program:
# Syzkaller reproducer for the crash recorded in the console log below: a
# "refcount_t: underflow; use-after-free." WARNING raised from
# j1939_xtp_rx_cts() on the CAN J1939 receive path, which becomes a panic
# only because panic_on_warn is set on this test kernel.
# Triage note: the "Workqueue: bat_events batadv_nc_worker" line names the
# task that happened to be running. The J1939 frames sit in the <IRQ> section
# of the trace, entered via do_softirq() from __local_bh_enable_ip(), so the
# batman-adv frames look incidental — confirm before attributing the bug.

# Map the scratch region that backs every pointer argument below.
# prot 0x7 is read|write|exec, fd is -1 (anonymous mapping).
# NOTE(review): flags 0x4008032 presumably decode to MAP_PRIVATE | MAP_FIXED |
# MAP_ANONYMOUS | MAP_POPULATE | MAP_UNINITIALIZED — confirm against the headers.
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x7, 0x4008032, 0xffffffffffffffff, 0x0)
# Advice 0x15 (21) on the first 0x600000 bytes of the mapping.
# NOTE(review): 21 should be MADV_PAGEOUT; it may only perturb timing — verify
# whether the reproducer still triggers without it.
madvise(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x15)
# First J1939 socket (family 0x1d, type 0x2, protocol 0x7); used only as a
# handle for the interface-index lookup on the next line.
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
# ioctl 0x8933 on 'vcan0'; the returned interface index is captured as r1.
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000200)={'vcan0\x00', <r1=>0x0})
# Second J1939 socket: this is the one that is bound and sends.
r2 = socket$can_j1939(0x1d, 0x2, 0x7)
# Bind r2 to the vcan0 ifindex (r1). Only the family and ifindex are spelled
# out; the remaining sockaddr fields take the program's default values.
bind$can_j1939(r2, &(0x7f0000000080)={0x1d, r1}, 0x18)
# Single send that starts the failing sequence. The iovec declares a length of
# 0x1a000 bytes although the program only supplies the one byte 0x92, so the
# rest comes from whatever the mapping holds. The destination sockaddr at
# 0x7f0000000040 is left at default contents; msg flags are 0xee.
# NOTE(review): a payload this large presumably goes through a multi-packet
# J1939 transport session, which would match the CTS handler
# (j1939_xtp_rx_cts) seen in the trace — confirm against net/can/j1939.
sendmsg$can_j1939(r2, &(0x7f00000001c0)={&(0x7f0000000040), 0x18, &(0x7f0000000180)={&(0x7f00000000c0)="92", 0x1a000}}, 0xee)

[   58.676295][ T5299] Bluetooth: hci0: command tx timeout
[   58.780979][    C0] ------------[ cut here ]------------
[   58.783175][    C0] refcount_t: underflow; use-after-free.
[   58.785527][    C0] WARNING: CPU: 0 PID: 46 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0
[   58.788891][    C0] Modules linked in:
[   58.790479][    C0] CPU: 0 UID: 0 PID: 46 Comm: kworker/u4:3 Not tainted 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b #0
[   58.794355][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.798255][    C0] Workqueue: bat_events batadv_nc_worker
[   58.800436][    C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0
[   58.802775][    C0] Code: e0 1e 5f 8c e8 07 c1 95 fc 90 0f 0b 90 90 eb 99 e8 ab 19 d5 fc c6 05 ed 27 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 e7 c0 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 88 19 d5 fc c6 05 c7 27 39 0b 01 90
