netlink: 4 bytes leftover after parsing attributes in process `syz.0.6913'.
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 26419 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 26419 Comm: syz.0.6913 Tainted: G B 6.12.0-rc1-syzkaller-00125-g0c559323bbaa #0
Tainted: [B]=BAD_PAGE
Hardware name: linux,dummy-virt (DT)
pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28
lr : refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28
sp : ffff80008a30b330
x29: ffff80008a30b330 x28: ffff80008a30b490 x27: 0000000000000000
x26: ffff800082a59e78 x25: f0f0000008c3f038 x24: 000000000000006c
x23: 00000000ffffffff x22: f8f0000008f41668 x21: f8f0000008f41600
x20: 0000000000000001 x19: f4f000002992c000 x18: ffffffffffffffff
x17: ffff8000800cd0ac x16: ffff8000800cc6e4 x15: ffff80008a30ad70
x14: 0000000000000000 x13: ffff80008274db38 x12: 00000000000034ec
x11: 00000000000011a4 x10: ffff800082818298 x9 : ffff80008274db38
x8 : 00000001000011a4 x7 : ffff8000827fdb38 x6 : 00000000000031a4
x5 : fff000007f8cb3c8 x4 : c0000001000011a4 x3 : fff07ffffd1d6000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : f9f0000005bc5b40
Call trace:
 refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:275 [inline]
 __refcount_dec_and_test include/linux/refcount.h:307 [inline]
 refcount_dec_and_test include/linux/refcount.h:325 [inline]
 skb_unref include/linux/skbuff.h:1232 [inline]
 __sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
 sk_skb_reason_drop+0xc4/0xcc net/core/skbuff.c:1241
 kfree_skb_reason include/linux/skbuff.h:1262 [inline]
 kfree_skb include/linux/skbuff.h:1271 [inline]
 j1939_session_destroy+0x7c/0x1b4 net/can/j1939/transport.c:282
 __j1939_session_release net/can/j1939/transport.c:294 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put net/can/j1939/transport.c:299 [inline]
 j1939_session_deactivate_locked net/can/j1939/transport.c:1086 [inline]
 j1939_session_deactivate_locked net/can/j1939/transport.c:1074 [inline]
 j1939_cancel_active_session+0x1c0/0x22c net/can/j1939/transport.c:2211
 j1939_netdev_notify+0x108/0x1a4 net/can/j1939/main.c:376
 notifier_call_chain kernel/notifier.c:93 [inline]
 raw_notifier_call_chain+0x54/0x74 kernel/notifier.c:461
 call_netdevice_notifiers_info+0x58/0xa4 net/core/dev.c:1996
 call_netdevice_notifiers_extack net/core/dev.c:2034 [inline]
 call_netdevice_notifiers net/core/dev.c:2048 [inline]
 dev_close_many+0x110/0x184 net/core/dev.c:1589
 unregister_netdevice_many_notify+0x158/0x91c net/core/dev.c:11377
 rtnl_delete_link net/core/rtnetlink.c:3252 [inline]
 rtnl_dellink+0x144/0x3b0 net/core/rtnetlink.c:3304
 rtnetlink_rcv_msg+0x12c/0x398 net/core/rtnetlink.c:6646
 netlink_rcv_skb+0x5c/0x128 net/netlink/af_netlink.c:2550
 rtnetlink_rcv+0x18/0x24 net/core/rtnetlink.c:6664
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x30c/0x374 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x1a4/0x3f4 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x54/0x60 net/socket.c:744
 ____sys_sendmsg+0x274/0x2ac net/socket.c:2602
 ___sys_sendmsg+0xac/0x100 net/socket.c:2656
 __sys_sendmsg+0x84/0xe0 net/socket.c:2685
 __do_sys_sendmsg net/socket.c:2694 [inline]
 __se_sys_sendmsg net/socket.c:2692 [inline]
 __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2692
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
---[ end trace 0000000000000000 ]---
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2