------------[ cut here ]------------
WARNING: CPU: 0 PID: 7902 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28
refcount_t: underflow; use-after-free.
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 0 UID: 0 PID: 7902 Comm: syz-executor Not tainted 6.12.0-rc7-syzkaller #0
Hardware name: ARM-Versatile Express
Call trace: frame pointer underflow
[<8199ca98>] (dump_backtrace) from [<8199cb94>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:82622f44 r5:00000000 r4:8203dc20
[<8199cb7c>] (show_stack) from [<819bb028>] (__dump_stack lib/dump_stack.c:94 [inline])
[<8199cb7c>] (show_stack) from [<819bb028>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<819bafd4>] (dump_stack_lvl) from [<819bb068>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
 r5:00000000 r4:82870d18
[<819bb050>] (dump_stack) from [<8199d6c0>] (panic+0x120/0x374 kernel/panic.c:354)
[<8199d5a0>] (panic) from [<80242118>] (check_panic_on_warn kernel/panic.c:243 [inline])
[<8199d5a0>] (panic) from [<80242118>] (get_taint+0x0/0x1c kernel/panic.c:238)
 r3:8260c5c4 r2:00000001 r1:82025ff4 r0:8202da5c
 r7:808408b8
[<802420a4>] (check_panic_on_warn) from [<8024227c>] (__warn+0x80/0x188 kernel/panic.c:748)
[<802421fc>] (__warn) from [<8024256c>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:783)
 r8:00000009 r7:8208c430 r6:df801c44 r5:86dc0000 r4:00000000
[<80242388>] (warn_slowpath_fmt) from [<808408b8>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28)
 r10:dddd10c8 r9:00000040 r8:86a7a010 r7:00000000 r6:8182a15c r5:00000002
 r4:86f146c0
[<8084077c>] (refcount_warn_saturate) from [<8149bc18>] (__refcount_sub_and_test include/linux/refcount.h:275 [inline])
[<8084077c>] (refcount_warn_saturate) from [<8149bc18>] (__refcount_dec_and_test include/linux/refcount.h:307 [inline])
[<8084077c>] (refcount_warn_saturate) from [<8149bc18>] (refcount_dec_and_test include/linux/refcount.h:325 [inline])
[<8084077c>] (refcount_warn_saturate) from [<8149bc18>] (skb_unref include/linux/skbuff.h:1232 [inline])
[<8084077c>] (refcount_warn_saturate) from [<8149bc18>] (__sk_skb_reason_drop net/core/skbuff.c:1213 [inline])
[<8084077c>] (refcount_warn_saturate) from [<8149bc18>] (sk_skb_reason_drop+0x1d8/0x248 net/core/skbuff.c:1241)
[<8149ba40>] (sk_skb_reason_drop) from [<8182a15c>] (kfree_skb_reason include/linux/skbuff.h:1262 [inline])
[<8149ba40>] (sk_skb_reason_drop) from [<8182a15c>] (kfree_skb include/linux/skbuff.h:1271 [inline])
[<8149ba40>] (sk_skb_reason_drop) from [<8182a15c>] (j1939_session_destroy+0x78/0x200 net/can/j1939/transport.c:282)
 r9:00000040 r8:86a7a010 r7:8494681c r6:85050b50 r5:85050b00 r4:86f146c0
[<8182a0e4>] (j1939_session_destroy) from [<8182b2bc>] (__j1939_session_release net/can/j1939/transport.c:294 [inline])
[<8182a0e4>] (j1939_session_destroy) from [<8182b2bc>] (kref_put include/linux/kref.h:65 [inline])
[<8182a0e4>] (j1939_session_destroy) from [<8182b2bc>] (j1939_session_put net/can/j1939/transport.c:299 [inline])
[<8182a0e4>] (j1939_session_destroy) from [<8182b2bc>] (j1939_xtp_rx_eoma+0x120/0x234 net/can/j1939/transport.c:1411)
 r6:86f14600 r5:85050b00 r4:85050b14
[<8182b19c>] (j1939_xtp_rx_eoma) from [<8182d6e4>] (j1939_tp_cmd_recv net/can/j1939/transport.c:2113 [inline])
[<8182b19c>] (j1939_xtp_rx_eoma) from [<8182d6e4>] (j1939_tp_recv+0x4a8/0x530 net/can/j1939/transport.c:2161)
 r7:84946000 r6:84946008 r5:84946000 r4:86f14600
[<8182d23c>] (j1939_tp_recv) from [<818270c8>] (j1939_can_recv+0x1e4/0x2dc net/can/j1939/main.c:108)
 r7:84946000 r6:84946008 r5:84946810 r4:86f14600
[<81826ee4>] (j1939_can_recv) from [<8181ce98>] (deliver net/can/af_can.c:572 [inline])
[<81826ee4>] (j1939_can_recv) from [<8181ce98>] (can_rcv_filter+0x9c/0x218 net/can/af_can.c:606)
 r9:00000040 r8:849fc680 r7:98ec0000 r6:86f14780 r5:00000001 r4:84ea4450
[<8181cdfc>] (can_rcv_filter) from [<8181d83c>] (can_receive+0xb4/0xf0 net/can/af_can.c:663)
 r9:00000040 r8:00000000 r7:849fc000 r6:84f81400 r5:84891a00 r4:86f14780
