------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 7813 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 7813 Comm: syz.2.513 Not tainted 6.12.0-syzkaller-09435-g2c22dc1ee3a1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
Code: a0 31 60 8c e8 97 af 9e fc 90 0f 0b 90 90 eb 99 e8 1b 07 de fc c6 05 1c 7b 4f 0b 01 90 48 c7 c7 00 32 60 8c e8 77 af 9e fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 f8 06 de fc c6 05 f6 7a 4f 0b 01 90
RSP: 0018:ffffc90000007640 EFLAGS: 00010246
RAX: 544f2b47fbe61300 RBX: ffff888033e30ea4 RCX: ffff88802e94bc00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815687d2 R09: fffffbfff1cfa8a0
R10: dffffc0000000000 R11: fffffbfff1cfa8a0 R12: ffff8880288a0800
R13: ffff888033e30ea4 R14: ffff8880288a0800 R15: ffff888029344618
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa9413b4d58 CR3: 0000000054534000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 kfree_skb_reason include/linux/skbuff.h:1263 [inline]
 kfree_skb include/linux/skbuff.h:1272 [inline]
 j1939_session_skb_drop_old net/can/j1939/transport.c:347 [inline]
 j1939_xtp_rx_cts_one net/can/j1939/transport.c:1445 [inline]
 j1939_xtp_rx_cts+0x552/0xc70 net/can/j1939/transport.c:1484
 j1939_tp_cmd_recv net/can/j1939/transport.c:2089 [inline]
 j1939_tp_recv+0x8ae/0x1050 net/can/j1939/transport.c:2161
 j1939_can_recv+0x732/0xb20 net/can/j1939/main.c:108
 deliver net/can/af_can.c:573 [inline]
 can_rcv_filter+0x359/0x7f0 net/can/af_can.c:607
 can_receive+0x327/0x480 net/can/af_can.c:664
 can_rcv+0x144/0x260 net/can/af_can.c:688
 __netif_receive_skb_one_core net/core/dev.c:5672 [inline]
 __netif_receive_skb+0x2e0/0x650 net/core/dev.c:5785
 process_backlog+0x662/0x15b0 net/core/dev.c:6117
 __napi_poll+0xcb/0x490 net/core/dev.c:6877
 napi_poll net/core/dev.c:6946 [inline]
 net_rx_action+0x89b/0x1240 net/core/dev.c:7068
 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:655
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x264/0x550 kernel/locking/lockdep.c:5853
Code: 2b 00 74 08 4c 89 f7 e8 4a 81 8c 00 f6 44 24 61 02 0f 85 85 01 00 00 41 f7 c7 00 02 00 00 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 25 00 00 00 00 00 43 c7 44 25 09 00 00 00 00 43 c7 44 25
RSP: 0018:ffffc9001bf2f100 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 1ffff920037e5e2c RCX: ffff88802e94c6d8
RDX: dffffc0000000000 RSI: ffffffff8c0aea80 RDI: ffffffff8c6076a0
RBP: ffffc9001bf2f258 R08: ffffffff942e9887 R09: 1ffffffff285d310
R10: dffffc0000000000 R11: fffffbfff285d311 R12: 1ffff920037e5e28
R13: dffffc0000000000 R14: ffffc9001bf2f160 R15: 0000000000000246
 rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 rcu_read_lock include/linux/rcupdate.h:849 [inline]
 page_ext_get+0x3d/0x2a0 mm/page_ext.c:525
 page_table_check_clear+0x4b/0x550 mm/page_table_check.c:74
 get_and_clear_full_ptes include/linux/pgtable.h:705 [inline]
 zap_present_folio_ptes mm/memory.c:1502 [inline]
 zap_present_ptes mm/memory.c:1585 [inline]
 zap_pte_range mm/memory.c:1627 [inline]
 zap_pmd_range mm/memory.c:1753 [inline]
 zap_pud_range mm/memory.c:1782 [inline]
 zap_p4d_range mm/memory.c:1803 [inline]
 unmap_page_range+0x2b41/0x4230 mm/memory.c:1824
 unmap_vmas+0x3cc/0x5f0 mm/memory.c:1914
 exit_mmap+0x275/0xc40 mm/mmap.c:1667
 __mmput+0x115/0x380 kernel/fork.c:1347
 exit_mm+0x220/0x310 kernel/exit.c:570
 do_exit+0x9b2/0x28e0 kernel/exit.c:925
 do_group_exit+0x207/0x2c0 kernel/exit.c:1087
 get_signal+0x16b2/0x1750 kernel/signal.c:3016
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xce/0x340 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5cbfd7e819
Code: Unable to access opcode bytes at 0x7f5cbfd7e7ef.
RSP: 002b:00007f5cbdbf60e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f5cbff35fa8 RCX: 00007f5cbfd7e819
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f5cbff35fa8
RBP: 00007f5cbff35fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f5cbff35fac
R13: 0000000000000000 R14: 00007fff6cdfd8c0 R15: 00007fff6cdfd9a8
 </TASK>
----------------
Code disassembly (best guess):
   0:	2b 00                	sub    (%rax),%eax
   2:	74 08                	je     0xc
   4:	4c 89 f7             	mov    %r14,%rdi
   7:	e8 4a 81 8c 00       	call   0x8c8156
   c:	f6 44 24 61 02       	testb  $0x2,0x61(%rsp)
  11:	0f 85 85 01 00 00    	jne    0x19c
  17:	41 f7 c7 00 02 00 00 	test   $0x200,%r15d
  1e:	74 01                	je     0x21
  20:	fb                   	sti
  21:	48 c7 44 24 40 0e 36 	movq   $0x45e0360e,0x40(%rsp)
  28:	e0 45
* 2a:	4b c7 44 25 00 00 00 	movq   $0x0,0x0(%r13,%r12,1) <-- trapping instruction
  31:	00 00
  33:	43 c7 44 25 09 00 00 	movl   $0x0,0x9(%r13,%r12,1)
  3a:	00 00
  3c:	43                   	rex.XB
  3d:	c7                   	.byte 0xc7
  3e:	44                   	rex.R
  3f:	25                   	.byte 0x25