------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 6121 at lib/refcount.c:28 refcount_warn_saturate+0x21c/0x220 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 6121 Comm: kworker/0:1 Not tainted 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events nsim_dev_trap_report_work
epc : refcount_warn_saturate+0x21c/0x220 lib/refcount.c:28
 ra : refcount_warn_saturate+0x21c/0x220 lib/refcount.c:28
epc : ffffffff81454a64 ra : ffffffff81454a64 sp : ff200000000076b0
 gp : ffffffff897bea80 tp : ff60000017f41a40 t0 : ff60000017f42560
 t1 : ffebffff0dd832ea t2 : 0000000000000049 s0 : ff200000000076d0
 s1 : 0000000000000000 a0 : 0000000000000005 a1 : 0000000000000000
 a2 : 0000000000f00000 a3 : ffffffff800c504c a4 : 0000000000000000
 a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ff6000006ec19753
 s2 : ffffffff896ba608 s3 : 0000000000000002 s4 : ff6000002fa115e4
 s5 : 0000000000000000 s6 : ffffffff85a735d8 s7 : 0000000000000002
 s8 : ff600000441434c2 s9 : 1fec000008828698 s10: 1fec000008828680
 s11: 1fec000009d9a749 t3 : 1fec000002fe84ab t4 : ffebffff0dd832ea
 t5 : ffebffff0dd832eb t6 : ff20000000007058
status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[<ffffffff81454a64>] refcount_warn_saturate+0x21c/0x220 lib/refcount.c:28
[<ffffffff84cac6a0>] __refcount_sub_and_test include/linux/refcount.h:275 [inline]
[<ffffffff84cac6a0>] __refcount_dec_and_test include/linux/refcount.h:307 [inline]
[<ffffffff84cac6a0>] refcount_dec_and_test include/linux/refcount.h:325 [inline]
[<ffffffff84cac6a0>] skb_unref include/linux/skbuff.h:1232 [inline]
[<ffffffff84cac6a0>] __sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
[<ffffffff84cac6a0>] sk_skb_reason_drop+0x174/0x180 net/core/skbuff.c:1241
[<ffffffff85a735d8>] kfree_skb_reason include/linux/skbuff.h:1262 [inline]
[<ffffffff85a735d8>] kfree_skb include/linux/skbuff.h:1271 [inline]
[<ffffffff85a735d8>] j1939_session_destroy+0x158/0x428 net/can/j1939/transport.c:282
[<ffffffff85a761d2>] __j1939_session_release net/can/j1939/transport.c:294 [inline]
[<ffffffff85a761d2>] kref_put include/linux/kref.h:65 [inline]
[<ffffffff85a761d2>] j1939_session_put net/can/j1939/transport.c:299 [inline]
[<ffffffff85a761d2>] j1939_xtp_rx_eoma+0x314/0x5be net/can/j1939/transport.c:1411
[<ffffffff85a7def0>] j1939_tp_cmd_recv net/can/j1939/transport.c:2113 [inline]
[<ffffffff85a7def0>] j1939_tp_recv+0xb62/0xefe net/can/j1939/transport.c:2161
[<ffffffff85a6a100>] j1939_can_recv net/can/j1939/main.c:108 [inline]
[<ffffffff85a6a100>] j1939_can_recv+0x776/0xa28 net/can/j1939/main.c:34
[<ffffffff85a47378>] deliver net/can/af_can.c:572 [inline]
[<ffffffff85a47378>] can_rcv_filter+0x23a/0x7c4 net/can/af_can.c:606
[<ffffffff85a48684>] can_receive+0x2c8/0x5a0 net/can/af_can.c:663
[<ffffffff85a48b20>] can_rcv+0x1c4/0x252 net/can/af_can.c:687
[<ffffffff84d21a54>] __netif_receive_skb_one_core+0x106/0x16e net/core/dev.c:5662
[<ffffffff84d21cd4>] __netif_receive_skb+0x2c/0x144 net/core/dev.c:5775
[<ffffffff84d22d58>] process_backlog+0x4fc/0x1cbc net/core/dev.c:6107
[<ffffffff84d2760a>] __napi_poll.constprop.0+0xaa/0x4b8 net/core/dev.c:6771
[<ffffffff84d2842a>] napi_poll net/core/dev.c:6840 [inline]
[<ffffffff84d2842a>] net_rx_action+0xa12/0xf10 net/core/dev.c:6962
[<ffffffff800e0fba>] handle_softirqs+0x4a6/0x10de kernel/softirq.c:554
[<ffffffff85ffccb8>] __do_softirq+0x12/0x1a kernel/softirq.c:588
[<ffffffff80006f74>] ___do_softirq+0x18/0x20 arch/riscv/kernel/irq.c:85
[<ffffffff85ffcc1a>] call_on_irq_stack+0x32/0x40 arch/riscv/kernel/entry.S:355