[   58.810010][    C0] RSP: 0018:ffffc900000076c0 EFLAGS: 00010246
[   58.812215][    C0] RAX: 8342c108c5957100 RBX: ffff8880403fad64 RCX: ffff88801d160000
[   58.815174][    C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
[   58.818236][    C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: 1ffff11003f8519a
[   58.821183][    C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff88803fef8c00
[   58.824251][    C0] R13: ffff8880403fad64 R14: ffff88803fef8c00 R15: ffff888052f5b818
[   58.827461][    C0] FS:  0000000000000000(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000
[   58.830870][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   58.833538][    C0] CR2: 0000000020015000 CR3: 0000000043290000 CR4: 0000000000352ef0
[   58.836438][    C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   58.840118][    C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   58.843672][    C0] Call Trace:
[   58.845103][    C0]  <IRQ>
[   58.846357][    C0]  ? __warn+0x165/0x4d0
[   58.848139][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.850585][    C0]  ? report_bug+0x2b3/0x500
[   58.852728][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.855310][    C0]  ? handle_bug+0x60/0x90
[   58.857190][    C0]  ? exc_invalid_op+0x1a/0x50
[   58.859637][    C0]  ? asm_exc_invalid_op+0x1a/0x20
[   58.861918][    C0]  ? __warn_printk+0x292/0x360
[   58.863883][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   58.866194][    C0]  j1939_xtp_rx_cts+0x552/0xc70
[   58.868097][    C0]  j1939_tp_recv+0x8ae/0x1050
[   58.869975][    C0]  j1939_can_recv+0x732/0xb20
[   58.871828][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   58.874099][    C0]  ? __lock_acquire+0x1397/0x2100
[   58.876017][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   58.878213][    C0]  can_rcv_filter+0x359/0x7f0
[   58.880145][    C0]  can_receive+0x327/0x480
[   58.881863][    C0]  ? can_receive+0x1c9/0x480
[   58.883658][    C0]  can_rcv+0x144/0x260
[   58.885191][    C0]  ? __pfx_can_rcv+0x10/0x10
[   58.887002][    C0]  __netif_receive_skb+0x2e0/0x650
[   58.888840][    C0]  ? __pfx_lock_acquire+0x10/0x10
[   58.890898][    C0]  ? __pfx___netif_receive_skb+0x10/0x10
[   58.893065][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   58.895556][    C0]  ? __pfx_lock_release+0x10/0x10
[   58.897439][    C0]  ? _raw_spin_lock_irq+0xdf/0x120
[   58.899375][    C0]  process_backlog+0x662/0x15b0
[   58.901334][    C0]  ? process_backlog+0x33b/0x15b0
[   58.903071][    C0]  ? __pfx_process_backlog+0x10/0x10
[   58.904958][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   58.907156][    C0]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   58.909349][    C0]  __napi_poll+0xcb/0x490
[   58.910947][    C0]  net_rx_action+0x89b/0x1240
[   58.912826][    C0]  ? __pfx_net_rx_action+0x10/0x10
[   58.914826][    C0]  ? __run_timer_base+0x1c0/0x8e0
[   58.916680][    C0]  ? __pfx_tmigr_handle_remote+0x10/0x10
[   58.918816][    C0]  handle_softirqs+0x2d4/0x9b0
[   58.920770][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   58.922810][    C0]  ? do_softirq+0x11b/0x1e0
[   58.924617][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   58.926697][    C0]  do_softirq+0x11b/0x1e0
[   58.928362][    C0]  </IRQ>
[   58.929541][    C0]  <TASK>
[   58.930785][    C0]  ? __pfx_do_softirq+0x10/0x10
[   58.932651][    C0]  ? __pfx_lockdep_softirqs_on+0x10/0x10
