program: prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x2, &(0x7f00000190c0)=0x8) r0 = getpid() sched_setscheduler(r0, 0x2, &(0x7f0000000200)=0x7) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)={0xffffffffffffffff, 0xffffffffffffffff}) connect$unix(r1, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r2, &(0x7f0000000000), 0x651, 0x0) recvmmsg(r1, &(0x7f00000000c0), 0x10106, 0x2, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$ifreq_SIOCGIFINDEX_vcan(r3, 0x8933, &(0x7f0000000380)={'vcan0\x00', 0x0}) r5 = socket$can_j1939(0x1d, 0x2, 0x7) bind$can_j1939(r5, &(0x7f0000000080)={0x1d, r4}, 0x18) sendmsg$can_j1939(r5, &(0x7f00000001c0)={&(0x7f0000000040), 0x18, &(0x7f0000000180)={&(0x7f00000000c0)="92", 0x1a000}}, 0xee) sendmsg$can_j1939(r5, &(0x7f00000002c0)={&(0x7f0000000200), 0x18, &(0x7f0000000280)={0x0}}, 0x0) [ 71.997739][ T4680] Bluetooth: hci0: command tx timeout [ 72.405737][ C0] ------------[ cut here ]------------ [ 72.408100][ C0] refcount_t: underflow; use-after-free. [ 72.410408][ C0] WARNING: CPU: 0 PID: 5337 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 [ 72.414259][ C0] Modules linked in: [ 72.415970][ C0] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0 [ 72.420117][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 72.424285][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 72.426441][ C0] Code: a0 0f 61 8c e8 57 dc 95 fc 90 0f 0b 90 90 eb 99 e8 3b 36 d5 fc c6 05 0e d4 47 0b 01 90 48 c7 c7 00 10 61 8c e8 37 dc 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 18 36 d5 fc c6 05 e8 d3 47 0b 01 90 [ 72.433822][ C0] RSP: 0018:ffffc900000076e0 EFLAGS: 00010246 [ 72.436104][ C0] RAX: 134eea875a7b4a00 RBX: ffff88803a66c224 RCX: ffff88801f3e0000 [ 72.439152][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 72.442105][ C0] RBP: 0000000000000003 R08: ffffffff815688b2 R09: 1ffff11003f8519a [ 72.445130][ C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888044111400 [ 72.448097][ C0] R13: ffff88803a66c224 R14: ffff888044111400 R15: ffff888052ac4318 [ 72.451000][ C0] FS: 00007f2aef5536c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 72.454194][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 72.456671][ C0] CR2: 00007f2aef552fe0 CR3: 0000000043ae4000 CR4: 0000000000352ef0 [ 72.459856][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 72.462663][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 72.465530][ C0] Call Trace: [ 72.466858][ C0] [ 72.468089][ C0] ? __warn+0x168/0x4e0 [ 72.469564][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 72.471646][ C0] ? report_bug+0x2b3/0x500 [ 72.473407][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 72.475525][ C0] ? handle_bug+0x60/0x90 [ 72.477232][ C0] ? exc_invalid_op+0x1a/0x50 [ 72.479168][ C0] ? asm_exc_invalid_op+0x1a/0x20 [ 72.480995][ C0] ? __warn_printk+0x292/0x360 [ 72.482686][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 72.484603][ C0] j1939_xtp_rx_cts+0x552/0xc70 [ 72.486321][ C0] j1939_tp_recv+0x8ae/0x1050 [ 72.487966][ C0] j1939_can_recv+0x732/0xb20 [ 72.489401][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 72.491085][ C0] ? __lock_acquire+0x1397/0x2100 [ 72.492856][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 72.494845][ C0] can_rcv_filter+0x359/0x7f0 [ 72.496653][ C0] can_receive+0x327/0x480 [ 72.498407][ C0] ? can_receive+0x1c9/0x480 [ 72.500301][ C0] can_rcv+0x144/0x260 [ 72.502092][ C0] ? __pfx_can_rcv+0x10/0x10 [ 72.503853][ C0] __netif_receive_skb+0x2e0/0x650 [ 72.505747][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 72.507717][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 72.509942][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 72.512327][ C0] ? __pfx_lock_release+0x10/0x10 [ 72.514294][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 72.515847][ C0] process_backlog+0x662/0x15b0 [ 72.517762][ C0] ? process_backlog+0x33b/0x15b0 [ 72.519625][ C0] ? __pfx_process_backlog+0x10/0x10 [ 