program: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) bind$inet6(r0, &(0x7f0000000500)={0xa, 0x2, 0x0, @empty}, 0x1c) r1 = syz_open_dev$sg(&(0x7f0000000080), 0xf9ba, 0x14b082) write$binfmt_aout(r1, &(0x7f0000000840)={{0x108, 0x7, 0xa4, 0x20d, 0x27c, 0xa, 0x310}, "84117b9c9707d52dae1447d1d0411c741b84a955a1e9635a"}, 0x38) ioctl$SG_IO(r1, 0x2285, &(0x7f0000000580)={0x53, 0x0, 0x6, 0x4, @buffer={0x0, 0x1004, &(0x7f00000018c0)=""/4100}, &(0x7f0000000440)="1518a7a093f1", 0x0, 0x84, 0x10005, 0x0, 0x0}) shutdown(r0, 0x1) listen(r0, 0x0) r2 = socket$inet6_mptcp(0xa, 0x1, 0x106) r3 = socket(0x10, 0x3, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'lo\x00', 0x0}) r6 = eventfd2(0x0, 0x0) r7 = socket$can_j1939(0x1d, 0x2, 0x7) r8 = socket$nl_route(0x10, 0x3, 0x0) r9 = openat$vcsu(0xffffffffffffff9c, &(0x7f00000000c0), 0x101000, 0x0) accept4$tipc(r9, &(0x7f0000000100)=@id, &(0x7f0000000180)=0x10, 0x0) r10 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000340), 0x0, 0x0) ioctl$FBIOPUT_VSCREENINFO(r10, 0x4601, &(0x7f0000000940)={0x60, 0x124, 0x690, 0x0, 0x4, 0x20, 0x0, 0x0, {}, {}, {}, {0x0, 0xfffffffc, 0x20}, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, 0xfffffffe, 0x0, 0x0, 0x0, 0x9}) dup3(r7, r6, 0x0) setsockopt$sock_int(r7, 0x1, 0x6, &(0x7f0000000040)=0x1, 0x4) ioctl$ifreq_SIOCGIFINDEX_vcan(r8, 0x8933, &(0x7f0000000000)={'vcan0\x00', 0x0}) bind$can_j1939(r7, &(0x7f0000000240)={0x1d, r11, 0x0, {0x0, 0x0, 0x4}}, 0x18) write$binfmt_aout(r6, &(0x7f0000002e80)={{0x10b, 0x56, 0x4e, 0x360, 0x277, 0x7, 0x2b3, 0x1}, "4cecb1633acc8e1e1098b7bd64cf7c13f3297b892c9f461f126188ba5b8ef9ac6a1404025df7964f20177d4545a4881928dd9c37c3464bd192cca651a154eb5dc2933afaf58a026750ebd850fcd552bf7aad54a604c7f80782601accd14bce0050679430824be5b81677ef0d2c84fa0cbc63f499acd7f430d730b8789986b6f2438a8d83f4205b99f10809bf36d13be2db1c777f3aec0ee85c2416c3e48da4752966c66d22546c6b93a3cd3ca473eb66c831dea8f920b7c02b5dc52012bbb02c84e6299779f25f5239bae192f67d5530833654a35ebc2ea4768c962504b14b41ccea938606b8fda8a76b67287e04efa912eca57f94c584990015711b65ab94487644bcc4a58582697ff9cafa2a9fe9a8534f1eba2cbdc2de7bdcdc7a7c150e88060b4590eb26f487aca5d31c97ead4a990ced7d83b65f60eeca4ce5c8aaefac349584fadb021ebb9a07f355eb56c77c3064817f4ca1104508096d26c2b3b5527fbf2197d76610742393fb0a8ce42167b0d79df3161f7168deb2b054008033f61689d74acf8e6c049fdde47643fd86970c12a4f1c8ea8319588967c05e344f8309459ee161c4a3df23d93c2a42230ac8012a812a5b3c21407fa3647e159310ba395591df23230988e7d7dd5b62ae7b6f83862f85f1b07b97046d9d8af1457efd3d771975726a84abe662093a06c8545881acbe78be5d6d9fa42f520de1b9aafc6ae71b8880a08d074b681f2826ea4f213d8ff7c872115abcb5161c58e13fa0775d25bde4259e3a47052354177ba80b6b31b76d1a3505ba8ebc8d9fcb26dba13c383ee70500821bd79dfbaf1a38964ae2c24f787048d91fb23dc5065935d5400c4afb8ac52c0583015e93854363ca84e4850777b461cbc811aa3c2fa0c36c7ee808f127b3c28f74737a469704be5901c683e04d437f243b85316a330e9b92b362b03fb2445a7900f818061e778db350473dee9fff3de1452c052585f94eff031fce8a6d895f1997