vxcan1: j1939_xtp_rx_abort_one: 0x0000000057af6fe3: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 15 at lib/refcount.c:28 refcount_warn_saturate+0x138/0x19c lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.12.0-syzkaller-12128-gf788b5ef1ca9 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x138/0x19c lib/refcount.c:28
lr : refcount_warn_saturate+0x138/0x19c lib/refcount.c:28
sp : ffff80008d0874e0
x29: ffff80008d0874e0 x28: ffff000019d4bc1c x27: 0000000000000002
x26: 1fffe00003da9c00 x25: 1fffe00003da9c18 x24: ffff00001ed4e0c2
x23: ffff000019d4bc1c x22: 0000000000000000 x21: ffff800084ea451c
x20: ffff000019d4bc1c x19: 0000000000000003 x18: 000000009be2c94c
x17: 0000000000000000 x16: 0000000000000000 x15: 1fffe00001b508dc
x14: 1ffff000110e62fd x13: ffff00000da84700 x12: ffff700010dc5a99
x11: 1ffff00010dc5a98 x10: ffff700010dc5a98 x9 : dfff800000000000
x8 : 0000000000000003 x7 : 0000000000000001 x6 : ffff700010dc5a98
x5 : ffff800086e2d4c0 x4 : 1fffe00001b50791 x3 : dfff800000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00000da83c80
Call trace:
 refcount_warn_saturate+0x138/0x19c lib/refcount.c:28 (P)
 refcount_warn_saturate+0x138/0x19c lib/refcount.c:28 (L)
 __refcount_sub_and_test include/linux/refcount.h:275 [inline]
 __refcount_dec_and_test include/linux/refcount.h:307 [inline]
 refcount_dec_and_test include/linux/refcount.h:325 [inline]
 skb_unref include/linux/skbuff.h:1233 [inline]
 __sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
 sk_skb_reason_drop+0x154/0x174 net/core/skbuff.c:1241
 kfree_skb_reason include/linux/skbuff.h:1263 [inline]
 kfree_skb include/linux/skbuff.h:1272 [inline]
 j1939_session_destroy+0x104/0x36c net/can/j1939/transport.c:282
 __j1939_session_release net/can/j1939/transport.c:294 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put net/can/j1939/transport.c:299 [inline]
 j1939_xtp_rx_abort_one+0x140/0x4e0 net/can/j1939/transport.c:1354
 j1939_xtp_rx_abort net/can/j1939/transport.c:1362 [inline]
 j1939_tp_cmd_recv net/can/j1939/transport.c:2128 [inline]
 j1939_tp_recv+0x680/0xb90 net/can/j1939/transport.c:2161
 j1939_can_recv net/can/j1939/main.c:108 [inline]
 j1939_can_recv+0x5b4/0x834 net/can/j1939/main.c:34
 deliver net/can/af_can.c:573 [inline]
 can_rcv_filter+0x1ec/0x6b8 net/can/af_can.c:607
 can_receive+0x244/0x440 net/can/af_can.c:664
 can_rcv+0x14c/0x22c net/can/af_can.c:688
 __netif_receive_skb_one_core+0xf4/0x168 net/core/dev.c:5672
 __netif_receive_skb+0x24/0x14c net/core/dev.c:5785
 process_backlog+0x384/0x1588 net/core/dev.c:6117
 __napi_poll.constprop.0+0x94/0x3b8 net/core/dev.c:6877
 napi_poll net/core/dev.c:6946 [inline]
 net_rx_action+0x808/0xb84 net/core/dev.c:7068
 handle_softirqs+0x2d8/0xdb4 kernel/softirq.c:554
 run_ksoftirqd kernel/softirq.c:943 [inline]
 run_ksoftirqd+0x90/0xcc kernel/softirq.c:935
 smpboot_thread_fn+0x4f8/0x8e4 kernel/smpboot.c:164
 kthread+0x27c/0x300 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862
irq event stamp: 856939
hardirqs last enabled at (856938): [] __up_console_sem+0x74/0x94 kernel/printk/printk.c:344
hardirqs last disabled at (856939): [] el1_dbg+0x24/0x9c arch/arm64/kernel/entry-common.c:488
softirqs last enabled at (856878): [] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (856878): [] handle_softirqs+0x88c/0xdb4 kernel/softirq.c:582
softirqs last disabled at (856883): [] run_ksoftirqd kernel/softirq.c:943 [inline]
softirqs last disabled at (856883): [] run_ksoftirqd+0x90/0xcc kernel/softirq.c:935
---[ end trace 0000000000000000 ]---