program:
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000040)={'vcan0\x00', <r1=>0x0})
bind$can_j1939(r0, &(0x7f0000000100)={0x1d, r1}, 0x18)
connect$can_j1939(r0, &(0x7f0000000140)={0x1d, r1, 0x0, {0x0, 0x0, 0x3}, 0x1}, 0x18)
sendmsg$can_j1939(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000200)='d', 0xfffe}}, 0x0)

[   70.574697][ T5303] Bluetooth: hci0: command tx timeout
[   71.925657][    C0] vcan0: j1939_tp_rxtimer: 0xffff8880437e7800: rx timeout, send abort
[   71.929869][    C0] vcan0: j1939_xtp_rx_abort_one: 0xffff8880437e7800: 0x30000: (3) A timeout occurred and this is the connection abort to close the session.
[   71.934601][    C0] ------------[ cut here ]------------
[   71.936523][    C0] refcount_t: underflow; use-after-free.
[   71.938797][    C0] WARNING: CPU: 0 PID: 16 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0
[   71.941974][    C0] Modules linked in:
[   71.943273][    C0] CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0
[   71.947118][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   71.951184][    C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0
[   71.953615][    C0] Code: e0 1e 5f 8c e8 87 c5 95 fc 90 0f 0b 90 90 eb 99 e8 2b 1e d5 fc c6 05 6d 2c 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 67 c5 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 08 1e d5 fc c6 05 47 2c 39 0b 01 90
[   71.960540][    C0] RSP: 0018:ffffc9000042f4c0 EFLAGS: 00010246
[   71.962728][    C0] RAX: 5b55c3511bc0b300 RBX: ffff88803f77fae4 RCX: ffff88801b700000
[   71.965737][    C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
[   71.968736][    C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: fffffbfff1cfa210
[   71.971739][    C0] R10: dffffc0000000000 R11: fffffbfff1cfa210 R12: ffff8880437e7868
[   71.974618][    C0] R13: ffff88803f77fae4 R14: 1ffff110086fcf18 R15: ffff8880437e7800
[   71.977684][    C0] FS:  0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   71.980913][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   71.983362][    C0] CR2: 0000000020010000 CR3: 000000004370a000 CR4: 0000000000352ef0
[   71.986313][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   71.989367][    C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   71.992338][    C0] Call Trace:
[   71.993660][    C0]  <TASK>
[   71.994802][    C0]  ? __warn+0x165/0x4d0
[   71.996408][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   71.998607][    C0]  ? report_bug+0x2b3/0x500
[   72.000414][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   72.002553][    C0]  ? handle_bug+0x60/0x90
[   72.004242][    C0]  ? exc_invalid_op+0x1a/0x50
[   72.005894][    C0]  ? asm_exc_invalid_op+0x1a/0x20
[   72.007581][    C0]  ? __warn_printk+0x292/0x360
[   72.009332][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   72.011661][    C0]  j1939_session_put+0x1ed/0x440
[   72.013770][    C0]  j1939_tp_recv+0x92a/0x1050
[   72.015595][    C0]  j1939_can_recv+0x732/0xb20
[   72.017391][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   72.019199][    C0]  ? __lock_acquire+0x1397/0x2100
[   72.021088][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   72.023266][    C0]  can_rcv_filter+0x359/0x7f0
[   72.025143][    C0]  can_receive+0x327/0x480
[   72.026867][    C0]  ? can_receive+0x1c9/0x480
[   72.028708][    C0]  can_rcv+0x144/0x260
[   72.030177][    C0]  ? __pfx_can_rcv+0x10/0x10
[   72.031909][    C0]  __netif_receive_skb+0x2e0/0x650
[   72.033961][    C0]  ? __pfx_lock_acquire+0x10/0x10
[   72.035849][    C0]  ? __pfx___netif_receive_skb+0x10/0x10
[   72.037764][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   72.039776][    C0]  ? __pfx_lock_release+0x10/0x10
[   72.041763][    C0]  ? _raw_spin_lock_irq+0xdf/0x120
[   72.043672][    C0]  process_backlog+0x662/0x15b0
[   72.045317][    C0]  ? process_backlog+0x33b/0x15b0
[   72.047284][    C0]  ? __pfx_process_backlog+0x10/0x10
[   72.048989][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   72.051207][    C0]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   72.053661][    C0]  __napi_poll+0xcb/0x490
[   72.055301][    C0]  net_rx_action+0x89b/0x1240
[   72.057039][    C0]  ? __pfx_net_rx_action+0x10/0x10
[   72.059006][    C0]  ? __run_timer_base+0x178/0x8e0
[   72.060877][    C0]  ? __pfx_tmigr_handle_remote+0x10/0x10
[   72.062969][    C0]  ? __schedule+0x1858/0x4c30
[   72.064676][    C0]  handle_softirqs+0x2d4/0x9b0
[   72.066468][    C0]  ? run_ksoftirqd+0xca/0x130
[   72.068263][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   72.070107][    C0]  run_ksoftirqd+0xca/0x130
[   72.071844][    C0]  ? __pfx_run_ksoftirqd+0x10/0x10
[   72.074051][    C0]  ? __pfx_run_ksoftirqd+0x10/0x10
[   72.076098][    C0]  smpboot_thread_fn+0x544/0xa30
[   72.078107][    C0]  ? smpboot_thread_fn+0x4e/0xa30
[   72.080243][    C0]  ? __pfx_smpboot_thread_fn+0x10/0x10
