vcan0: j1939_tp_rxtimer: 0x8514ac00: abort rx timeout. Force session deactivation
------------[ cut here ]------------
WARNING: CPU: 1 PID: 5389 at lib/refcount.c:28 refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28
refcount_t: underflow; use-after-free.
Modules linked in:
Kernel panic - not syncing: kernel: panic_on_warn set ...
CPU: 1 UID: 0 PID: 5389 Comm: syz.2.249 Not tainted 6.12.0-rc7-syzkaller #0
Hardware name: ARM-Versatile Express
Call trace: frame pointer underflow
[<8199d4f8>] (dump_backtrace) from [<8199d5f4>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257)
r7:00000000 r6:82622f44 r5:00000000 r4:8203df84
[<8199d5dc>] (show_stack) from [<819bbac0>] (__dump_stack lib/dump_stack.c:94 [inline])
[<8199d5dc>] (show_stack) from [<819bbac0>] (dump_stack_lvl+0x54/0x7c lib/dump_stack.c:120)
[<819bba6c>] (dump_stack_lvl) from [<819bbb00>] (dump_stack+0x18/0x1c lib/dump_stack.c:129)
r5:00000000 r4:82870d18
[<819bbae8>] (dump_stack) from [<8199e120>] (panic+0x120/0x374 kernel/panic.c:354)
[<8199e000>] (panic) from [<80242118>] (check_panic_on_warn kernel/panic.c:243 [inline])
[<8199e000>] (panic) from [<80242118>] (get_taint+0x0/0x1c kernel/panic.c:238)
r3:8260c5c4 r2:00000001 r1:82026358 r0:8202ddc0 r7:80840e78
[<802420a4>] (check_panic_on_warn) from [<8024227c>] (__warn+0x80/0x188 kernel/panic.c:748)
[<802421fc>] (__warn) from [<8024256c>] (warn_slowpath_fmt+0x1e8/0x1f4 kernel/panic.c:783)
r8:00000009 r7:8208c7ac r6:df805dcc r5:83f7d400 r4:00000000
[<80242388>] (warn_slowpath_fmt) from [<80840e78>] (refcount_warn_saturate+0x13c/0x174 lib/refcount.c:28)
r10:83f7d400 r9:00000000 r8:8182b518 r7:00000000 r6:8182ab44 r5:00000002 r4:82eefe40
[<80840d3c>] (refcount_warn_saturate) from [<8149c620>] (__refcount_sub_and_test include/linux/refcount.h:275 [inline])
[<80840d3c>] (refcount_warn_saturate) from [<8149c620>] (__refcount_dec_and_test include/linux/refcount.h:307 [inline])
[<80840d3c>] (refcount_warn_saturate) from [<8149c620>] (refcount_dec_and_test include/linux/refcount.h:325 [inline])
[<80840d3c>] (refcount_warn_saturate) from [<8149c620>] (skb_unref include/linux/skbuff.h:1232 [inline])
[<80840d3c>] (refcount_warn_saturate) from [<8149c620>] (__sk_skb_reason_drop net/core/skbuff.c:1213 [inline])
[<80840d3c>] (refcount_warn_saturate) from [<8149c620>] (sk_skb_reason_drop+0x1d8/0x248 net/core/skbuff.c:1241)
[<8149c448>] (sk_skb_reason_drop) from [<8182ab44>] (kfree_skb_reason include/linux/skbuff.h:1262 [inline])
[<8149c448>] (sk_skb_reason_drop) from [<8182ab44>] (kfree_skb include/linux/skbuff.h:1271 [inline])
[<8149c448>] (sk_skb_reason_drop) from [<8182ab44>] (j1939_session_destroy+0x78/0x200 net/can/j1939/transport.c:282)
r9:00000000 r8:8182b518 r7:8514ac00 r6:8514ac50 r5:8514ac00 r4:82eefe40
[<8182aacc>] (j1939_session_destroy) from [<8182b5cc>] (__j1939_session_release net/can/j1939/transport.c:294 [inline])
