dst_release: dst:(____ptrval____) refcnt:-1
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
BUG: KASAN: use-after-free in dst_release+0x2a/0xb0 net/core/dst.c:186
Write of size 4 at addr ffff8801adc77a40 by task swapper/1/0

kasan: GPF could be caused by NULL-ptr deref or user memory access
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.18.0-rc7+ #167
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 4672 Comm: syz-executor444 Not tainted 4.18.0-rc7+ #167
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:sk_setup_caps+0xc2/0x680 net/core/sock.c:1818
Code: 48 
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
c1 
ea 
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
03 
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
80 
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
3c 
 atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
 dst_release+0x2a/0xb0 net/core/dst.c:186
02 
 inet_sock_destruct+0x6ae/0x9c0 net/ipv4/af_inet.c:159
00 
0f 
85 
6e 
05 00 
00 
 udp_destruct_sock+0x350/0x4a0 net/ipv4/udp.c:1436
48 
b8 
00 00 
00 
00 
 l2tp_tunnel_destruct+0x174/0x290 net/l2tp/l2tp_core.c:1175
00 
fc 
 __sk_destruct+0x107/0xa60 net/core/sock.c:1605
ff 
df 4d 
8b 
26 
49 
8d 
bc 
24 
d0 
00 
00 00 
48 
89 
 __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
 rcu_process_callbacks+0xed5/0x1850 kernel/rcu/tree.c:2802
fa 
48 
c1 
ea 03 
<80> 
3c 
02 00 
0f 
85 
34 
05 00 
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:292
00 
48 
8d bb 
30 
03 
00 00 
4d 8b 
a4 24 
d0 
RSP: 0018:ffff8801c8e977f8 EFLAGS: 00010202
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x1d4/0x210 kernel/softirq.c:412
RAX: dffffc0000000000 RBX: ffff8801c88df780 RCX: ffffffff8506b17c
 exiting_irq arch/x86/include/asm/apic.h:527 [inline]
 smp_apic_timer_interrupt+0x186/0x730 arch/x86/kernel/apic/apic.c:1055
RDX: 000000000000001a RSI: 0000000000000008 RDI: 00000000000000d0
RBP: ffff8801c8e97828 R08: 1ffff100391d2ee8 R09: 0000000000000000
R10: fffff5200022c3ca R11: ffffc90001161e53 R12: 0000000000000000
R13: ffff8801adc77a00 R14: ffff8801adc77a00 R15: 0000000000000000
FS:  00007ff4b3163700(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
CR2: 0000000020000080 CR3: 00000001c70e8000 CR4: 00000000001406f0
 </IRQ>
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:54
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Code: 
Call Trace:
c7 
 ip6_dst_store include/net/ip6_route.h:213 [inline]
 ip6_sk_dst_store_flow+0x566/0xa70 net/ipv6/route.c:2419
48 89 
45 
d8 e8 
7a 
5f 
0a 
fb 
 ip6_datagram_dst_update+0x7ad/0xf80 net/ipv6/datagram.c:109
48 
8b 
45 d8 
e9 
d2 fe 
ff 
 __ip6_datagram_connect+0x5fe/0x1470 net/ipv6/datagram.c:250
ff 
48 
89 
df 
e8 69 
5f 0a 
 ip6_datagram_connect+0x2f/0x50 net/ipv6/datagram.c:273
fb 
 inet_dgram_connect+0x154/0x2e0 net/ipv4/af_inet.c:571
eb 
 __sys_connect+0x37d/0x4c0 net/socket.c:1681
8a 
90 
90 
90 
90 90 
90 90 
55 
 __do_sys_connect net/socket.c:1692 [inline]
 __se_sys_connect net/socket.c:1689 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1689
48 
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
89 
e5 
fb 
f4 
<5d> 
c3 
0f 
1f 84 
00 
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
00 00 
RIP: 0033:0x446a29
00 
Code: 
00 55 
e8 
48 89 
ac b8 
e5 
02 
f4 5d 
00 48 
c3 
83 
90 90 
c4 
90 90 
18 
90 
c3 
0f 
RSP: 0018:ffff8801d9eefc38 EFLAGS: 00000282
1f 
 ORIG_RAX: ffffffffffffff13
80 
RAX: dffffc0000000000 RBX: 1ffff1003b3ddf8a RCX: ffffffff816685b2
00 
RDX: 1ffffffff0fe3618 RSI: 0000000000000004 RDI: ffffffff87f1b0c0
00 
RBP: ffff8801d9eefc38 R08: ffffed003b6246d7 R09: ffffed003b6246d6
00 
R10: ffffed003b6246d6 R11: ffff8801db1236b3 R12: 0000000000000001
00 
R13: ffff8801d9eefcf0 R14: ffffffff888a60a0 R15: 0000000000000000
48 
89 
f8 
 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline]
 default_idle+0xc7/0x450 arch/x86/kernel/process.c:500
48 
89 
f7 
48 
89 
d6 
48 
89 
 arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:491
ca 
 default_idle_call+0x6d/0x90 kernel/sched/idle.c:93
4d 
 cpuidle_idle_call kernel/sched/idle.c:153 [inline]
 do_idle+0x3aa/0x570 kernel/sched/idle.c:262
89 
c2 
4d 
89 
c8 
 cpu_startup_entry+0x10c/0x120 kernel/sched/idle.c:368
4c 
8b 
 start_secondary+0x433/0x5d0 arch/x86/kernel/smpboot.c:270
4c 
24 
 secondary_startup_64+0xa5/0xb0 arch/x86/kernel/head_64.S:242
08 