[   72.082071][    C0]  kthread+0x2f0/0x390
[   72.083475][    C0]  ? __pfx_smpboot_thread_fn+0x10/0x10
[   72.085328][    C0]  ? __pfx_kthread+0x10/0x10
[   72.087123][    C0]  ret_from_fork+0x4b/0x80
[   72.088942][    C0]  ? __pfx_kthread+0x10/0x10
[   72.090751][    C0]  ret_from_fork_asm+0x1a/0x30
[   72.093204][    C0]  </TASK>
[   72.094339][    C0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   72.096999][    C0] CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0
[   72.100906][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   72.104888][    C0] Call Trace:
[   72.106259][    C0]  <TASK>
[   72.107397][    C0]  dump_stack_lvl+0x241/0x360
[   72.109145][    C0]  ? __pfx_dump_stack_lvl+0x10/0x10
[   72.111218][    C0]  ? __pfx__printk+0x10/0x10
[   72.113077][    C0]  ? _printk+0xd5/0x120
[   72.114678][    C0]  ? __init_begin+0x41000/0x41000
[   72.116682][    C0]  ? vscnprintf+0x5d/0x90
[   72.118383][    C0]  panic+0x349/0x880
[   72.119906][    C0]  ? __warn+0x174/0x4d0
[   72.121526][    C0]  ? __pfx_panic+0x10/0x10
[   72.123148][    C0]  ? ret_from_fork_asm+0x1a/0x30
[   72.124966][    C0]  __warn+0x344/0x4d0
[   72.126519][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   72.128443][    C0]  report_bug+0x2b3/0x500
[   72.130116][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   72.132001][    C0]  handle_bug+0x60/0x90
[   72.133348][    C0]  exc_invalid_op+0x1a/0x50
[   72.134869][    C0]  asm_exc_invalid_op+0x1a/0x20
[   72.136357][    C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0
[   72.138538][    C0] Code: e0 1e 5f 8c e8 87 c5 95 fc 90 0f 0b 90 90 eb 99 e8 2b 1e d5 fc c6 05 6d 2c 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 67 c5 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 08 1e d5 fc c6 05 47 2c 39 0b 01 90
[   72.145733][    C0] RSP: 0018:ffffc9000042f4c0 EFLAGS: 00010246
[   72.148584][    C0] RAX: 5b55c3511bc0b300 RBX: ffff88803f77fae4 RCX: ffff88801b700000
[   72.152313][    C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
[   72.155902][    C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: fffffbfff1cfa210
[   72.158853][    C0] R10: dffffc0000000000 R11: fffffbfff1cfa210 R12: ffff8880437e7868
[   72.161828][    C0] R13: ffff88803f77fae4 R14: 1ffff110086fcf18 R15: ffff8880437e7800
[   72.164688][    C0]  ? __warn_printk+0x292/0x360
[   72.166416][    C0]  j1939_session_put+0x1ed/0x440
[   72.168115][    C0]  j1939_tp_recv+0x92a/0x1050
[   72.169818][    C0]  j1939_can_recv+0x732/0xb20
[   72.171450][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   72.173318][    C0]  ? __lock_acquire+0x1397/0x2100
[   72.175103][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   72.176864][    C0]  can_rcv_filter+0x359/0x7f0
[   72.178462][    C0]  can_receive+0x327/0x480
[   72.179906][    C0]  ? can_receive+0x1c9/0x480
[   72.181364][    C0]  can_rcv+0x144/0x260
[   72.182730][    C0]  ? __pfx_can_rcv+0x10/0x10
[   72.184196][    C0]  __netif_receive_skb+0x2e0/0x650
[   72.185930][    C0]  ? __pfx_lock_acquire+0x10/0x10
[   72.187708][    C0]  ? __pfx___netif_receive_skb+0x10/0x10
[   72.189701][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   72.191944][    C0]  ? __pfx_lock_release+0x10/0x10
[   72.193901][    C0]  ? _raw_spin_lock_irq+0xdf/0x120
[   72.195880][    C0]  process_backlog+0x662/0x15b0
[   72.197722][    C0]  ? process_backlog+0x33b/0x15b0
[   72.199742][    C0]  ? __pfx_process_backlog+0x10/0x10
[   72.201770][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   72.204113][    C0]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   72.206435][    C0]  __napi_poll+0xcb/0x490
[   72.207991][    C0]  net_rx_action+0x89b/0x1240
[   72.209726][    C0]  ? __pfx_net_rx_action+0x10/0x10
[   72.211640][    C0]  ? __run_timer_base+0x178/0x8e0
[   72.213472][    C0]  ? __pfx_tmigr_handle_remote+0x10/0x10
[   72.215608][    C0]  ? __schedule+0x1858/0x4c30
[   72.217537][    C0]  handle_softirqs+0x2d4/0x9b0
[   72.219436][    C0]  ? run_ksoftirqd+0xca/0x130
[   72.221062][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   72.223081][    C0]  run_ksoftirqd+0xca/0x130
[   72.224872][    C0]  ? __pfx_run_ksoftirqd+0x10/0x10
[   72.226906][    C0]  ? __pfx_run_ksoftirqd+0x10/0x10
[   72.228726][    C0]  smpboot_thread_fn+0x544/0xa30
[   72.230600][    C0]  ? smpboot_thread_fn+0x4e/0xa30
[   72.232638][    C0]  ? __pfx_smpboot_thread_fn+0x10/0x10
[   72.234783][    C0]  kthread+0x2f0/0x390
[   72.236582][    C0]  ? __pfx_smpboot_thread_fn+0x10/0x10
[   72.238782][    C0]  ? __pfx_kthread+0x10/0x10
[   72.240619][    C0]  ret_from_fork+0x4b/0x80
[   72.242417][    C0]  ? __pfx_kthread+0x10/0x10
[   72.244311][    C0]  ret_from_fork_asm+0x1a/0x30
[   72.246348][    C0]  </TASK>
[   72.247879][    C0] Kernel Offset: disabled
[   72.249671][    C0] Rebooting in 86400 seconds..