vxcan0: j1939_tp_rxtimer: 0x846ee600: rx timeout, send abort
vxcan0: j1939_tp_rxtimer: 0x846ee600: abort rx timeout. Force session deactivation
------------[ cut here ]------------
WARNING: CPU: 1 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28
refcount_t: underflow; use-after-free.
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.11.0-syzkaller #0
Hardware name: ARM-Versatile Express
Call trace: frame pointer underflow
[<81966cb8>] (dump_backtrace) from [<81966db4>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
 r7:00000000 r6:826228c4 r5:00000000 r4:8200e404
[<81966d9c>] (show_stack) from [<81984a58>] (__dump_stack lib/dump_stack.c:93 [inline])
[<81966d9c>] (show_stack) from [<81984a58>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:119)
[<81984a04>] (dump_stack_lvl) from [<81984a98>] (dump_stack+0x18/0x1c lib/dump_stack.c:128)
 r5:00000000 r4:8286ed18
[<81984a80>] (dump_stack) from [<8196785c>] (panic+0x120/0x368 kernel/panic.c:354)
[<8196773c>] (panic) from [<802421d4>] (check_panic_on_warn kernel/panic.c:243 [inline])
[<8196773c>] (panic) from [<802421d4>] (get_taint+0x0/0x1c kernel/panic.c:238)
 r3:8260c5c4 r2:00000001 r1:81ff6c38 r0:81ffea04
 r7:8081a110
[<80242160>] (check_panic_on_warn) from [<80242328>] (__warn+0x7c/0x180 kernel/panic.c:741)
[<802422ac>] (__warn) from [<80242614>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:774)
 r8:00000009 r7:8205cdc4 r6:df805dcc r5:82e3ec00 r4:00000000
[<80242430>] (warn_slowpath_fmt) from [<8081a110>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28)
 r10:82e3ec00 r9:00000000 r8:817f5808 r7:00000000 r6:817f4e34 r5:00000002
 r4:85336e40
[<80819fd4>] (refcount_warn_saturate) from [<8146782c>] (__refcount_sub_and_test include/linux/refcount.h:275 [inline])
[<80819fd4>] (refcount_warn_saturate) from [<8146782c>] (__refcount_dec_and_test include/linux/refcount.h:307 [inline])
[<80819fd4>] (refcount_warn_saturate) from [<8146782c>] (refcount_dec_and_test include/linux/refcount.h:325 [inline])
[<80819fd4>] (refcount_warn_saturate) from [<8146782c>] (skb_unref include/linux/skbuff.h:1232 [inline])
[<80819fd4>] (refcount_warn_saturate) from [<8146782c>] (__sk_skb_reason_drop net/core/skbuff.c:1213 [inline])
[<80819fd4>] (refcount_warn_saturate) from [<8146782c>] (sk_skb_reason_drop+0x1d8/0x248 net/core/skbuff.c:1241)
[<81467654>] (sk_skb_reason_drop) from [<817f4e34>] (kfree_skb_reason include/linux/skbuff.h:1262 [inline])
[<81467654>] (sk_skb_reason_drop) from [<817f4e34>] (kfree_skb include/linux/skbuff.h:1271 [inline])
[<81467654>] (sk_skb_reason_drop) from [<817f4e34>] (j1939_session_destroy+0x78/0x200 net/can/j1939/transport.c:282)
 r9:00000000 r8:817f5808 r7:846ee600 r6:846ee650 r5:846ee600 r4:85336e40
[<817f4dbc>] (j1939_session_destroy) from [<817f58bc>] (__j1939_session_release net/can/j1939/transport.c:294 [inline])
