syzbot

------------[ cut here ]------------
WARNING: CPU: 0 PID: 5750 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28
refcount_t: underflow; use-after-free.
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 5750 Comm: syz.0.386 Not tainted 6.12.0-syzkaller #0
Hardware name: ARM-Versatile Express
Call trace: frame pointer underflow
[<819b7fb8>] (dump_backtrace) from [<819b80b4>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:82623304 r5:00000000 r4:820413b8
[<819b809c>] (show_stack) from [<819d60dc>] (__dump_stack lib/dump_stack.c:94 [inline])
[<819b809c>] (show_stack) from [<819d60dc>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<819d6088>] (dump_stack_lvl) from [<819d611c>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000000 r4:82874d18
[<819d6104>] (dump_stack) from [<819b8be0>] (panic+0x120/0x374 kernel/panic.c:354)
[<819b8ac0>] (panic) from [<802426d0>] (check_panic_on_warn kernel/panic.c:243 [inline])
[<819b8ac0>] (panic) from [<802426d0>] (get_taint+0x0/0x1c kernel/panic.c:238)
 r3:8260c604 r2:00000001 r1:82029878 r0:82031344
 r7:8084bbd8
[<8024265c>] (check_panic_on_warn) from [<80242834>] (__warn+0x80/0x188 kernel/panic.c:748)
[<802427b4>] (__warn) from [<80242b24>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:783)
 r8:00000009 r7:8209017c r6:df801c64 r5:84086c00 r4:00000000
[<80242940>] (warn_slowpath_fmt) from [<8084bbd8>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28)
 r10:20000113 r9:848b0d5c r8:85170480 r7:00000000 r6:818444c4 r5:00000002
 r4:85170480
[<8084ba9c>] (refcount_warn_saturate) from [<814aa974>] (__refcount_sub_and_test include/linux/refcount.h:275 [inline])
[<8084ba9c>] (refcount_warn_saturate) from [<814aa974>] (__refcount_dec_and_test include/linux/refcount.h:307 [inline])
[<8084ba9c>] (refcount_warn_saturate) from [<814aa974>] (refcount_dec_and_test include/linux/refcount.h:325 [inline])
[<8084ba9c>] (refcount_warn_saturate) from [<814aa974>] (skb_unref include/linux/skbuff.h:1233 [inline])
[<8084ba9c>] (refcount_warn_saturate) from [<814aa974>] (__sk_skb_reason_drop net/core/skbuff.c:1213 [inline])
[<8084ba9c>] (refcount_warn_saturate) from [<814aa974>] (sk_skb_reason_drop+0x1d8/0x248 net/core/skbuff.c:1241)
[<814aa79c>] (sk_skb_reason_drop) from [<818444c4>] (kfree_skb_reason include/linux/skbuff.h:1263 [inline])
[<814aa79c>] (sk_skb_reason_drop) from [<818444c4>] (kfree_skb include/linux/skbuff.h:1272 [inline])
[<814aa79c>] (sk_skb_reason_drop) from [<818444c4>] (j1939_session_skb_drop_old net/can/j1939/transport.c:347 [inline])
[<814aa79c>] (sk_skb_reason_drop) from [<818444c4>] (j1939_xtp_rx_cts_one net/can/j1939/transport.c:1445 [inline])
[<814aa79c>] (sk_skb_reason_drop) from [<818444c4>] (j1939_xtp_rx_cts+0x220/0x3d0 net/can/j1939/transport.c:1484)
 r9:848b0d5c r8:85170480 r7:85392918 r6:00000df2 r5:848b0d00 r4:848b0d14