[   58.934831][    C0]  ? __pfx_lock_acquire+0x10/0x10
[   58.936813][    C0]  ? rcu_is_watching+0x15/0xb0
[   58.938738][    C0]  __local_bh_enable_ip+0x1bb/0x200
[   58.940867][    C0]  ? batadv_nc_purge_paths+0x312/0x3b0
[   58.942986][    C0]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   58.945169][    C0]  ? batadv_nc_purge_paths+0xe8/0x3b0
[   58.947223][    C0]  ? __pfx_batadv_nc_to_purge_nc_path_coding+0x10/0x10
[   58.949822][    C0]  batadv_nc_purge_paths+0x312/0x3b0
[   58.951885][    C0]  batadv_nc_worker+0x328/0x610
[   58.953722][    C0]  ? batadv_nc_worker+0xcb/0x610
[   58.955507][    C0]  ? process_scheduled_works+0x976/0x1840
[   58.957620][    C0]  process_scheduled_works+0xa66/0x1840
[   58.959742][    C0]  ? __pfx_process_scheduled_works+0x10/0x10
[   58.962166][    C0]  ? assign_work+0x364/0x3d0
[   58.963941][    C0]  worker_thread+0x870/0xd30
[   58.965757][    C0]  ? __kthread_parkme+0x169/0x1d0
[   58.967636][    C0]  ? __pfx_worker_thread+0x10/0x10
[   58.969594][    C0]  kthread+0x2f0/0x390
[   58.971279][    C0]  ? __pfx_worker_thread+0x10/0x10
[   58.973234][    C0]  ? __pfx_kthread+0x10/0x10
[   58.974990][    C0]  ret_from_fork+0x4b/0x80
[   58.976683][    C0]  ? __pfx_kthread+0x10/0x10
[   58.978517][    C0]  ret_from_fork_asm+0x1a/0x30
[   58.980444][    C0]  </TASK>
[   58.981634][    C0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   58.984374][    C0] CPU: 0 UID: 0 PID: 46 Comm: kworker/u4:3 Not tainted 6.13.0-rc1-syzkaller-00001-ge70140ba0d2b #0
[   58.988397][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.992559][    C0] Workqueue: bat_events batadv_nc_worker
[   58.994586][    C0] Call Trace:
[   58.995915][    C0]  <IRQ>
[   58.997174][    C0]  dump_stack_lvl+0x241/0x360
[   58.999115][    C0]  ? __pfx_dump_stack_lvl+0x10/0x10
[   59.001123][    C0]  ? __pfx__printk+0x10/0x10
[   59.002912][    C0]  ? _printk+0xd5/0x120
[   59.004720][    C0]  ? __init_begin+0x41000/0x41000
[   59.006833][    C0]  ? vscnprintf+0x5d/0x90
[   59.008568][    C0]  panic+0x349/0x880
[   59.010034][    C0]  ? __warn+0x174/0x4d0
[   59.011593][    C0]  ? __pfx_panic+0x10/0x10
[   59.013241][    C0]  ? ret_from_fork_asm+0x1a/0x30
[   59.015179][    C0]  __warn+0x344/0x4d0
[   59.016783][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   59.018936][    C0]  report_bug+0x2b3/0x500
[   59.020629][    C0]  ? refcount_warn_saturate+0x15a/0x1d0
[   59.022895][    C0]  handle_bug+0x60/0x90
[   59.024511][    C0]  exc_invalid_op+0x1a/0x50
[   59.026294][    C0]  asm_exc_invalid_op+0x1a/0x20
[   59.028155][    C0] RIP: 0010:refcount_warn_saturate+0x15a/0x1d0
[   59.030574][    C0] Code: e0 1e 5f 8c e8 07 c1 95 fc 90 0f 0b 90 90 eb 99 e8 ab 19 d5 fc c6 05 ed 27 39 0b 01 90 48 c7 c7 40 1f 5f 8c e8 e7 c0 95 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 88 19 d5 fc c6 05 c7 27 39 0b 01 90
[   59.037824][    C0] RSP: 0018:ffffc900000076c0 EFLAGS: 00010246
[   59.040110][    C0] RAX: 8342c108c5957100 RBX: ffff8880403fad64 RCX: ffff88801d160000
[   59.043154][    C0] RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
[   59.046145][    C0] RBP: 0000000000000003 R08: ffffffff81601c02 R09: 1ffff11003f8519a
[   59.049193][    C0] R10: dffffc0000000000 R11: ffffed1003f8519b R12: ffff88803fef8c00
[   59.052313][    C0] R13: ffff8880403fad64 R14: ffff88803fef8c00 R15: ffff888052f5b818
