program: syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="1800000000000000000000001300040095"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0xf, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r0}, 0x10) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, 0x0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f00000190c0)=0x8) r1 = getpid() sched_setscheduler(r1, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r4 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000380)={'vcan0\x00', 0x0}) r6 = socket$can_j1939(0x1d, 0x2, 0x7) bind$can_j1939(r6, &(0x7f0000000080)={0x1d, r5}, 0x18) sendmsg$can_j1939(r6, &(0x7f00000001c0)={&(0x7f0000000040), 0x18, &(0x7f0000000180)={&(0x7f00000000c0)="92", 0x1a000}}, 0xee) sendmsg$can_j1939(r6, &(0x7f00000002c0)={&(0x7f0000000200), 0x18, &(0x7f0000000280)={0x0}}, 0x0) r7 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r7, &(0x7f0000000180)={0x0, 0x0, 0x0}, 0x0) timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) socket$inet6_sctp(0xa, 0x5, 0x84) r8 = getpid() sched_setaffinity(0x0, 0x8, &(0x7f00000002c0)=0x5) sched_setscheduler(r8, 0x2, &(0x7f0000000000)=0x3) syz_open_dev$sndctrl(0x0, 0x0, 0x0) [ 67.948728][ T5299] Bluetooth: hci0: command tx timeout [ 68.356887][ C0] ------------[ cut here ]------------ [ 68.359275][ C0] refcount_t: underflow; use-after-free. [ 68.361761][ C0] WARNING: CPU: 0 PID: 5315 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 [ 68.365586][ C0] Modules linked in: [ 68.366974][ C0] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-11716-gd8b78066f4c9 #0 [ 68.370843][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.374719][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 68.377203][ C0] Code: 60 13 61 8c e8 27 e1 95 fc 90 0f 0b 90 90 eb 99 e8 3b 39 d5 fc c6 05 4c 2d 47 0b 01 90 48 c7 c7 c0 13 61 8c e8 07 e1 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 18 39 d5 fc c6 05 26 2d 47 0b 01 90 [ 68.384499][ C0] RSP: 0018:ffffc900000076c0 EFLAGS: 00010246 [ 68.386937][ C0] RAX: 02fb29e56a92d400 RBX: ffff88803f1ecae4 RCX: ffff88801f1a4880 [ 68.389928][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 68.393041][ C0] RBP: 0000000000000003 R08: ffffffff81568c02 R09: 1ffff11003f8519a [ 68.396221][ C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888045922000 [ 68.399424][ C0] R13: ffff88803f1ecae4 R14: ffff888045922000 R15: ffff888053e3cf18 [ 68.402312][ C0] FS: 00007ff20bd4c6c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 68.405458][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 68.407928][ C0] CR2: 00007ff20bd4bfe0 CR3: 0000000042dbc000 CR4: 0000000000352ef0 [ 68.410461][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 68.413173][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 68.415837][ C0] Call Trace: [ 68.417085][ C0] [ 68.418092][ C0] ? __warn+0x165/0x4d0 [ 68.419531][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 68.421536][ C0] ? report_bug+0x2b3/0x500 [ 68.423195][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 68.425319][ C0] ? handle_bug+0x60/0x90 [ 68.427124][ C0] ? exc_invalid_op+0x1a/0x50 [ 68.428944][ C0] ? asm_exc_invalid_op+0x1a/0x20 [ 68.430791][ C0] ? __warn_printk+0x292/0x360 [ 68.432672][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 68.434827][ C0] j1939_xtp_rx_cts+0x552/0xc70 [ 68.436853][ C0] j1939_tp_recv+0x8ae/0x1050 [ 68.438568][ C0] j1939_can_recv+0x732/0xb20 [ 68.440327][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 68.442155][ C0] ? __lock_acquire+0x1397/0x2100 [ 68.444046][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 68.445970][ C0] can_rcv_filter+0x359/0x7f0 [ 68.447871][ C0] can_receive+0x327/0x480 [ 68.449553][ C0] ? can_receive+0x1c9/0x480 [ 68.451366][ C0] can_rcv+0x144/0x260 [ 68.452892][ C0] ? __pfx_can_rcv+0x10/0x10 [ 68.454599][ C0] __netif_receive_skb+0x2e0/0x650 [ 68.456567][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 68.458572][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 68.460668][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 68.462992][ C0] ? __pfx_lock_release+0x10/0x10 [ 68.464831][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 68.466878][ C0] process_backlog+0x662/0x15b0 [ 68.468925][ C0] ? process_backlog+0x33b/0x15b0 [ 68.470796][ C0] ? __pfx_process_backlog+0x10/0x10 [ 68.472754][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 68.475024][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.477393][ C0] __napi_poll+0xcb/0x490 [ 68.478991][ C0] net_rx_action+0x89b/0x1240 [ 68.481005][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 68.482811][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 68.485003][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.487393][ C0] handle_softirqs+0x2d4/0x9b0 [ 68.489315][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 68.491378][ C0] ? do_softirq+0x11b/0x1e0 [ 68.493072][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 68.495000][ C0] do_softirq+0x11b/0x1e0 [ 68.496638][ C0] [ 68.497744][ C0] [ 68.498902][ C0] ? __pfx_do_softirq+0x10/0x10 [ 68.500743][ C0] ? __pfx_lockdep_softirqs_on+0x10/0x10 [ 68.502787][ C0] ? j1939_sk_sendmsg+0x1293/0x14c0 [ 68.504605][ C0] ? rcu_is_watching+0x15/0xb0 [ 68.506373][ C0] __local_bh_enable_ip+0x1bb/0x200 [ 68.508246][ C0] ? j1939_sk_sendmsg+0x1293/0x14c0 [ 68.510166][ C0] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 68.512365][ C0] j1939_sk_sendmsg+0x1293/0x14c0 [ 68.514277][ C0] ? aa_sk_perm+0x96d/0xab0 [ 68.516000][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 68.518084][ C0] ? __import_iovec+0x590/0x870 [ 68.519949][ C0] ? aa_sock_msg_perm+0x91/0x160 [ 68.521836][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 68.523848][ C0] __sock_sendmsg+0x221/0x270 [ 68.525611][ C0] ____sys_sendmsg+0x52a/0x7e0 [ 68.527448][ C0] ? __pfx_____sys_sendmsg+0x10/0x10 [ 68.529375][ C0] ? __fget_files+0x2a/0x410 [ 68.531166][ C0] ? __fget_files+0x2a/0x410 [ 68.532955][ C0] __sys_sendmsg+0x269/0x350 [ 68.534766][ C0] ? __pfx___sys_sendmsg+0x10/0x10 [ 68.536841][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.539299][ C0] ? do_syscall_64+0x100/0x230 [ 68.541111][ C0] ? do_syscall_64+0xb6/0x230 [ 68.542910][ C0] do_syscall_64+0xf3/0x230 [ 68.544721][ C0] ? clear_bhb_loop+0x35/0x90 [ 68.546569][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.548821][ C0] RIP: 0033:0x7ff20af80849 [ 68.550469][ C0] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.557443][ C0] RSP: 002b:00007ff20bd4c058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 68.560395][ C0] RAX: ffffffffffffffda RBX: 00007ff20b146160 RCX: 00007ff20af80849 [ 68.563169][ C0] RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000009 [ 68.565987][ C0] RBP: 00007ff20aff3986 R08: 0000000000000000 R09: 0000000000000000 [ 68.569063][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.571847][ C0] R13: 0000000000000000 R14: 00007ff20b146160 R15: 00007ffc05324c88 [ 68.574789][ C0] [ 68.575962][ C0] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 68.578688][ C0] CPU: 0 UID: 0 PID: 5315 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-11716-gd8b78066f4c9 #0 [ 68.582130][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.586267][ C0] Call Trace: [ 68.587559][ C0] [ 68.588687][ C0] dump_stack_lvl+0x241/0x360 [ 68.590411][ C0] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.592228][ C0] ? __pfx__printk+0x10/0x10 [ 68.593810][ C0] ? _printk+0xd5/0x120 [ 68.595284][ C0] ? __init_begin+0x41000/0x41000 [ 68.596971][ C0] ? vscnprintf+0x5d/0x90 [ 68.598478][ C0] panic+0x349/0x880 [ 68.599882][ C0] ? __warn+0x174/0x4d0 [ 68.601144][ C0] ? __pfx_panic+0x10/0x10 [ 68.602583][ C0] __warn+0x344/0x4d0 [ 68.603822][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 68.605664][ C0] report_bug+0x2b3/0x500 [ 68.607257][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 68.609317][ C0] handle_bug+0x60/0x90 [ 68.610812][ C0] exc_invalid_op+0x1a/0x50 [ 68.612411][ C0] asm_exc_invalid_op+0x1a/0x20 [ 68.614133][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 68.616332][ C0] Code: 60 13 61 8c e8 27 e1 95 fc 90 0f 0b 90 90 eb 99 e8 3b 39 d5 fc c6 05 4c 2d 47 0b 01 90 48 c7 c7 c0 13 61 8c e8 07 e1 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 18 39 d5 fc c6 05 26 2d 47 0b 01 90 [ 68.623472][ C0] RSP: 0018:ffffc900000076c0 EFLAGS: 00010246 [ 68.625810][ C0] RAX: 