[<8181d788>] (can_receive) from [<8181d8fc>] (can_rcv+0x84/0xac net/can/af_can.c:687)
 r9:00000040 r8:00000001 r7:00000000 r6:00000000 r5:8181d878 r4:86f14780
[<8181d878>] (can_rcv) from [<814bcb8c>] (__netif_receive_skb_one_core+0x5c/0x80 net/core/dev.c:5670)
 r5:8181d878 r4:849fc000
[<814bcb30>] (__netif_receive_skb_one_core) from [<814bcbf8>] (__netif_receive_skb+0x18/0x5c net/core/dev.c:5783)
 r5:dddd11b0 r4:86f14780
[<814bcbe0>] (__netif_receive_skb) from [<814bcf00>] (process_backlog+0xa0/0x17c net/core/dev.c:6115)
 r5:dddd11b0 r4:86f14780
[<814bce60>] (process_backlog) from [<814bde0c>] (__napi_poll+0x34/0x240 net/core/dev.c:6779)
 r10:dddd10c0 r9:dddd1300 r8:df801ea0 r7:df801e9b r6:00000040 r5:dddd11b0
 r4:00000001
[<814bddd8>] (__napi_poll) from [<814be680>] (napi_poll net/core/dev.c:6848 [inline])
[<814bddd8>] (__napi_poll) from [<814be680>] (net_rx_action+0x358/0x440 net/core/dev.c:6970)
 r9:dddd1300 r8:df801ea0 r7:0000012c r6:0000fe0a r5:dddd11b0 r4:00000000
[<814be328>] (net_rx_action) from [<8024b55c>] (handle_softirqs+0x158/0x464 kernel/softirq.c:554)
 r10:00000008 r9:86dc0000 r8:00000101 r7:00400140 r6:00000003 r5:00000004
 r4:8260408c
[<8024b404>] (handle_softirqs) from [<8024b958>] (__do_softirq kernel/softirq.c:588 [inline])
[<8024b404>] (handle_softirqs) from [<8024b958>] (invoke_softirq kernel/softirq.c:428 [inline])
[<8024b404>] (handle_softirqs) from [<8024b958>] (__irq_exit_rcu+0xa4/0x164 kernel/softirq.c:637)
 r10:00000001 r9:86dc0000 r8:00000000 r7:dfb41d68 r6:821df810 r5:82220024
 r4:86dc0000
[<8024b8b4>] (__irq_exit_rcu) from [<8024bc58>] (irq_exit+0x10/0x18 kernel/softirq.c:661)
 r5:82220024 r4:824bbcdc
[<8024bc48>] (irq_exit) from [<819bba04>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
[<819bb988>] (generic_handle_arch_irq) from [<8196bf24>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:86dc0000 r8:82e3b000 r7:dfb41d9c r6:ffffffff r5:20000113 r4:8027d4c4
[<8196bf08>] (call_with_stack) from [<80200bcc>] (__irq_svc+0x8c/0xbc arch/arm/kernel/entry-armv.S:227)
Exception stack(0xdfb41d68 to 0xdfb41db0)
1d60:                   00000001 8203dc20 00000001 86dc0000 00000000 dddd0400
1d80: 819bf380 a3eca5c0 82e3b000 86dc0000 00000001 dfb41dfc dfb41da8 dfb41db8
1da0: 819c82dc 8027d4c4 20000113 ffffffff
[<8027d438>] (finish_task_switch) from [<819bf380>] (context_switch kernel/sched/core.c:5331 [inline])
[<8027d438>] (finish_task_switch) from [<819bf380>] (__schedule+0x424/0xc2c kernel/sched/core.c:6693)
 r10:83b8b8c0 r9:00000000 r8:83fbe100 r7:a3eca5c0 r6:86dc0000 r5:dddd0400
 r4:84d7ec00
[<819bef5c>] (__schedule) from [<819bfbb4>] (__schedule_loop kernel/sched/core.c:6770 [inline])
[<819bef5c>] (__schedule) from [<819bfbb4>] (schedule+0x2c/0xfc kernel/sched/core.c:6785)
 r10:00000109 r9:86dc0000 r8:00000000 r7:00000001 r6:00002001 r5:86dc0000
 r4:86dc0000
[<819bfb88>] (schedule) from [<819c7460>] (do_nanosleep+0x90/0x15c kernel/time/hrtimer.c:2032)
 r5:86dc0000 r4:dfb41ee8
[<819c73d0>] (do_nanosleep) from [<80305b9c>] (hrtimer_nanosleep+0xc8/0x144 kernel/time/hrtimer.c:2080)
 r8:00000000 r7:00000001 r6:86dc0000 r5:00989680 r4:00000000
[<80305ad4>] (hrtimer_nanosleep) from [<80310224>] (common_nsleep+0x5c/0x6c kernel/time/posix-timers.c:1365)
 r8:7ebe29d4 r7:86dc0000 r6:00000000 r5:00000000 r4:3b9aca00
[<803101c8>] (common_nsleep) from [<8031257c>] (__do_sys_clock_nanosleep_time32 kernel/time/posix-timers.c:1439 [inline])
[<803101c8>] (common_nsleep) from [<8031257c>] (sys_clock_nanosleep_time32+0xf8/0x154 kernel/time/posix-timers.c:1416)
 r5:81a044a8 r4:00000000
[<80312484>] (sys_clock_nanosleep_time32) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfb41fa8 to 0xdfb41ff0)
1fa0:                   00000000 7ebe29d4 00000000 00000000 7ebe29dc 7ebe29d4
1fc0: 00000000 7ebe29d4 00000000 00000109 00000000 7ebe2ac8 00000000 00000115
1fe0: 00000000 7ebe29d0 00000001 00160704
 r8:8020029c r7:00000109 r6:00000000 r5:7ebe29d4 r4:00000000
Rebooting in 86400 seconds..