72.521554][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 72.523747][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 72.526105][ C0] __napi_poll+0xcb/0x490 [ 72.527843][ C0] net_rx_action+0x89b/0x1240 [ 72.529585][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 72.531483][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 72.533724][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 72.536251][ C0] handle_softirqs+0x2c5/0x980 [ 72.538212][ C0] ? do_softirq+0x11b/0x1e0 [ 72.540013][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 72.542030][ C0] do_softirq+0x11b/0x1e0 [ 72.543734][ C0] [ 72.544863][ C0] [ 72.545989][ C0] ? __pfx_do_softirq+0x10/0x10 [ 72.547895][ C0] ? __pfx_lockdep_softirqs_on+0x10/0x10 [ 72.550080][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 72.552027][ C0] ? rcu_is_watching+0x15/0xb0 [ 72.553907][ C0] __local_bh_enable_ip+0x1bb/0x200 [ 72.555919][ C0] ? j1939_sk_sendmsg+0x114a/0x14c0 [ 72.558026][ C0] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 72.560130][ C0] j1939_sk_sendmsg+0x114a/0x14c0 [ 72.561970][ C0] ? aa_sk_perm+0x96d/0xab0 [ 72.563703][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 72.565677][ C0] ? __import_iovec+0x590/0x870 [ 72.567466][ C0] ? aa_sock_msg_perm+0x91/0x160 [ 72.569474][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 72.571400][ C0] __sock_sendmsg+0x221/0x270 [ 72.573308][ C0] ____sys_sendmsg+0x52a/0x7e0 [ 72.575189][ C0] ? __pfx_____sys_sendmsg+0x10/0x10 [ 72.577093][ C0] ? __fget_files+0x2a/0x410 [ 72.578694][ C0] ? __fget_files+0x2a/0x410 [ 72.580247][ C0] __sys_sendmsg+0x269/0x350 [ 72.581928][ C0] ? __pfx___sys_sendmsg+0x10/0x10 [ 72.583893][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 72.586298][ C0] ? do_syscall_64+0x100/0x230 [ 72.588282][ C0] ? do_syscall_64+0xb6/0x230 [ 72.590265][ C0] do_syscall_64+0xf3/0x230 [ 72.592221][ C0] ? clear_bhb_loop+0x35/0x90 [ 72.594026][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.596247][ C0] RIP: 0033:0x7f2aee77e819 [ 72.598044][ C0] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.605243][ C0] RSP: 002b:00007f2aef553038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 72.608746][ C0] RAX: ffffffffffffffda RBX: 00007f2aee936160 RCX: 00007f2aee77e819 [ 72.612022][ C0] RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000006 [ 72.615469][ C0] RBP: 00007f2aee7f175e R08: 0000000000000000 R09: 0000000000000000 [ 72.619089][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 72.622318][ C0] R13: 0000000000000000 R14: 00007f2aee936160 R15: 00007ffea13ceb08 [ 72.625559][ C0] [ 72.626840][ C0] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 72.629395][ C0] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0 [ 72.632708][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 72.636483][ C0] Call Trace: [ 72.637788][ C0] [ 72.638908][ C0] dump_stack_lvl+0x241/0x360 [ 72.640717][ C0] ? __pfx_dump_stack_lvl+0x10/0x10 [ 72.642716][ C0] ? __pfx__printk+0x10/0x10 [ 72.644518][ C0] ? vscnprintf+0x5d/0x90 [ 72.646183][ C0] panic+0x349/0x880 [ 72.647675][ C0] ? __warn+0x177/0x4e0 [ 72.649235][ C0] ? __pfx_panic+0x10/0x10 [ 72.650912][ C0] __warn+0x34b/0x4e0 [ 72.652411][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 72.654407][ C0] report_bug+0x2b3/0x500 [ 72.655999][ C0] ? refcount_warn_saturate+0x15a/0x1d0 [ 72.657999][ C0] handle_bug+0x60/0x90 [ 72.659522][ C0] exc_invalid_op+0x1a/0x50 [ 72.661267][ C0] asm_exc_invalid_op+0x1a/0x20 [ 72.663174][ C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 [ 72.665475][ C0] Code: a0 0f 61 8c e8 57 dc 95 fc 90 0f 0b 90 90 eb 99 e8 3b 36 d5 fc c6 05 0e d4 47 0b 01 90 48 c7 c7 00 10 61 8c e8 37 dc 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 18 36 d5 fc c6 05 e8 d3 47 0b 01 90 [ 72.672510][ C0] RSP: 0018:ffffc900000076e0 EFLAGS: 00010246 [ 72.674788][ C0] RAX: 134eea875a7b4a00 RBX: ffff88803a66c224 RCX: ffff88801f3e0000 [ 72.677466][ C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000 [ 72.680218][ C0] RBP: 0000000000000003 R08: ffffffff815688b2 R09: 1ffff11003f8519a [ 72.682976][ C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff888044111400 [ 72.685971][ C0] R13: ffff88803a66c224 R14: ffff888044111400 R15: ffff888052ac4318 [ 72.688970][ C0] ? __warn_printk+0x292/0x360 [ 72.690708][ C0] j1939_xtp_rx_cts+0x552/0xc70 [ 72.692597][ C0] j1939_tp_recv+0x8ae/0x1050 [ 72.694410][ C0] j1939_can_recv+0x732/0xb20 [ 72.696219][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 72.698201][ C0] ? __lock_acquire+0x1397/0x2100 [ 72.700187][ C0] ? __pfx_j1939_can_recv+0x10/0x10 [ 72.702162][ C0] can_rcv_filter+0x359/0x7f0 [ 72.703770][ C0] can_receive+0x327/0x480 [ 72.705386][ C0] ? can_receive+0x1c9/0x480 [ 72.707048][ C0] can_rcv+0x144/0x260 [ 72.708420][ C0] ? __pfx_can_rcv+0x10/0x10 [ 72.709975][ C0] __netif_receive_skb+0x2e0/0x650 [ 72.711720][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 72.713417][ C0] ? __pfx___netif_receive_skb+0x10/0x10 [ 72.715276][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 72.717428][ C0] ? __pfx_lock_release+0x10/0x10 [ 72.719273][ C0] ? _raw_spin_lock_irq+0xdf/0x120 [ 72.721205][ C0] process_backlog+0x662/0x15b0 [ 72.723060][ C0] ? process_backlog+0x33b/0x15b0 [ 72.724885][ C0] ? __pfx_process_backlog+0x10/0x10 [ 72.726916][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 72.729171][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 72.731340][ C0] __napi_poll+0xcb/0x490 [ 72.732793][ C0] net_rx_action+0x89b/0x1240 [ 72.734439][ C0] ? __pfx_net_rx_action+0x10/0x10 [ 72.736330][ C0] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 72.738686][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 72.741093][ C0] handle_softirqs+0x2c5/0x980 [ 72.742972][ C0] ? do_softirq+0x11b/0x1e0 [ 72.744720][ C0] ? __pfx_handle_softirqs+0x10/0x10 [ 72.746737][ C0] do_softirq+0x11b/0x1e0 [ 72.748337][ C0] [ 72.749462][ C0] [ 72.750607][ C0] ? __pfx_do_softirq+0x10/0x10 [ 72.752413][ C0] ? __pfx_lockdep_softirqs_on+0x10/0x10 [ 72.754490][ C0] ? __pfx_lock_acquire+0x10/0x10 [ 72.756379][ C0] ? rcu_is_watching+0x15/0xb0 [ 72.758292][ C0] __local_bh_enable_ip+0x1bb/0x200 [ 72.760372][ C0] ? j1939_sk_sendmsg+0x114a/0x14c0 [ 72.762375][ C0] ? __pfx___local_bh_enable_ip+0x10/0x10 [ 72.764597][ C0] j1939_sk_sendmsg+0x114a/0x14c0 [ 72.766539][ C0] ? aa_sk_perm+0x96d/0xab0 [ 72.768327][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 72.770429][ C0] ? __import_iovec+0x590/0x870 [ 72.772366][ C0] ? aa_sock_msg_perm+0x91/0x160 [ 72.774312][ C0] ? __pfx_j1939_sk_sendmsg+0x10/0x10 [ 72.776438][ C0] __sock_sendmsg+0x221/0x270 [ 72.778319][ C0] ____sys_sendmsg+0x52a/0x7e0 [ 72.780291][ C0] ? __pfx_____sys_sendmsg+0x10/0x10 [ 72.782414][ C0] ? __fget_files+0x2a/0x410 [ 72.784290][ C0] ? __fget_files+0x2a/0x410 [ 72.786179][ C0] __sys_sendmsg+0x269/0x350 [ 72.788022][ C0] ? __pfx___sys_sendmsg+0x10/0x10 [ 72.790015][ C0] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 72.792403][ C0] ? do_syscall_64+0x100/0x230 [ 72.794007][ C0] ? do_syscall_64+0xb6/0x230 [ 72.795469][ C0] do_syscall_64+0xf3/0x230 [ 72.797014][ C0] ? clear_bhb_loop+0x35/0x90 [ 72.798729][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.801021][ C0] RIP: 0033:0x7f2aee77e819 [ 72.802787][ C0] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 72.809886][ C0] RSP: 002b:00007f2aef553038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 72.812947][ C0] RAX: ffffffffffffffda RBX: 00007f2aee936160 RCX: 00007f2aee77e819 [ 72.815997][ C0] RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000006 [ 72.818925][ C0] RBP: 00007f2aee7f175e R08: 0000000000000000 R09: 0000000000000000 [ 72.821927][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 72.824874][ C0] R13: 0000000000000000 R14: 00007f2aee936160 R15: 00007ffea13ceb08 [ 72.827791][ C0] [ 72.829198][ C0] Kernel Offset: disabled [ 72.830789][ C0] Rebooting in 86400 seconds..