[<818442a4>] (j1939_xtp_rx_cts) from [<81845438>] (j1939_tp_cmd_recv net/can/j1939/transport.c:2089 [inline])
[<818442a4>] (j1939_xtp_rx_cts) from [<81845438>] (j1939_tp_recv+0x3f4/0x530 net/can/j1939/transport.c:2161)
 r10:dddd0e88 r9:00000040 r8:85392910 r7:840f4000 r6:840f4008 r5:840f4000
 r4:850af180
[<81845044>] (j1939_tp_recv) from [<8183eed0>] (j1939_can_recv+0x1e4/0x2dc net/can/j1939/main.c:108)
 r7:840f4000 r6:840f4008 r5:840f4810 r4:850af180
[<8183ecec>] (j1939_can_recv) from [<81834b94>] (deliver net/can/af_can.c:573 [inline])
[<8183ecec>] (j1939_can_recv) from [<81834b94>] (can_rcv_filter+0x9c/0x218 net/can/af_can.c:607)
 r9:00000040 r8:853c86c0 r7:98c80000 r6:850af000 r5:00000001 r4:847a26c0
[<81834af8>] (can_rcv_filter) from [<81835610>] (can_receive+0xb4/0xf0 net/can/af_can.c:664)
 r9:00000040 r8:00000000 r7:853c8000 r6:8472fa40 r5:84af0d40 r4:850af000
[<8183555c>] (can_receive) from [<818356d0>] (can_rcv+0x84/0xac net/can/af_can.c:688)
 r9:00000040 r8:00000001 r7:00000000 r6:00000000 r5:8183564c r4:850af000
[<8183564c>] (can_rcv) from [<814cc17c>] (__netif_receive_skb_one_core+0x5c/0x80 net/core/dev.c:5672)
 r5:8183564c r4:853c8000
[<814cc120>] (__netif_receive_skb_one_core) from [<814cc1e8>] (__netif_receive_skb+0x18/0x5c net/core/dev.c:5785)
 r5:dddd0f70 r4:850af000
[<814cc1d0>] (__netif_receive_skb) from [<814cc4f0>] (process_backlog+0xa0/0x17c net/core/dev.c:6117)
 r5:dddd0f70 r4:850af000
[<814cc450>] (process_backlog) from [<814cd3f0>] (__napi_poll+0x34/0x240 net/core/dev.c:6877)
 r10:dddd0e80 r9:dddd10c0 r8:df801ea0 r7:df801e9b r6:00000040 r5:dddd0f70
 r4:00000001
[<814cd3bc>] (__napi_poll) from [<814cdc64>] (napi_poll net/core/dev.c:6946 [inline])
[<814cd3bc>] (__napi_poll) from [<814cdc64>] (net_rx_action+0x358/0x440 net/core/dev.c:7068)
 r9:dddd10c0 r8:df801ea0 r7:0000012c r6:00001b83 r5:dddd0f70 r4:00000000
[<814cd90c>] (net_rx_action) from [<8024ba68>] (handle_softirqs+0x158/0x464 kernel/softirq.c:554)
 r10:00000008 r9:84086c00 r8:00000101 r7:00400140 r6:00000003 r5:00000004
 r4:8260408c
[<8024b910>] (handle_softirqs) from [<8024bed0>] (__do_softirq kernel/softirq.c:588 [inline])
[<8024b910>] (handle_softirqs) from [<8024bed0>] (invoke_softirq kernel/softirq.c:428 [inline])
[<8024b910>] (handle_softirqs) from [<8024bed0>] (__irq_exit_rcu+0x110/0x1d0 kernel/softirq.c:655)
 r10:20080000 r9:84086c00 r8:00000000 r7:dfb29c90 r6:821e34dc r5:82223e4c
 r4:84086c00
[<8024bdc0>] (__irq_exit_rcu) from [<8024c248>] (irq_exit+0x10/0x18 kernel/softirq.c:683)
 r5:82223e4c r4:824bca74
[<8024c238>] (irq_exit) from [<819d6ab8>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
[<819d6a3c>] (generic_handle_arch_irq) from [<8198744c>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:84086c00 r8:844e9b40 r7:dfb29cc4 r6:ffffffff r5:20000113 r4:8027c76c
[<81987430>] (call_with_stack) from [<80200bcc>] (__irq_svc+0x8c/0xbc arch/arm/kernel/entry-armv.S:227)