[<817f4dbc>] (j1939_session_destroy) from [<817f58bc>] (kref_put include/linux/kref.h:65 [inline])
[<817f4dbc>] (j1939_session_destroy) from [<817f58bc>] (j1939_session_put net/can/j1939/transport.c:299 [inline])
[<817f4dbc>] (j1939_session_destroy) from [<817f58bc>] (j1939_tp_rxtimer+0xb4/0x1dc net/can/j1939/transport.c:1265)
 r6:8467c000 r5:846ee6c8 r4:846ee614
[<817f5808>] (j1939_tp_rxtimer) from [<802fc92c>] (__run_hrtimer kernel/time/hrtimer.c:1689 [inline])
[<817f5808>] (j1939_tp_rxtimer) from [<802fc92c>] (__hrtimer_run_queues+0x1d4/0x460 kernel/time/hrtimer.c:1753)
 r9:00000000 r8:817f5808 r7:ddddb1e0 r6:ddddb140 r5:ddddb220 r4:846ee6c8
[<802fc758>] (__hrtimer_run_queues) from [<802fcc4c>] (hrtimer_run_softirq+0x94/0xe4 kernel/time/hrtimer.c:1770)
 r10:00000100 r9:82e3ec00 r8:00000101 r7:7fffffff r6:ffffffff r5:20000113
 r4:ddddb140
[<802fcbb8>] (hrtimer_run_softirq) from [<8024b5d8>] (handle_softirqs+0x15c/0x468 kernel/softirq.c:554)
 r7:04200042 r6:00000008 r5:00000009 r4:826040a0
[<8024b47c>] (handle_softirqs) from [<8024b9d4>] (__do_softirq kernel/softirq.c:588 [inline])
[<8024b47c>] (handle_softirqs) from [<8024b9d4>] (invoke_softirq kernel/softirq.c:428 [inline])
[<8024b47c>] (handle_softirqs) from [<8024b9d4>] (__irq_exit_rcu+0xa4/0x164 kernel/softirq.c:637)
 r10:00000000 r9:82e3ec00 r8:00000000 r7:df869f18 r6:821af29c r5:821ef71c
 r4:82e3ec00
[<8024b930>] (__irq_exit_rcu) from [<8024bcd4>] (irq_exit+0x10/0x18 kernel/softirq.c:661)
 r5:821ef71c r4:824b8b5c
[<8024bcc4>] (irq_exit) from [<81985354>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
[<819852d8>] (generic_handle_arch_irq) from [<81936768>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
 r9:82e3ec00 r8:00000001 r7:df869f4c r6:ffffffff r5:20000013 r4:81986a98
[<8193674c>] (call_with_stack) from [<80200bcc>] (__irq_svc+0x8c/0xbc arch/arm/kernel/entry-armv.S:227)
Exception stack(0xdf869f18 to 0xdf869f60)
9f00:                                                       00000001 8200e404
9f20: 0021eebc 00000001 82e3ec00 8260c5d0 00000001 8260c5fc 00000001 00000000
9f40: 00000000 df869f84 df869f58 df869f68 81985f90 81986a98 20000013 ffffffff
[<81986a4c>] (default_idle_call) from [<80298040>] (cpuidle_idle_call kernel/sched/idle.c:185 [inline])
[<81986a4c>] (default_idle_call) from [<80298040>] (do_idle+0x264/0x2cc kernel/sched/idle.c:326)
 r7:8260c5fc r6:82e3ec00 r5:8260c5d0 r4:00000001
[<80297ddc>] (do_idle) from [<802983dc>] (cpu_startup_entry+0x30/0x34 kernel/sched/idle.c:424)
 r10:00000000 r9:411fd070 r8:80003000 r7:8286e464 r6:82e3ec00 r5:00000001
 r4:00000093
[<802983ac>] (cpu_startup_entry) from [<8020ff70>] (secondary_start_kernel+0x128/0x180 arch/arm/kernel/smp.c:478)
[<8020fe48>] (secondary_start_kernel) from [<80201374>] (__enable_mmu+0x0/0xc arch/arm/kernel/head.S:438)
 r7:8286e464 r6:30c0387d r5:00000000 r4:82cb60c0
Rebooting in 86400 seconds..