------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 28120 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 28120 Comm: syz-executor.0 Not tainted 5.14.0-rc3-syzkaller-00103-g764a5bc89b12 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)
pc : refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
lr : refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
sp : ffff8000158b3ca0
x29: ffff8000158b3ca0 x28: f8ff0000057c2dc0 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
x23: f9ff000005ef84c0 x22: f4ff000027964000 x21: ffff800012573f58
x20: f9ff000005ef8000 x19: f6ff000029650000 x18: 00000000fffffffa
x17: 0000000000000001 x16: 0000000000000019 x15: 0000000000000020
x14: 0000000000000000 x13: 0000000000000aee x12: ffff8000158b3970
x11: ffff8000122ccd38 x10: 00000000ffffe000 x9 : ffff8000122ccd38
x8 : ffff80001221cd38 x7 : ffff8000122ccd38 x6 : 0000000000000000
x5 : ffff00007fbb0988 x4 : 0000000000015ff5 x3 : 0000000000000001
x2 : 0000000000000000 x1 : 0000000000000000 x0 : f8ff0000057c2dc0
Call trace:
refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
j1939_netdev_start+0x408/0x450 net/can/j1939/main.c:275
j1939_sk_bind+0xf8/0x380 net/can/j1939/socket.c:482
__sys_bind+0xd4/0x100 net/socket.c:1679
__do_sys_bind net/socket.c:1690 [inline]
__se_sys_bind net/socket.c:1688 [inline]
__arm64_sys_bind+0x24/0x34 net/socket.c:1688
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x40/0xdc arch/arm64/kernel/syscall.c:145
do_el0_svc+0x78/0x90 arch/arm64/kernel/syscall.c:184
el0_svc+0x2c/0x54 arch/arm64/kernel/entry-common.c:511
el0t_64_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:527
el0t_64_sync+0x1b4/0x1b8 arch/arm64/kernel/entry.S:574
---[ end trace 0f3e35a8386e4d88 ]---