------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 5183 at lib/refcount.c:25 refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 5183 Comm: syz-executor.0 Not tainted 5.11.0-syzkaller-11646-g5695e5161974 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)
pc : refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
lr : refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
sp : ffff800014c3bcd0
x29: ffff800014c3bcd0 x28: f7ff000009f48f40
x27: 0000000000000000 x26: 0000000000000000
x25: 0000000000000000 x24: 0000000000000000
x23: 0000000060000000 x22: f2ff0000277fc000
x21: ffff800013d3e390 x20: f1ff000025cb8000
x19: ffff800014c3bda8 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 00009934308dbfc6 x14: 00000000000001c7
x13: 00000000000001c7 x12: 0000000000000000
x11: 0000000000000001 x10: 33cbe09266a75eb5
x9 : 1a32df4dc01cfc2a x8 : f7ff000009f49de8
x7 : fbff000026d22400 x6 : 00000000194709ad
x5 : 0000000000000000 x4 : ffff00007fbd7948
x3 : ffff00007fbde4f0 x2 : 0000000000000000
x1 : 0000000000000000 x0 : f7ff000009f48f40
Call trace:
 refcount_warn_saturate+0xa0/0x144 lib/refcount.c:25
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 j1939_netdev_start+0x330/0x440 net/can/j1939/main.c:271
 j1939_sk_bind+0xf4/0x380 net/can/j1939/socket.c:479
 __sys_bind+0xd4/0x100 net/socket.c:1637
 __do_sys_bind net/socket.c:1648 [inline]
 __se_sys_bind net/socket.c:1646 [inline]
 __arm64_sys_bind+0x24/0x34 net/socket.c:1646
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
 el0_svc_common.constprop.0+0x60/0x120 arch/arm64/kernel/syscall.c:129
 do_el0_svc+0x74/0x90 arch/arm64/kernel/syscall.c:168
 el0_svc+0x2c/0x54 arch/arm64/kernel/entry-common.c:416
 el0_sync_handler+0x1a4/0x1b0 arch/arm64/kernel/entry-common.c:432
 el0_sync+0x18c/0x1c0 arch/arm64/kernel/entry.S:699