a2b7ee9447365543dc80689f2caca26606fbe35f56f3ce0d9f983c5e5ec8076a1aa784f980e804f3acaef4ef1d1433490a6e27ce3772e11fb6fefe13970266d7de03689a1c451060177f88d1ab2a8c1c8fcd17ca1043d1fd177fa0296f6798068e48533f3bc0b692b8aab27fe3cff87881bfce85b452805c1839daffdd85b4e044f5630017bb65c6326b0286d05168dbabe8e50d6574e1eac2570e0bb2c8a0ffa7a1da74b903247fc5413cd73d80f8336abf2c5b3c04c4a3155539607666d11442ec076de91f60a717f4f67eab6a11f0533dc72c5fafae05465c08eb18459defd58d24b02e55530ee3d741bf0ee57ace1901853cd13b4305dff65f8667654e5578b0002012dd7066c3f76c7d7398d0826665683"}, 0x3fa) getgroups(0xffffffffffffffdb, &(0x7f00000001c0)=[0x0, 0xee00, 0x0]) sendmsg$nl_route_sched(r3, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000140)=@newqdisc={0x3c, 0x24, 0xf0b, 0x0, 0x0, {0x60, 0x0, 0x0, r5, {0x0, 0x10}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_cake={{0x9}, {0xc, 0x2, [@TCA_CAKE_OVERHEAD={0x8, 0x6, 0xc1}]}}]}, 0x3c}}, 0x0) sendto$inet6(r2, &(0x7f0000000940)="a5", 0x1, 0x20004002, &(0x7f0000b63fe4)={0xa, 0x2}, 0x1c) [ 81.131675][ T5300] Bluetooth: hci0: command tx timeout [ 81.136370][ T1308] ieee802154 phy0 wpan0: encryption failed: -22 [ 81.140705][ T1308] ieee802154 phy1 wpan1: encryption failed: -22 [ 81.238019][ T5313] sg_write: data in/out 489/4 bytes for SCSI command 0x97-- guessing data in; [ 81.238019][ T5313] program syz.0.0 not setting count and/or reply_len properly [ 81.291274][ T9] cfg80211: failed to load regulatory.db [ 81.298594][ C0] TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:2. Sending cookies. [ 83.190801][ T4661] Bluetooth: hci0: command tx timeout [ 84.133751][ T5312] ------------[ cut here ]------------ [ 84.135625][ T5312] refcount_t: underflow; use-after-free. [ 84.137540][ T5312] WARNING: CPU: 0 PID: 5312 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 [ 84.140949][ T5312] Modules linked in: [ 84.142505][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: syz.0.0 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 [ 84.146263][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 84.150584][ T5312] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 84.152920][ T5312] Code: e0 1e 5f 8c e8 07 c1 95 fc 90 0f 0b 90 90 eb 99 e8 ab 19 d5 fc c6 05 ed 27 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 e7 c0 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 88 19 d5 fc c6 05 c7 27 39 0b 01 90 [ 84.160098][ T5312] RSP: 0018:ffffc9000d347b58 EFLAGS: 00010246 [ 84.162372][ T5312] RAX: 16c9c3526c763c00 RBX: ffff888032f99864 RCX: ffff888000e10000 [ 84.165132][ T5312] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 84.167983][ T5312] RBP: 0000000000000003 R08: ffffffff81601c02 R09: 1ffff11003f8519a [ 84.171089][ T5312] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff88804032c068 [ 84.173884][ T5312] R13: ffff888032f99864 R14: 1ffff11008065818 R15: ffff88804032c000 [ 84.176870][ T5312] FS: 000055555b296500(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 84.180712][ T5312] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 84.183412][ T5312] CR2: 00007f95282d49a0 CR3: 0000000042ec0000 CR4: 0000000000352ef0 [ 84.186447][ T5312] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 84.189575][ T5312] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 84.192819][ T5312] Call Trace: [ 84.194031][ T5312] [ 84.195248][ T5312] ? __warn+0x165/0x4d0 [ 84.196863][ T5312] ? refcount_warn_saturate+0x15a/0x1d0 [ 84.199109][ T5312] ? report_bug+0x2b3/0x500 [ 84.200985][ T5312] ? refcount_warn_saturate+0x15a/0x1d0 [ 84.203113][ T5312] ? handle_bug+0x60/0x90 [ 84.204873][ T5312] ? exc_invalid_op+0x1a/0x50 [ 84.206715][ T5312] ? asm_exc_invalid_op+0x1a/0x20 [ 84.208636][ T5312] ? __warn_printk+0x292/0x360 [ 84.210590][ T5312] ? refcount_warn_saturate+0x15a/0x1d0 [ 84.212739][ T5312] ? refcount_warn_saturate+0x159/0x1d0 [ 84.214902][ T5312] j1939_session_put+0x1ed/0x440 [ 84.216846][ T5312] j1939_sk_queue_drop_all+0x191/0x240 [ 84.219089][ T5312] j1939_sk_release+0x2ae/0x670 [ 84.221071][ T5312] ? __pfx_j1939_sk_release+0x10/0x10 [ 84.223148][ T5312] ? __pfx_autoremove_wake_function+0x10/0x10 [ 84.225544][ T5312] ? __pfx_down_write+0x10/0x10 [ 84.227577][ T5312] sock_close+0xbc/0x240 [ 84.229206][ T5312] ? __pfx_sock_close+0x10/0x10 [ 84.231062][ T5312] __fput+0x23c/0xa50 [ 84.232535][ T5312] task_work_run+0x24f/0x310 [ 84.234186][ T5312] ? _raw_spin_unlock+0x28/0x50 [ 84.235950][ T5312] ? __pfx_task_work_run+0x10/0x10 [ 84.237800][ T5312] ? syscall_exit_to_user_mode+0xa3/0x340 [ 84.240084][ T5312] syscall_exit_to_user_mode+0x13f/0x340 [ 84.242442][ T5312] do_syscall_64+0x100/0x230 [ 84.244207][ T5312] ? clear_bhb_loop+0x35/0x90 [ 84.246030][ T5312] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.248682][ T5312] RIP: 0033:0x7f952757ff19 [ 84.250784][ T5312] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 84.258299][ T5312] RSP: 002b:00007fffd81c4578 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 84.261456][ T5312] RAX: 0000000000000000 RBX: 0000000000013cb3 RCX: 00007f952757ff19 [ 84.264347][ T5312] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 84.267165][ T5312] RBP: 00007f9527747ba0 R08: 0000000000000001 R09: 00007fffd81c485f [ 84.269897][ T5312] R10: 00007f95273ff02c R11: 0000000000000246 R12: 0000000000013d07 [ 84.272786][ T5312] R13: 00007f9527745fa0 R14: 0000000000000032 R15: ffffffffffffffff [ 84.275645][ T5312] [ 84.276772][ T5312] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 84.279499][ T5312] CPU: 0 UID: 0 PID: 5312 Comm: syz.0.0 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 [ 84.283321][ T5312] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 84.287233][ T5312] Call Trace: [ 84.288493][ T5312] [ 84.289588][ T5312] dump_stack_lvl+0x241/0x360 [ 84.291381][ T5312] ? __pfx_dump_stack_lvl+0x10/0x10 [ 84.293304][ T5312] ? __pfx__printk+0x10/0x10 [ 84.295053][ T5312] ? vscnprintf+0x5d/0x90 [ 84.296635][ T5312] panic+0x349/0x880 [ 84.298044][ T5312] ? __warn+0x174/0x4d0 [ 84.299636][ T5312] ? __pfx_panic+0x10/0x10 [ 84.301370][ T5312] __warn+0x344/0x4d0 [ 84.302798][ T5312] ? refcount_warn_saturate+0x15a/0x1d0 [ 84.304896][ T5312] report_bug+0x2b3/0x500 [ 84.306483][ T5312] ? refcount_warn_saturate+0x15a/0x1d0 [ 84.308373][ T5312] handle_bug+0x60/0x90 [ 84.309923][ T5312] exc_invalid_op+0x1a/0x50 [ 84.311637][ T5312] asm_exc_invalid_op+0x1a/0x20 [ 84.313432][ T5312] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 84.315605][ T5312] Code: e0 1e 5f 8c e8 07 c1 95 fc 90 0f 0b 90 90 eb 99 e8 ab 19 d5 fc c6 05 ed 27 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 e7 c0 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 88 19 d5 fc c6 05 c7 27 39 0b 01 90 [ 84.322876][ T5312] RSP: 0018:ffffc9000d347b58 EFLAGS: 00010246 [ 84.325053][ T5312] RAX: 16c9c3526c763c00 RBX: ffff888032f99864 RCX: ffff888000e10000 [ 84.327899][ T5312] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 84.330860][ T5312] RBP: 0000000000000003 R08: ffffffff81601c02 R09: 1ffff11003f8519a [ 84.333543][ T5312] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff88804032c068 [ 84.336457][ T5312] R13: ffff888032f99864 R14: 1ffff11008065818 R15: ffff88804032c000 [ 84.339418][ T5312] ? __warn_printk+0x292/0x360 [ 84.341187][ T5312] ? refcount_warn_saturate+0x159/0x1d0 [ 84.343204][ T5312] j1939_session_put+0x1ed/0x440 [ 84.345149][ T5312] j1939_sk_queue_drop_all+0x191/0x240 [ 84.347222][ T5312] j1939_sk_release+0x2ae/0x670 [ 84.349054][ T5312] ? __pfx_j1939_sk_release+0x10/0x10 [ 84.350952][ T5312] ? __pfx_autoremove_wake_function+0x10/0x10 [ 84.353035][ T5312] ? __pfx_down_write+0x10/0x10 [ 84.354739][ T5312] sock_close+0xbc/0x240 [ 84.356268][ T5312] ? __pfx_sock_close+0x10/0x10 [ 84.357854][ T5312] __fput+0x23c/0xa50 [ 84.359250][ T5312] task_work_run+0x24f/0x310 [ 84.360806][ T5312] ? _raw_spin_unlock+0x28/0x50 [ 84.362471][ T5312] ? __pfx_task_work_run+0x10/0x10 [ 84.364233][ T5312] ? syscall_exit_to_user_mode+0xa3/0x340 [ 84.366209][ T5312] syscall_exit_to_user_mode+0x13f/0x340 [ 84.368230][ T5312] do_syscall_64+0x100/0x230 [ 84.370007][ T5312] ? clear_bhb_loop+0x35/0x90 [ 84.371704][ T5312] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.373782][ T5312] RIP: 0033:0x7f952757ff19 [ 84.375395][ T5312] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 84.382003][ T5312] RSP: 002b:00007fffd81c4578 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 84.384977][ T5312] RAX: 0000000000000000 RBX: 0000000000013cb3 RCX: 00007f952757ff19 [ 84.387827][ T5312] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 84.390584][ T5312] RBP: 00007f9527747ba0 R08: 0000000000000001 R09: 00007fffd81c485f [ 84.393303][ T5312] R10: 00007f95273ff02c R11: 0000000000000246 R12: 0000000000013d07 [ 84.396326][ T5312] R13: 00007f9527745fa0 R14: 0000000000000032 R15: ffffffffffffffff [ 84.399249][ T5312] [ 84.400607][ T5312] Kernel Offset: disabled [ 84.402135][ T5312] Rebooting in 86400 seconds..