vcan0: j1939_xtp_rx_abort_one: 0x00000000fb57f9ae: 0x30000: (3) A timeout occurred and this is the connection abort to close the session.
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28
Modules linked in:
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.13.0-rc1-syzkaller-00025-gfeffde684ac2 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60402009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28
lr : refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28
sp : ffff80008000bb80
x29: ffff80008000bb80 x28: fff000007f8ee9c8 x27: ffff800082777000
x26: 0000000100007833 x25: fff000007f8eebc0 x24: 0000000000000001
x23: 00000000ffffffff x22: f6f0000004241e68 x21: f6f0000004241e00
x20: 0000000000000001 x19: fbf000000ac18300 x18: ffffffffffffffff
x17: fff07ffffd18c000 x16: ffff800080008000 x15: ffff80008000b5c0
x14: ffff80008000b738 x13: ffff8000827ae740 x12: 0000000000000f6f
x11: 0000000000000525 x10: ffff80008285e740 x9 : ffff8000827ae740
x8 : 00000000ffffdfff x7 : ffff80008285e740 x6 : 80000000ffffe000
x5 : fff000007f8e3408 x4 : 0000000000000000 x3 : fff07ffffd18c000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : f9f000000323ed80
Call trace:
refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28 (P)
refcount_warn_saturate+0xf4/0x144 lib/refcount.c:28 (L)
__refcount_sub_and_test include/linux/refcount.h:275 [inline]
__refcount_dec_and_test include/linux/refcount.h:307 [inline]
refcount_dec_and_test include/linux/refcount.h:325 [inline]
skb_unref include/linux/skbuff.h:1233 [inline]
__sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
sk_skb_reason_drop+0xc4/0xcc net/core/skbuff.c:1241
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
kfree_skb include/linux/skbuff.h:1272 [inline]
j1939_session_destroy+0x7c/0x1b4 net/can/j1939/transport.c:282
__j1939_session_release net/can/j1939/transport.c:294 [inline]
kref_put include/linux/kref.h:65 [inline]
j1939_session_put net/can/j1939/transport.c:299 [inline]
j1939_xtp_rx_abort_one+0xe4/0x2c4 net/can/j1939/transport.c:1354
j1939_xtp_rx_abort net/can/j1939/transport.c:1362 [inline]
j1939_tp_cmd_recv net/can/j1939/transport.c:2128 [inline]
j1939_tp_recv+0x3d4/0x52c net/can/j1939/transport.c:2161
j1939_can_recv net/can/j1939/main.c:108 [inline]
j1939_can_recv+0x1c4/0x32c net/can/j1939/main.c:34
deliver net/can/af_can.c:573 [inline]
can_rcv_filter+0x94/0x1e4 net/can/af_can.c:607
can_receive+0xa8/0x11c net/can/af_can.c:664
can_rcv+0x84/0xb8 net/can/af_can.c:688
__netif_receive_skb_one_core+0x58/0x84 net/core/dev.c:5672
__netif_receive_skb+0x18/0x60 net/core/dev.c:5785
process_backlog+0x84/0x13c net/core/dev.c:6117
__napi_poll+0x38/0x198 net/core/dev.c:6877
napi_poll net/core/dev.c:6946 [inline]
net_rx_action+0x344/0x3c8 net/core/dev.c:7068
handle_softirqs+0x108/0x240 kernel/softirq.c:554
__do_softirq+0x14/0x20 kernel/softirq.c:588
____do_softirq+0x10/0x1c arch/arm64/kernel/irq.c:81
call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
do_softirq_own_stack+0x1c/0x28 arch/arm64/kernel/irq.c:86
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu+0xd8/0x110 kernel/softirq.c:655
irq_exit_rcu+0x10/0x1c kernel/softirq.c:671
__el1_irq arch/arm64/kernel/entry-common.c:561 [inline]
el1_interrupt+0x38/0x64 arch/arm64/kernel/entry-common.c:575
el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:580
el1h_64_irq+0x6c/0x70 arch/arm64/kernel/entry.S:596
__daif_local_irq_enable arch/arm64/include/asm/irqflags.h:26 [inline] (P)
arch_local_irq_enable arch/arm64/include/asm/irqflags.h:48 [inline] (P)
default_idle_call+0x28/0x3c kernel/sched/idle.c:124 (P)
ct_cpuidle_exit include/linux/cpuidle.h:144 [inline] (L)
default_idle_call+0x24/0x3c kernel/sched/idle.c:118 (L)
cpuidle_idle_call kernel/sched/idle.c:185 [inline]
do_idle+0x1f8/0x250 kernel/sched/idle.c:325
cpu_startup_entry+0x34/0x3c kernel/sched/idle.c:423
secondary_start_kernel+0x138/0x158 arch/arm64/kernel/smp.c:279
__secondary_switched+0xc0/0xc4 arch/arm64/kernel/head.S:420
---[ end trace 0000000000000000 ]---