02fb29e56a92d400 RBX: ffff88803f1ecae4 RCX: ffff88801f1a4880 [ 68.628836][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 68.631476][ C0] RBP: 0000000000000003 R08: ffffffff81568c02 R09: 1ffff11003f8519a [ 68.634103][ C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888045922000 [ 68.636767][ C0] R13: ffff88803f1ecae4 R14: ffff888045922000 R15: ffff888053e3cf18 [ 68.639611][ C0] ? __warn_printk+0x292/0x360 [ 68.641291][ C0] j1939_xtp_rx_cts+0x552/0xc70 [ 68.643097][ C0] j1939_tp_recv+0x8ae/0x1050 [ 68.644859][ C0] j1939_can_recv+0x732/0xb20 [ 68.646785][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 68.648842][ C0] ? __lock_acquire+0x1397/0x2100 [ 68.650770][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 68.652738][ C0] can_rcv_filter+0x359/0x7f0 [ 68.654536][ C0] can_receive+0x327/0x480 [ 68.656325][ C0] ? can_receive+0x1c9/0x480 [ 68.658114][ C0] can_rcv+0x144/0x260 [ 68.659498][ C0] ? __pfx_can_rcv+0x10/0x10 [ 68.660974][ C0] __netif_receive_skb+0x2e0/0x650 [ 68.662721][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 68.664469][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 68.666409][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 68.668492][ C0] ? __pfx_lock_release+0x10/0x10 [ 68.670252][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 68.672083][ C0] process_backlog+0x662/0x15b0 [ 68.673750][ C0] ? process_backlog+0x33b/0x15b0 [ 68.675675][ C0] ? __pfx_process_backlog+0x10/0x10 [ 68.677611][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 68.679855][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.681912][ C0] __napi_poll+0xcb/0x490 [ 68.683260][ C0] net_rx_action+0x89b/0x1240 [ 68.684903][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 68.686678][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 68.688701][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.690963][ C0] handle_softirqs+0x2d4/0x9b0 [ 68.692503][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 68.694154][ C0] ? do_softirq+0x11b/0x1e0 [ 68.695700][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 68.697512][ C0] do_softirq+0x11b/0x1e0 [ 68.698924][ C0] [ 68.699978][ C0] [ 68.701071][ C0] ? __pfx_do_softirq+0x10/0x10 [ 68.702934][ C0] ? __pfx_lockdep_softirqs_on+0x10/0x10 [ 68.704875][ C0] ? j1939_sk_sendmsg+0x1293/0x14c0 [ 68.706943][ C0] ? rcu_is_watching+0x15/0xb0 [ 68.708756][ C0] __local_bh_enable_ip+0x1bb/0x200 [ 68.710748][ C0] ? j1939_sk_sendmsg+0x1293/0x14c0 [ 68.712510][ C0] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 68.714683][ C0] j1939_sk_sendmsg+0x1293/0x14c0 [ 68.716688][ C0] ? aa_sk_perm+0x96d/0xab0 [ 68.718393][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 68.720338][ C0] ? __import_iovec+0x590/0x870 [ 68.722103][ C0] ? aa_sock_msg_perm+0x91/0x160 [ 68.723839][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 68.725751][ C0] __sock_sendmsg+0x221/0x270 [ 68.727513][ C0] ____sys_sendmsg+0x52a/0x7e0 [ 68.729321][ C0] ? __pfx_____sys_sendmsg+0x10/0x10 [ 68.731378][ C0] ? __fget_files+0x2a/0x410 [ 68.733008][ C0] ? __fget_files+0x2a/0x410 [ 68.734743][ C0] __sys_sendmsg+0x269/0x350 [ 68.736422][ C0] ? __pfx___sys_sendmsg+0x10/0x10 [ 68.738302][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.740619][ C0] ? do_syscall_64+0x100/0x230 [ 68.742376][ C0] ? do_syscall_64+0xb6/0x230 [ 68.744032][ C0] do_syscall_64+0xf3/0x230 [ 68.745600][ C0] ? clear_bhb_loop+0x35/0x90 [ 68.747317][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.749537][ C0] RIP: 0033:0x7ff20af80849 [ 68.751171][ C0] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.758426][ C0] RSP: 002b:00007ff20bd4c058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 68.761677][ C0] RAX: ffffffffffffffda RBX: 00007ff20b146160 RCX: 00007ff20af80849 [ 68.764698][ C0] RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000009 [ 68.767771][ C0] RBP: 00007ff20aff3986 R08: 0000000000000000 R09: 0000000000000000 [ 68.770733][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.773663][ C0] R13: 0000000000000000 R14: 00007ff20b146160 R15: 00007ffc05324c88 [ 68.776470][ C0] [ 68.777668][ C0] Kernel Offset: disabled [ 68.779123][ C0] Rebooting in 86400 seconds..