program: r0 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x3, &(0x7f0000000040)=ANY=[@ANYBLOB="1800000000000000000000001300040095"], &(0x7f0000000180)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0xf, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='sched_switch\x00', r0}, 0x10) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f00000190c0)=0x8) r1 = getpid() sched_setscheduler(r1, 0x2, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r2, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r3, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r2, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r4 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$ifreq_SIOCGIFINDEX_vcan(r4, 0x8933, &(0x7f0000000380)={'vcan0\x00', 0x0}) r6 = socket$can_j1939(0x1d, 0x2, 0x7) bind$can_j1939(r6, &(0x7f0000000080)={0x1d, r5}, 0x18) sendmsg$can_j1939(r6, &(0x7f00000001c0)={&(0x7f0000000040), 0x18, &(0x7f0000000180)={&(0x7f00000000c0)="92", 0x1a000}}, 0xee) [ 68.573541][ T4667] Bluetooth: hci0: command tx timeout [ 68.999458][ C0] ------------[ cut here ]------------ [ 69.001690][ C0] refcount_t: underflow; use-after-free. [ 69.004129][ C0] WARNING: CPU: 0 PID: 16 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 [ 69.007458][ C0] Modules linked in: [ 69.008950][ C0] CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0 [ 69.012756][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.016671][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 69.018879][ C0] Code: e0 1e 5f 8c e8 87 c5 95 fc 90 0f 0b 90 90 eb 99 e8 2b 1e d5 fc c6 05 6d 2c 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 67 c5 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 08 1e d5 fc c6 05 47 2c 39 0b 01 90 [ 69.026287][ C0] RSP: 0018:ffffc9000042f460 EFLAGS: 00010246 [ 69.028569][ C0] RAX: 611fb47c35f60c00 RBX: ffff888052aa7224 RCX: ffff88801cae0000 [ 69.031561][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 69.034635][ C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: fffffbfff1cfa210 [ 69.037623][ C0] R10: dffffc0000000000 R11: fffffbfff1cfa210 R12: ffff88804562d400 [ 69.040695][ C0] R13: ffff888052aa7224 R14: ffff88804562d400 R15: ffff888052bc0918 [ 69.043792][ C0] FS: 0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 69.047168][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 69.049634][ C0] CR2: 00007fecde0f9fe0 CR3: 0000000042f8c000 CR4: 0000000000352ef0 [ 69.052662][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 69.055741][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 69.058615][ C0] Call Trace: [ 69.059880][ C0] [ 69.061029][ C0] ? __warn+0x165/0x4d0 [ 69.062634][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 69.064921][ C0] ? report_bug+0x2b3/0x500 [ 69.066807][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 69.068986][ C0] ? handle_bug+0x60/0x90 [ 69.070636][ C0] ? exc_invalid_op+0x1a/0x50 [ 69.072477][ C0] ? asm_exc_invalid_op+0x1a/0x20 [ 69.074527][ C0] ? __warn_printk+0x292/0x360 [ 69.076362][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 69.078431][ C0] j1939_xtp_rx_cts+0x552/0xc70 [ 69.080282][ C0] j1939_tp_recv+0x8ae/0x1050 [ 69.082332][ C0] j1939_can_recv+0x732/0xb20 [ 69.084081][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 69.085881][ C0] ? __lock_acquire+0x1397/0x2100 [ 69.087633][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 69.089457][ C0] can_rcv_filter+0x359/0x7f0 [ 69.091097][ C0] can_receive+0x327/0x480 [ 69.092660][ C0] ? can_receive+0x1c9/0x480 [ 69.094356][ C0] can_rcv+0x144/0x260 [ 69.095770][ C0] ? __pfx_can_rcv+0x10/0x10 [ 69.097420][ C0] __netif_receive_skb+0x2e0/0x650 [ 69.099425][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 69.101353][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 69.103600][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 69.105888][ C0] ? __pfx_lock_release+0x10/0x10 [ 69.107822][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 69.109763][ C0] process_backlog+0x662/0x15b0 [ 69.111621][ C0] ? process_backlog+0x33b/0x15b0 [ 69.113605][ C0] ? __pfx_process_backlog+0x10/0x10 [ 69.115628][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 69.117945][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.120317][ C0] __napi_poll+0xcb/0x490 [ 69.121994][ C0] net_rx_action+0x89b/0x1240 [ 69.123902][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 69.125868][ C0] ? rcu_qs+0xf1/0x190 [ 69.127460][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.129853][ C0] handle_softirqs+0x2d4/0x9b0 [ 69.131750][ C0] ? run_ksoftirqd+0xca/0x130 [ 69.133647][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 69.135674][ C0] run_ksoftirqd+0xca/0x130 [ 69.137381][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 69.139278][ C0] ? __pfx_ksoftirqd_should_run+0x10/0x10 [ 69.141484][ C0] ? smpboot_thread_fn+0x2d3/0xa30 [ 69.143409][ C0] ? smpboot_thread_fn+0x4fb/0xa30 [ 69.145411][ C0] ? smpboot_thread_fn+0x656/0xa30 [ 69.147347][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 69.149290][ C0] smpboot_thread_fn+0x544/0xa30 [ 69.151137][ C0] ? smpboot_thread_fn+0x4e/0xa30 [ 69.153127][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 69.155301][ C0] kthread+0x2f0/0x390 [ 69.158813][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 69.160951][ C0] ? __pfx_kthread+0x10/0x10 [ 69.162741][ C0] ret_from_fork+0x4b/0x80 [ 69.164571][ C0] ? __pfx_kthread+0x10/0x10 [ 69.166346][ C0] ret_from_fork_asm+0x1a/0x30 [ 69.168170][ C0] [ 69.169387][ C0] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 69.172136][ C0] CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0 [ 69.176201][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.180225][ C0] Call Trace: [ 69.181573][ C0] [ 69.182716][ C0] dump_stack_lvl+0x241/0x360 [ 69.184507][ C0] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.186477][ C0] ? __pfx__printk+0x10/0x10 [ 69.188190][ C0] ? _printk+0xd5/0x120 [ 69.189835][ C0] ? __init_begin+0x41000/0x41000 [ 69.191785][ C0] ? vscnprintf+0x5d/0x90 [ 69.193477][ C0] panic+0x349/0x880 [ 69.195003][ C0] ? __warn+0x174/0x4d0 [ 69.196629][ C0] ? __pfx_panic+0x10/0x10 [ 69.198395][ C0] ? ret_from_fork_asm+0x1a/0x30 [ 69.200283][ C0] __warn+0x344/0x4d0 [ 69.201831][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 69.203956][ C0] report_bug+0x2b3/0x500 [ 69.205638][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 69.207721][ C0] handle_bug+0x60/0x90 [ 69.209298][ C0] exc_invalid_op+0x1a/0x50 [ 69.210982][ C0] asm_exc_invalid_op+0x1a/0x20 [ 69.212843][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 69.215177][ C0] Code: e0 1e 5f 8c e8 87 c5 95 fc 90 0f 0b 90 90 eb 99 e8 2b 1e d5 fc c6 05 6d 2c 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 67 c5 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 08 1e d5 fc c6 05 47 2c 39 0b 01 90 [ 69.222214][ C0] RSP: 0018:ffffc9000042f460 EFLAGS: 00010246 [ 69.224426][ C0] RAX: 611fb47c35f60c00 RBX: ffff888052aa7224 RCX: ffff88801cae0000 [ 69.227372][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 69.230409][ C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: fffffbfff1cfa210 [ 69.233420][ C0] R10: dffffc0000000000 R11: fffffbfff1cfa210 R12: ffff88804562d400 [ 69.236440][ C0] R13: ffff888052aa7224 R14: ffff88804562d400 R15: ffff888052bc0918 [ 69.239445][ C0] ? __warn_printk+0x292/0x360 [ 69.241305][ C0] j1939_xtp_rx_cts+0x552/0xc70 [ 69.243195][ C0] j1939_tp_recv+0x8ae/0x1050 [ 69.245008][ C0] j1939_can_recv+0x732/0xb20 [ 69.246840][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 69.248805][ C0] ? __lock_acquire+0x1397/0x2100 [ 69.250572][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 69.252407][ C0] can_rcv_filter+0x359/0x7f0 [ 69.254146][ C0] can_receive+0x327/0x480 [ 69.255869][ C0] ? can_receive+0x1c9/0x480 [ 69.257666][ C0] can_rcv+0x144/0x260 [ 69.259193][ C0] ? __pfx_can_rcv+0x10/0x10 [ 69.260892][ C0] __netif_receive_skb+0x2e0/0x650 [ 69.262919][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 69.264827][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 69.266921][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 69.269269][ C0] ? __pfx_lock_release+0x10/0x10 [ 69.271286][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 69.273282][ C0] process_backlog+0x662/0x15b0 [ 69.275139][ C0] ? process_backlog+0x33b/0x15b0 [ 69.277066][ C0] ? __pfx_process_backlog+0x10/0x10 [ 69.278982][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 69.281077][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.283376][ C0] __napi_poll+0xcb/0x490 [ 69.285085][ C0] net_rx_action+0x89b/0x1240 [ 69.286869][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 69.288840][ C0] ? rcu_qs+0xf1/0x190 [ 69.290416][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 69.292882][ C0] handle_softirqs+0x2d4/0x9b0 [ 69.294664][ C0] ? run_ksoftirqd+0xca/0x130 [ 69.296434][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 69.298415][ C0] run_ksoftirqd+0xca/0x130 [ 69.300117][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 69.302021][ C0] ? __pfx_ksoftirqd_should_run+0x10/0x10 [ 69.304110][ C0] ? smpboot_thread_fn+0x2d3/0xa30 [ 69.305907][ C0] ? smpboot_thread_fn+0x4fb/0xa30 [ 69.307675][ C0] ? smpboot_thread_fn+0x656/0xa30 [ 69.309375][ C0] ? __pfx_run_ksoftirqd+0x10/0x10 [ 69.311154][ C0] smpboot_thread_fn+0x544/0xa30 [ 69.313109][ C0] ? smpboot_thread_fn+0x4e/0xa30 [ 69.314823][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 69.316695][ C0] kthread+0x2f0/0x390 [ 69.318171][ C0] ? __pfx_smpboot_thread_fn+0x10/0x10 [ 69.320252][ C0] ? __pfx_kthread+0x10/0x10 [ 69.321995][ C0] ret_from_fork+0x4b/0x80 [ 69.323701][ C0] ? __pfx_kthread+0x10/0x10 [ 69.325490][ C0] ret_from_fork_asm+0x1a/0x30 [ 69.327328][ C0] [ 69.328838][ C0] Kernel Offset: disabled [ 69.330524][ C0] Rebooting in 86400 seconds..