050bae070
FS:  0000000000000000(0000) GS:ffff888126ef7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f117ff8 CR3: 000000000d3a6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __inet_csk_reqsk_queue_drop+0x2c3/0x340 net/ipv4/inet_connection_sock.c:1039
 reqsk_timer_handler+0x80b/0xcd0 net/ipv4/inet_connection_sock.c:1166
 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x648/0x970 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0x67/0x180 kernel/time/timer.c:2401
 handle_softirqs+0x22f/0x710 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0xcf/0x190 kernel/softirq.c:1138
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>