0f 05 
Allocated by task 4564:
<48> 
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
3d 01 
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
f0 
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
ff 
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
ff 0f 
 dst_alloc+0xbb/0x1d0 net/core/dst.c:105
83 
 ip6_dst_alloc+0x35/0xa0 net/ipv6/route.c:353
eb 
 ip6_rt_pcpu_alloc net/ipv6/route.c:1229 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1259 [inline]
 ip6_pol_route+0x83f/0x1250 net/ipv6/route.c:1925
08 
 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2098
fc 
 fib6_rule_lookup+0x26e/0x700 net/ipv6/fib6_rules.c:122
ff 
 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2126
c3 
 ip6_route_output include/net/ip6_route.h:88 [inline]
 ip6_dst_lookup_tail+0xe3f/0x1da0 net/ipv6/ip6_output.c:951
66 
 ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1079
2e 
 ip6_datagram_dst_update+0x75b/0xf80 net/ipv6/datagram.c:91
0f 
 __ip6_datagram_connect+0x5fe/0x1470 net/ipv6/datagram.c:250
1f 
 ip6_datagram_connect+0x2f/0x50 net/ipv6/datagram.c:273
 inet_dgram_connect+0x154/0x2e0 net/ipv4/af_inet.c:571
84 
 __sys_connect+0x37d/0x4c0 net/socket.c:1681
00 
 __do_sys_connect net/socket.c:1692 [inline]
 __se_sys_connect net/socket.c:1689 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1689
00 
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
00 
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
00 

Freed by task 0:
RSP: 002b:00007ff4b3162db8 EFLAGS: 00000297
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 ORIG_RAX: 000000000000002a
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 0000000000446a29
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
RDX: 000000000000001c RSI: 0000000020000080 RDI: 0000000000000003
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
 dst_destroy+0x267/0x3c0 net/core/dst.c:141
R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dcc2c
R13: 00007ffc9691d9bf R14: 00007ff4b31639c0 R15: 0000000000000000
 dst_destroy_rcu+0x16/0x20 net/core/dst.c:154
Modules linked in:
 __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
 rcu_process_callbacks+0xed5/0x1850 kernel/rcu/tree.c:2802
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:292
Dumping ftrace buffer:

   (ftrace buffer empty)
The buggy address belongs to the object at ffff8801adc77a00
 which belongs to the cache ip6_dst_cache of size 240
---[ end trace e3368128835efb12 ]---
The buggy address is located 64 bytes inside of
 240-byte region [ffff8801adc77a00, ffff8801adc77af0)
The buggy address belongs to the page:
page:ffffea0006b71dc0 count:1 mapcount:0 mapping:ffff8801cde87640 index:0x0
RIP: 0010:sk_setup_caps+0xc2/0x680 net/core/sock.c:1818
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea00075b2848 ffffea000742b048 ffff8801cde87640
Code: 
raw: 0000000000000000 ffff8801adc77000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
48 

Memory state around the buggy address:
 ffff8801adc77900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801adc77980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
c1 
>ffff8801adc77a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801adc77a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff8801adc77b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
ea