Exception stack(0xdfb29c90 to 0xdfb29cd8)
9c80:                                     00000001 820413b8 00000000 00000000
9ca0: 84086c00 dddd0180 00000001 853be700 844e9b40 dee5800c 20080000 dfb29d04
9cc0: dfb29cd0 dfb29ce0 80284ce4 8027c76c 20000113 ffffffff
[<80284c10>] (migrate_enable) from [<80492dac>] (kunmap_local_indexed+0x13c/0x224 mm/highmem.c:631)
 r5:84086c00 r4:ffefd000
[<80492c70>] (kunmap_local_indexed) from [<80499cb0>] (__kunmap_local include/linux/highmem-internal.h:94 [inline])
[<80492c70>] (kunmap_local_indexed) from [<80499cb0>] (finish_fault+0x1a0/0x3a0 mm/memory.c:5167)
 r7:853be700 r6:00000003 r5:00000000 r4:dfb29da0
[<80499b10>] (finish_fault) from [<8049b224>] (do_read_fault mm/memory.c:5301 [inline])
[<80499b10>] (finish_fault) from [<8049b224>] (do_fault mm/memory.c:5431 [inline])
[<80499b10>] (finish_fault) from [<8049b224>] (do_pte_missing mm/memory.c:3965 [inline])
[<80499b10>] (finish_fault) from [<8049b224>] (handle_pte_fault mm/memory.c:5766 [inline])
[<80499b10>] (finish_fault) from [<8049b224>] (__handle_mm_fault mm/memory.c:5909 [inline])
[<80499b10>] (finish_fault) from [<8049b224>] (handle_mm_fault+0xc18/0x135c mm/memory.c:6077)
 r10:00000000 r9:853be700 r8:00000200 r7:00000000 r6:20080000 r5:84086c00
 r4:00000014
[<8049a60c>] (handle_mm_fault) from [<8048ed3c>] (faultin_page mm/gup.c:1187 [inline])
[<8049a60c>] (handle_mm_fault) from [<8048ed3c>] (__get_user_pages+0x23c/0x664 mm/gup.c:1485)
 r10:00000080 r9:20080000 r8:84086c00 r7:00000000 r6:00000014 r5:844e9b40
 r4:00210008
[<8048eb00>] (__get_user_pages) from [<8049145c>] (populate_vma_page_range+0xd8/0x140 mm/gup.c:1923)
 r10:20000000 r9:853be784 r8:853be700 r7:dfb29ec0 r6:20000000 r5:844e9b40
 r4:00b36000
[<80491384>] (populate_vma_page_range) from [<804919d0>] (__mm_populate+0x11c/0x1b8 mm/gup.c:2026)
 r8:00000001 r7:853be700 r6:20b36000 r5:20b36000 r4:844e9b40
[<804918b4>] (__mm_populate) from [<80474568>] (mm_populate include/linux/mm.h:3384 [inline])
[<804918b4>] (__mm_populate) from [<80474568>] (vm_mmap_pgoff+0x128/0x18c mm/util.c:593)
 r10:853be700 r9:00b36000 r8:20000000 r7:00000000 r6:dfb29f20 r5:06ebbeee
 r4:20000000
[<80474440>] (vm_mmap_pgoff) from [<804a33b0>] (ksys_mmap_pgoff+0x48/0xec mm/mmap.c:542)
 r10:000000c0 r9:84086c00 r8:8020029c r7:20000000 r6:00b36000 r5:06ebbeee
 r4:00008031
[<804a3368>] (ksys_mmap_pgoff) from [<804a3470>] (__do_sys_mmap_pgoff mm/mmap.c:553 [inline])
[<804a3368>] (ksys_mmap_pgoff) from [<804a3470>] (sys_mmap_pgoff+0x1c/0x24 mm/mmap.c:549)
 r8:8020029c r7:000000c0 r6:002862fc r5:00000000 r4:ffffffff
[<804a3454>] (sys_mmap_pgoff) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfb29fa8 to 0xdfb29ff0)
9fa0:                   ffffffff 00000000 20000000 00b36000 06ebbeee 00008031
9fc0: ffffffff 00000000 002862fc 000000c0 00000000 00006364 003d0f00 76b2e0bc
9fe0: 76b2dec0 76b2deb0 00018af0 00133450
Rebooting in 86400 seconds..