program: r0 = socket$can_j1939(0x1d, 0x2, 0x7) r1 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0x1b, 0x0, 0x0, 0x8000, 0x0, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000240)=ANY=[@ANYBLOB="1800000000000000000000000000000018120000", @ANYRES32=r1, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000002010000850000004300000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000240)=ANY=[], &(0x7f00000002c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000001c0)={&(0x7f0000000080)='kmem_cache_free\x00', r2}, 0x10) ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000000)={'vcan0\x00', 0x0}) bind$can_j1939(r0, &(0x7f00000000c0)={0x1d, r3}, 0x18) connect$can_j1939(r0, &(0x7f0000000140)={0x1d, r3}, 0x18) sendmmsg(r0, &(0x7f0000003e40)=[{{0x0, 0x0, &(0x7f0000000100)=[{&(0x7f00000001c0)="b875a1431a05b9319c", 0x9}], 0x1}}], 0x1, 0x0) recvmmsg(r0, &(0x7f0000000180)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000200)=""/189}, {&(0x7f00000002c0)=""/182}, {&(0x7f0000000380)=""/4096}, {&(0x7f0000001380)=""/198}, {&(0x7f0000001480)=""/169}, {&(0x7f0000001540)=""/4096}], 0x10, &(0x7f0000002540)=""/216}}], 0x2, 0x0, 0x0) sendmmsg$inet(r0, &(0x7f0000002880)=[{{0x0, 0x0, &(0x7f00000027c0)=[{&(0x7f0000000180)="f102", 0x2}, {&(0x7f0000002640)="f5f2de5f96a1ca", 0x7}], 0x2}}], 0x1, 0x0) [ 71.117258][ T5299] Bluetooth: hci0: command tx timeout [ 71.213127][ C0] ------------[ cut here ]------------ [ 71.215297][ C0] refcount_t: underflow; use-after-free. [ 71.217686][ C0] WARNING: CPU: 0 PID: 16 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 [ 71.221308][ C0] Modules linked in: [ 71.222751][ C0] CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0 [ 71.226502][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 71.230501][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 71.232934][ C0] Code: e0 1e 5f 8c e8 87 c5 95 fc 90 0f 0b 90 90 eb 99 e8 2b 1e d5 fc c6 05 6d 2c 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 67 c5 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 08 1e d5 fc c6 05 47 2c 39 0b 01 90 [ 71.240387][ C0] RSP: 0018:ffffc9000042f4c0 EFLAGS: 00010246 [ 71.242847][ C0] RAX: 1c352f075146b500 RBX: ffff88803f1ee724 RCX: ffff88801cad8000 [ 71.246046][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 71.249048][ C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: 1ffff11003f8519a [ 71.252223][ C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888043286868 [ 71.255283][ C0] R13: ffff88803f1ee724 R14: 1ffff11008650d18 R15: ffff888043286800 [ 71.258062][ C0] FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 71.261647][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.264091][ C0] CR2: 0000000020003e40 CR3: 000000003ac6a000 CR4: 0000000000352ef0 [ 71.267137][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 71.270087][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 71.273143][ C0] Call Trace: [ 71.274442][ C0] [ 71.275665][ C0] ? __warn+0x165/0x4d0 [ 71.277239][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 71.279333][ C0] ? report_bug+0x2b3/0x500 [ 71.281223][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 71.283287][ C0] ? handle_bug+0x60/0x90 [ 71.285005][ C0] ? exc_invalid_op+0x1a/0x50 [ 71.286785][ C0] ? asm_exc_invalid_op+0x1a/0x20 [ 71.288626][ C0] ? __warn_printk+0x292/0x360 [ 71.290853][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 71.293660][ C0] j1939_session_put+0x1ed/0x440 [ 71.295738][ C0] j1939_tp_recv+0x7fe/0x1050 [ 71.297649][ C0] j1939_can_recv+0x732/0xb20 [ 71.299469][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 71.301686][ C0] ? __lock_acquire+0x1397/0x2100 [ 71.303883][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 71.306103][ C0] can_rcv_filter+0x359/0x7f0 [ 71.307862][ C0] can_receive+0x327/0x480 [ 71.309500][ C0] ? can_receive+0x1c9/0x480 [ 71.311315][ C0] can_rcv+0x144/0x260 [ 71.312892][ C0] ? __pfx_can_rcv+0x10/0x10 [ 71.314588][ C0] __netif_receive_skb+0x2e0/0x650 [ 71.316607][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 71.318514][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 71.320669][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 71.323089][ C0] ? __pfx_lock_release+0x10/0x10 [ 71.324951][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 71.326952][ C0] process_backlog+0x662/0x15b0 [ 71.328816][ C0] ? process_backlog+0x33b/0x15b0 [ 71.330676][ C0] ? __pfx_process_backlog+0x10/0x10 [ 71.332720][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 71.334880][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 71.337448][ C0] __napi_poll+0xcb/0x490 [ 71.339120][ C0] net_rx_action+0x89b/0x1240 [ 71.340909][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 71.343028][ C0] ? rcu_qs+0xf1/0x190 [ 71.344588][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 71.347040][ C0] handle_softirqs+0x2d4/0x9b0 [ 71.349059][ C0] ? run_ksoftirqd+0xca/0x130 [ 71.351362][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 71.353560][ C0] run_ksoftirqd+0xca/0x130 [ 71.355183][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 71.357008][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 71.358961][ C0] smpboot_thread_fn+0x544/0xa30 [ 71.360887][ C0] ? smpboot_thread_fn+0x4e/0xa30 [ 71.362698][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 71.364589][ C0] kthread+0x2f0/0x390 [ 71.365988][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 71.368077][ C0] ? __pfx_kthread+0x10/0x10 [ 71.369876][ C0] ret_from_fork+0x4b/0x80 [ 71.371694][ C0] ? __pfx_kthread+0x10/0x10 [ 71.373461][ C0] ret_from_fork_asm+0x1a/0x30 [ 71.375348][ C0] [ 71.376566][ C0] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 71.379287][ C0] CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0 [ 71.383247][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 71.387268][ C0] Call Trace: [ 71.388585][ C0] [ 71.389758][ C0] dump_stack_lvl+0x241/0x360 [ 71.391589][ C0] ? __pfx_dump_stack_lvl+0x10/0x10 [ 71.393571][ C0] ? __pfx__printk+0x10/0x10 [ 71.395422][ C0] ? _printk+0xd5/0x120 [ 71.397083][ C0] ? __init_begin+0x41000/0x41000 [ 71.399015][ C0] ? vscnprintf+0x5d/0x90 [ 71.400715][ C0] panic+0x349/0x880 [ 71.402221][ C0] ? __warn+0x174/0x4d0 [ 71.403836][ C0] ? __pfx_panic+0x10/0x10 [ 71.405630][ C0] ? ret_from_fork_asm+0x1a/0x30 [ 71.407540][ C0] __warn+0x344/0x4d0 [ 71.409081][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 71.411113][ C0] report_bug+0x2b3/0x500 [ 71.412746][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 71.414826][ C0] handle_bug+0x60/0x90 [ 71.416340][ C0] exc_invalid_op+0x1a/0x50 [ 71.418099][ C0] asm_exc_invalid_op+0x1a/0x20 [ 71.420120][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 71.422520][ C0] Code: e0 1e 5f 8c e8 87 c5 95 fc 90 0f 0b 90 90 eb 99 e8 2b 1e d5 fc c6 05 6d 2c 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 67 c5 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 08 1e d5 fc c6 05 47 2c 39 0b 01 90 [ 71.429828][ C0] RSP: 0018:ffffc9000042f4c0 EFLAGS: 00010246 [ 71.432168][ C0] RAX: 1c352f075146b500 RBX: ffff88803f1ee724 RCX: ffff88801cad8000 [ 71.435243][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 71.438229][ C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: 1ffff11003f8519a [ 71.441153][ C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888043286868 [ 71.444050][ C0] R13: ffff88803f1ee724 R14: 1ffff11008650d18 R15: ffff888043286800 [ 71.447190][ C0] ? __warn_printk+0x292/0x360 [ 71.449094][ C0] j1939_session_put+0x1ed/0x440 [ 71.451172][ C0] j1939_tp_recv+0x7fe/0x1050 [ 71.452928][ C0] j1939_can_recv+0x732/0xb20 [ 71.454757][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 71.456789][ C0] ? __lock_acquire+0x1397/0x2100 [ 71.458704][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 71.460775][ C0] can_rcv_filter+0x359/0x7f0 [ 71.462541][ C0] can_receive+0x327/0x480 [ 71.464283][ C0] ? can_receive+0x1c9/0x480 [ 71.466070][ C0] can_rcv+0x144/0x260 [ 71.467655][ C0] ? __pfx_can_rcv+0x10/0x10 [ 71.469479][ C0] __netif_receive_skb+0x2e0/0x650 [ 71.471481][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 71.473450][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 71.475694][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 71.477826][ C0] ? __pfx_lock_release+0x10/0x10 [ 71.479820][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 71.481939][ C0] process_backlog+0x662/0x15b0 [ 71.483812][ C0] ? process_backlog+0x33b/0x15b0 [ 71.485701][ C0] ? __pfx_process_backlog+0x10/0x10 [ 71.487672][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 71.489835][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 71.492278][ C0] __napi_poll+0xcb/0x490 [ 71.493866][ C0] net_rx_action+0x89b/0x1240 [ 71.495708][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 71.497675][ C0] ? rcu_qs+0xf1/0x190 [ 71.499256][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 71.501617][ C0] handle_softirqs+0x2d4/0x9b0 [ 71.503372][ C0] ? run_ksoftirqd+0xca/0x130 [ 71.505142][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 71.507127][ C0] run_ksoftirqd+0xca/0x130 [ 71.508903][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 71.510822][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 71.512719][ C0] smpboot_thread_fn+0x544/0xa30 [ 71.514608][ C0] ? smpboot_thread_fn+0x4e/0xa30 [ 71.516564][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 71.518696][ C0] kthread+0x2f0/0x390 [ 71.520281][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 71.522359][ C0] ? __pfx_kthread+0x10/0x10 [ 71.524124][ C0] ret_from_fork+0x4b/0x80 [ 71.525797][ C0] ? __pfx_kthread+0x10/0x10 [ 71.527517][ C0] ret_from_fork_asm+0x1a/0x30 [ 71.529338][ C0] [ 71.530743][ C0] Kernel Offset: disabled [ 71.532407][ C0] Rebooting in 86400 seconds..