vcan0: j1939_tp_rxtimer: 0xffff88801fb36c00: rx timeout, send abort
vcan0: j1939_xtp_rx_abort_one: 0xffff88801fb36c00: 0x40000: (3) A timeout occurred and this is the connection abort to close the session.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 9895 at net/can/j1939/socket.c:181 j1939_sk_queue_activate_next_locked net/can/j1939/socket.c:181 [inline]
WARNING: CPU: 1 PID: 9895 at net/can/j1939/socket.c:181 j1939_sk_queue_activate_next+0x34d/0x460 net/can/j1939/socket.c:205
Modules linked in:
CPU: 1 PID: 9895 Comm: syz-executor.0 Not tainted 5.19.0-rc2-syzkaller-00052-g979086f5e006 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:j1939_sk_queue_activate_next_locked net/can/j1939/socket.c:181 [inline]
RIP: 0010:j1939_sk_queue_activate_next+0x34d/0x460 net/can/j1939/socket.c:205
Code: 1c 83 c0 0a 89 44 24 04 eb 9d 48 c7 c7 4c b0 bb 8d e8 c7 9b 77 f9 e9 73 fd ff ff e8 bd 9b 77 f9 e9 19 fe ff ff e8 53 d8 2a f9 <0f> 0b 49 8d bf b8 00 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 30 84
RSP: 0018:ffffc900001f0a50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88807b1bb000 RCX: 0000000000000100
RDX: ffff88801d06d880 RSI: ffffffff884f99ad RDI: 0000000000000005
RBP: ffff88807b1bb5b0 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000fffffff5 R11: 0000000000000000 R12: ffff888071301800
R13: ffff88807b1bb5f0 R14: dffffc0000000000 R15: ffff888071301818
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8324d01718 CR3: 00000000487cf000 CR4: 00000000003526e0
Call Trace:
 <IRQ>
 j1939_session_deactivate_activate_next net/can/j1939/transport.c:1101 [inline]
 j1939_session_completed+0x19a/0x1f0 net/can/j1939/transport.c:1214
 j1939_xtp_rx_eoma_one net/can/j1939/transport.c:1384 [inline]
 j1939_xtp_rx_eoma+0x2a6/0x5f0 net/can/j1939/transport.c:1399
 j1939_tp_cmd_recv net/can/j1939/transport.c:2088 [inline]
 j1939_tp_recv+0x930/0xcb0 net/can/j1939/transport.c:2133
 j1939_can_recv+0x6ff/0x9a0 net/can/j1939/main.c:108
 deliver net/can/af_can.c:574 [inline]
 can_rcv_filter+0x5d4/0x8d0 net/can/af_can.c:608
 can_receive+0x31d/0x580 net/can/af_can.c:665
 can_rcv+0x120/0x1c0 net/can/af_can.c:696
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5478
 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5592
 process_backlog+0x3a0/0x7c0 net/core/dev.c:5920
 __napi_poll+0xb3/0x6e0 net/core/dev.c:6486
 napi_poll net/core/dev.c:6553 [inline]
 net_rx_action+0x9c1/0xd90 net/core/dev.c:6664
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:pgd_free+0x0/0x1a0 arch/x86/mm/pgtable.c:472
Code: e8 85 0a 91 00 e9 2f ff ff ff 4c 89 ff e8 78 0a 91 00 e9 d7 fe ff ff e8 6e 0a 91 00 e9 f0 fe ff ff 66 0f 1f 84 00 00 00 00 00 <41> 57 41 56 41 55 41 54 55 48 89 f5 53 e8 5e 46 44 00 48 c7 c7 40
RSP: 0018:ffffc9000b7efaf0 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffff88801d06d880 RCX: 0000000000000000
RDX: 1ffff1100fe0b70a RSI: ffff888020bdf000 RDI: ffff88807f05b800
RBP: ffff88807f05b800 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88807f05b800
R13: ffff88807f05bdd8 R14: ffff88801d06d880 R15: ffff88807f05b800
 mm_free_pgd kernel/fork.c:737 [inline]
 __mmdrop+0xcb/0x3f0 kernel/fork.c:788
 mmdrop include/linux/sched/mm.h:50 [inline]
 __mmput+0x3f1/0x4b0 kernel/fork.c:1197
 mmput+0x56/0x60 kernel/fork.c:1208
 exit_mm kernel/exit.c:510 [inline]
 do_exit+0xa12/0x2a00 kernel/exit.c:782
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 get_signal+0x2542/0x2600 kernel/signal.c:2857
 arch_do_signal_or_restart+0x82/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f7bddcade31
Code: Unable to access opcode bytes at RIP 0x7f7bddcade07.
RSP: 002b:00007f7bde2cfb30 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: 0000000000000000 RBX: 00007f7bddd9bf60 RCX: 00007f7bddcade31
RDX: 00007f7bde2cfb70 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f7bddd9d960 R08: 0000000000000000 R09: 00007fffc5ff2080
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000148a37
R13: 00007f7bddda1560 R14: 00007f7bddd9c6b0 R15: 0000000000000009
 </TASK>
----------------
Code disassembly (best guess):
   0:	e8 85 0a 91 00       	callq  0x910a8a
   5:	e9 2f ff ff ff       	jmpq   0xffffff39
   a:	4c 89 ff             	mov    %r15,%rdi
   d:	e8 78 0a 91 00       	callq  0x910a8a
  12:	e9 d7 fe ff ff       	jmpq   0xfffffeee
  17:	e8 6e 0a 91 00       	callq  0x910a8a
  1c:	e9 f0 fe ff ff       	jmpq   0xffffff11
  21:	66 0f 1f 84 00 00 00 	nopw   0x0(%rax,%rax,1)
  28:	00 00
* 2a:	41 57                	push   %r15 <-- trapping instruction
  2c:	41 56                	push   %r14
  2e:	41 55                	push   %r13
  30:	41 54                	push   %r12
  32:	55                   	push   %rbp
  33:	48 89 f5             	mov    %rsi,%rbp
  36:	53                   	push   %rbx
  37:	e8 5e 46 44 00       	callq  0x44469a
  3c:	48                   	rex.W
  3d:	c7                   	.byte 0xc7
  3e:	c7                   	.byte 0xc7
  3f:	40                   	rex