[<8182aacc>] (j1939_session_destroy) from [<8182b5cc>] (kref_put include/linux/kref.h:65 [inline])
[<8182aacc>] (j1939_session_destroy) from [<8182b5cc>] (j1939_session_put net/can/j1939/transport.c:299 [inline])
[<8182aacc>] (j1939_session_destroy) from [<8182b5cc>] (j1939_tp_rxtimer+0xb4/0x1dc net/can/j1939/transport.c:1265)
r6:84670000 r5:8514acc8 r4:8514ac14
[<8182b518>] (j1939_tp_rxtimer) from [<803041f4>] (__run_hrtimer kernel/time/hrtimer.c:1691 [inline])
[<8182b518>] (j1939_tp_rxtimer) from [<803041f4>] (__hrtimer_run_queues+0x1d4/0x460 kernel/time/hrtimer.c:1755)
r9:00000000 r8:8182b518 r7:ddddb1e0 r6:ddddb140 r5:ddddb220 r4:8514acc8
[<80304020>] (__hrtimer_run_queues) from [<80304598>] (hrtimer_run_softirq+0x94/0xe4 kernel/time/hrtimer.c:1772)
r10:00000010 r9:83f7d400 r8:00000100 r7:7fffffff r6:ffffffff r5:20000113 r4:ddddb140
[<80304504>] (hrtimer_run_softirq) from [<8024b55c>] (handle_softirqs+0x158/0x464 kernel/softirq.c:554)
r7:00400040 r6:00000008 r5:00000005 r4:826040a0
[<8024b404>] (handle_softirqs) from [<8024b958>] (__do_softirq kernel/softirq.c:588 [inline])
[<8024b404>] (handle_softirqs) from [<8024b958>] (invoke_softirq kernel/softirq.c:428 [inline])
[<8024b404>] (handle_softirqs) from [<8024b958>] (__irq_exit_rcu+0xa4/0x164 kernel/softirq.c:637)
r10:b5403587 r9:83f7d400 r8:00000000 r7:df9ade30 r6:821dfb68 r5:82220374 r4:83f7d400
[<8024b8b4>] (__irq_exit_rcu) from [<8024bc58>] (irq_exit+0x10/0x18 kernel/softirq.c:661)
r5:82220374 r4:824bbcdc
[<8024bc48>] (irq_exit) from [<819bc49c>] (generic_handle_arch_irq+0x7c/0x80 kernel/irq/handle.c:240)
[<819bc420>] (generic_handle_arch_irq) from [<8196c98c>] (call_with_stack+0x1c/0x20 arch/arm/lib/call_with_stack.S:40)
r9:83f7d400 r8:00000000 r7:df9ade64 r6:ffffffff r5:80000113 r4:8148a404
[<8196c970>] (call_with_stack) from [<80200bcc>] (__irq_svc+0x8c/0xbc arch/arm/kernel/entry-armv.S:227)
Exception stack(0xdf9ade30 to 0xdf9ade78)
de20: 00000000 7effffff 00000000 b5003500
de40: df9adec0 20f458a0 0007a2bf 00000002 00000000 83f7d400 b5403587 df9adf5c
de60: a1f458bf df9ade80 8148a3fc 8148a404 80000113 ffffffff
[<8148a2d4>] (do_recvmmsg) from [<8148adc0>] (__sys_recvmmsg net/socket.c:3041 [inline])
[<8148a2d4>] (do_recvmmsg) from [<8148adc0>] (__do_sys_recvmmsg_time32 net/socket.c:3075 [inline])
[<8148a2d4>] (do_recvmmsg) from [<8148adc0>] (sys_recvmmsg_time32+0xc4/0xd8 net/socket.c:3068)
r10:0000016d r9:83f7d400 r8:fffffeda r7:00000002 r6:00000000 r5:200000c0 r4:00000004
[<8148acfc>] (sys_recvmmsg_time32) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdf9adfa8 to 0xdf9adff0)
dfa0: 00000000 00000000 00000004 200000c0 fffffeda 00000002
dfc0: 00000000 00000000 00286388 0000016d 00000000 00006364 003d0f00 76bc90bc
dfe0: 76bc8ec0 76bc8eb0 00018af0 00133450
r8:8020029c r7:0000016d r6:00286388 r5:00000000 r4:00000000
Rebooting in 86400 seconds..