syzbot


WARNING: refcount bug in ession

Status: moderation: reported on 2024/11/15 00:22
Subsystems: can
Reported-by: syzbot+27f541b545a54f6e95aa@syzkaller.appspotmail.com
First crash: 7d01h, last: 7d01h

Sample crash report:
May 18 03:33:47 syzkaller kern.alert kernel: [  681.469552][    C3] vxcan1: j1939_tp_rxtimer: 0xffff888011d9d000: rx timeout, send abort
May 18 03:33:47 syzkaller kern.info kernel: [  681.474648][    C3] vxcan1: j1939_xtp_rx_abort_one: 0xffff888011d9d000: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
May 18 03:33:47 syzkaller kern.warn kernel: [  681.479227][    C3] ------------[ cut here ]------------
May 18 03:33:47 syzkaller kern.warn kernel: [  681.480722][    C3] refcount_t: underflow; use-after-free.
May 18 03:33:47 syzkaller kern.warn kernel: [  681.482455][    C3] WARNING: CPU: 3 PID: 26421 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28

[  681.482455][    C3] WARNING: CPU: 3 PID: 26421 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
[  681.485466][    C3] Modules linked in:
[  681.487011][    C3] CPU: 3 UID: 0 PID: 26421 Comm: syz-executor Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
[  681.492321][    C3] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  681.492349][    C3] Code: ff 89 de e8 28 01 03 fd 84 db 0f 85 66 ff ff ff e8 3b ff 02 fd c6 05 01 0e 7c 0b 01 90 48 c7 c7 a0 ec b0 8b e8 67 7e c4 fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 18 ff 02 fd 0f b6 1d dc 0d 7c 0b 31
[  681.492359][    C3] RSP: 0018:ffffc900005f0920 EFLAGS: 00010286
[  681.507008][    C3] RDX: ffff8880267e2440 RSI: ffffffff814e2566 RDI: 0000000000000001
[  681.510069][    C3] RBP: ffff88804e3e5624 R08: 0000000000000001 R09: 0000000000000000
[  681.512777][    C3] R10: 0000000000000000 R11: ffffffff815f473e R12: 0000000000000002
[  681.519452][    C3] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  681.521645][    C3] CR2: 00000000f74a5004 CR3: 000000006a3c6000 CR4: 0000000000352ef0
[  681.524255][    C3] DR0: 0000000000000003 DR1: 0000000000000004 DR2: 0000000100000000
[  681.524272][    C3] Call Trace:
[  681.524283][    C3]  ? __warn+0xea/0x3d0 kernel/panic.c:746
[  681.524300][    C3]  ? refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
[  681.536018][    C3]  ? handle_bug+0x54/0xa0 arch/x86/kernel/traps.c:285
[  681.537512][    C3]  ? exc_invalid_op+0x17/0x50 arch/x86/kernel/traps.c:309
[  681.540561][    C3]  ? rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
[  681.540561][    C3]  ? rcu_read_lock include/linux/rcupdate.h:849 [inline]
[  681.540561][    C3]  ? select_task_rq_fair+0x36e/0x44e0 kernel/sched/fair.c:8620
[  681.540578][    C3]  ? warn_rcu_exit include/linux/context_tracking.h:161 [inline]
[  681.540578][    C3]  ? __warn_printk+0x199/0x350 kernel/panic.c:799
[  681.540604][    C3]  ? refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
[  681.547673][    C3]  __refcount_sub_and_test include/linux/refcount.h:275 [inline]
[  681.547673][    C3]  __refcount_dec_and_test include/linux/refcount.h:307 [inline]
[  681.547673][    C3]  refcount_dec_and_test include/linux/refcount.h:325 [inline]
[  681.547673][    C3]  skb_unref include/linux/skbuff.h:1232 [inline]
[  681.547673][    C3]  __sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
[  681.547673][    C3]  sk_skb_reason_drop+0x183/0x1a0 net/core/skbuff.c:1241
[  681.550796][    C3]  __j1939_session_release net/can/j1939/transport.c:294 [inline]
[  681.550796][    C3]  kref_put include/linux/kref.h:65 [inline]
[  681.550796][    C3]  j1939_session_put net/can/j1939/transport.c:299 [inline]
[  681.550796][    C3]  j1939_xtp_rx_abort_one+0x3f9/0x560 net/can/j1939/transport.c:1354
[  681.552588][    C3]  j1939_xtp_rx_abort net/can/j1939/transport.c:1362 [inline]
[  681.552588][    C3]  j1939_tp_cmd_recv net/can/j1939/transport.c:2128 [inline]
[  681.552588][    C3]  j1939_tp_recv+0xcf8/0xf50 net/can/j1939/transport.c:2161
[  681.555827][    C3]  j1939_can_recv net/can/j1939/main.c:108 [inline]
[  681.555827][    C3]  j1939_can_recv+0x78f/0xa50 net/can/j1939/main.c:34
[  681.557185][    C3]  ? __pfx_j1939_can_recv+0x10/0x10 include/linux/netdevice.h:2554
[  681.558915][    C3]  ? __pfx_lock_acquire.part.0+0x10/0x10 kernel/locking/lockdep.c:122
[  681.562072][    C3]  ? trace_lock_acquire+0x14a/0x1d0 include/trace/events/lock.h:24
[  681.563804][    C3]  ? __pfx_j1939_can_recv+0x10/0x10 include/linux/netdevice.h:2554
[  681.565655][    C3]  deliver net/can/af_can.c:572 [inline]
[  681.565655][    C3]  can_rcv_filter+0x2a8/0x900 net/can/af_can.c:606
[  681.567342][    C3]  can_receive+0x320/0x5c0 net/can/af_can.c:663
[  681.568913][    C3]  ? __pfx_can_rcv+0x10/0x10 net/can/af_can.c:309
[  681.570504][    C3]  can_rcv+0x1e2/0x280 net/can/af_can.c:687
[  681.571970][    C3]  __netif_receive_skb_one_core+0x1b1/0x1e0 net/core/dev.c:5670
[  681.571990][    C3]  ? __pfx___netif_receive_skb_one_core+0x10/0x10 net/core/dev.c:5712
[  681.572007][    C3]  ? trace_lock_acquire+0x14a/0x1d0 include/trace/events/lock.h:24
[  681.572035][    C3]  ? local_lock_release include/linux/local_lock_internal.h:38 [inline]
[  681.572035][    C3]  ? process_backlog+0x3f1/0x15f0 net/core/dev.c:6113
[  681.581352][    C3]  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5783
[  681.585407][    C3]  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6779

Crashes (1):
Time: 2024/11/11 00:15
Kernel: upstream
Commit: a9cda7c0ffed
Syzkaller: 6b856513
Config: .config
Log: console log
Report: report
Syz repro: -
C repro: -
VM info: info
Assets: [disk image (non-bootable)] [vmlinux] [kernel image]
Manager: ci-qemu-upstream-386
Title: WARNING: refcount bug in ession