[   59.055400][    C0]  ? __warn_printk+0x292/0x360
[   59.057318][    C0]  j1939_xtp_rx_cts+0x552/0xc70
[   59.059254][    C0]  j1939_tp_recv+0x8ae/0x1050
[   59.061126][    C0]  j1939_can_recv+0x732/0xb20
[   59.063072][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   59.065136][    C0]  ? __lock_acquire+0x1397/0x2100
[   59.067136][    C0]  ? __pfx_j1939_can_recv+0x10/0x10
[   59.069162][    C0]  can_rcv_filter+0x359/0x7f0
[   59.071028][    C0]  can_receive+0x327/0x480
[   59.072772][    C0]  ? can_receive+0x1c9/0x480
[   59.074680][    C0]  can_rcv+0x144/0x260
[   59.076256][    C0]  ? __pfx_can_rcv+0x10/0x10
[   59.078074][    C0]  __netif_receive_skb+0x2e0/0x650
[   59.080114][    C0]  ? __pfx_lock_acquire+0x10/0x10
[   59.082157][    C0]  ? __pfx___netif_receive_skb+0x10/0x10
[   59.084344][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   59.086703][    C0]  ? __pfx_lock_release+0x10/0x10
[   59.088600][    C0]  ? _raw_spin_lock_irq+0xdf/0x120
[   59.090675][    C0]  process_backlog+0x662/0x15b0
[   59.092547][    C0]  ? process_backlog+0x33b/0x15b0
[   59.094524][    C0]  ? __pfx_process_backlog+0x10/0x10
[   59.096883][    C0]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   59.099478][    C0]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   59.101992][    C0]  __napi_poll+0xcb/0x490
[   59.103702][    C0]  net_rx_action+0x89b/0x1240
[   59.105538][    C0]  ? __pfx_net_rx_action+0x10/0x10
[   59.107464][    C0]  ? __run_timer_base+0x1c0/0x8e0
[   59.109411][    C0]  ? __pfx_tmigr_handle_remote+0x10/0x10
[   59.111669][    C0]  handle_softirqs+0x2d4/0x9b0
[   59.113526][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   59.115621][    C0]  ? do_softirq+0x11b/0x1e0
[   59.117529][    C0]  ? __pfx_handle_softirqs+0x10/0x10
[   59.119593][    C0]  do_softirq+0x11b/0x1e0
[   59.121365][    C0]  </IRQ>
[   59.122469][    C0]  <TASK>
[   59.123593][    C0]  ? __pfx_do_softirq+0x10/0x10
[   59.125509][    C0]  ? __pfx_lockdep_softirqs_on+0x10/0x10
[   59.127762][    C0]  ? __pfx_lock_acquire+0x10/0x10
[   59.129702][    C0]  ? rcu_is_watching+0x15/0xb0
[   59.131595][    C0]  __local_bh_enable_ip+0x1bb/0x200
[   59.133671][    C0]  ? batadv_nc_purge_paths+0x312/0x3b0
[   59.135749][    C0]  ? __pfx___local_bh_enable_ip+0x10/0x10
[   59.137896][    C0]  ? batadv_nc_purge_paths+0xe8/0x3b0
[   59.139907][    C0]  ? __pfx_batadv_nc_to_purge_nc_path_coding+0x10/0x10
[   59.142557][    C0]  batadv_nc_purge_paths+0x312/0x3b0
[   59.144521][    C0]  batadv_nc_worker+0x328/0x610
[   59.146438][    C0]  ? batadv_nc_worker+0xcb/0x610
[   59.148361][    C0]  ? process_scheduled_works+0x976/0x1840
[   59.150594][    C0]  process_scheduled_works+0xa66/0x1840
[   59.152754][    C0]  ? __pfx_process_scheduled_works+0x10/0x10
[   59.155093][    C0]  ? assign_work+0x364/0x3d0
[   59.156868][    C0]  worker_thread+0x870/0xd30
[   59.158639][    C0]  ? __kthread_parkme+0x169/0x1d0
[   59.160564][    C0]  ? __pfx_worker_thread+0x10/0x10
[   59.162573][    C0]  kthread+0x2f0/0x390
[   59.164257][    C0]  ? __pfx_worker_thread+0x10/0x10
[   59.166238][    C0]  ? __pfx_kthread+0x10/0x10
[   59.167999][    C0]  ret_from_fork+0x4b/0x80
[   59.169690][    C0]  ? __pfx_kthread+0x10/0x10
[   59.171430][    C0]  ret_from_fork_asm+0x1a/0x30
[   59.173253][    C0]  </TASK>
[   59.174722][    C0] Kernel Offset: disabled
[   59.176331][    C0] Rebooting in 86400 seconds..