==================================================================
BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
BUG: KASAN: use-after-free in dst_release+0x2a/0xb0 net/core/dst.c:186
Write of size 4 at addr ffff8801b1a15d80 by task syz-executor074/4727

CPU: 0 PID: 4727 Comm: syz-executor074 Not tainted 4.18.0-rc6+ #165
------------[ cut here ]------------
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kernel BUG at net/ipv6/route.c:1268!
Call Trace:
invalid opcode: 0000 [#1] SMP KASAN
 <IRQ>
CPU: 1 PID: 4728 Comm: syz-executor074 Not tainted 4.18.0-rc6+ #165
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:rt6_make_pcpu_route net/ipv6/route.c:1268 [inline]
RIP: 0010:ip6_pol_route+0x9e3/0x1250 net/ipv6/route.c:1925
Code: 
31 e4 
e8 
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
30 
4b 
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
02 
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
fc 
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
4c 
 atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
 dst_release+0x2a/0xb0 net/core/dst.c:186
89 
 inet_sock_destruct+0x6ae/0x9c0 net/ipv4/af_inet.c:159
e0 
f0 
4c 
0f 
b1 
33 
31 
 udp_destruct_sock+0x350/0x4a0 net/ipv4/udp.c:1436
ff 
49 
89 
c4 
48 
 l2tp_tunnel_destruct+0x174/0x290 net/l2tp/l2tp_core.c:1175
89 
c6 
 __sk_destruct+0x107/0xa60 net/core/sock.c:1605
e8 
cb 
34 
c4 
fb 
4d 
85 
e4 
0f 
84 
0d 
fa 
ff 
ff e8 
8d 
33 
 __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
 rcu_process_callbacks+0xed5/0x1850 kernel/rcu/tree.c:2802
c4 
fb 
<0f> 0b 
e8 
86 33 
c4 
fb 
e8 
31 
a2 ae 
fb 
31 
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:292
ff 
89 
c6 
88 
85 
e0 
fd 
ff 
ff 
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
 </IRQ>
RSP: 0018:ffff8801c453ece8 EFLAGS: 00010293
 do_softirq.part.18+0x155/0x1a0 kernel/softirq.c:336
RAX: ffff8801bfa82040 RBX: ffffe8ffffd5f6a0 RCX: ffffffff85b7e1e5
 do_softirq arch/x86/include/asm/preempt.h:23 [inline]
 __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:189
RDX: 0000000000000000 RSI: ffffffff85b7e1f3 RDI: 0000000000000007
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 pppol2tp_sendmsg+0x4c4/0x6c0 net/l2tp/l2tp_ppp.c:332
RBP: ffff8801c453ef18 R08: ffff8801bfa82040 R09: fffff91ffffabed4
R10: fffff91ffffabed4 R11: ffffe8ffffd5f6a7 R12: ffff8801b1a15d40
R13: 0000000000000001 R14: ffff8801c883c500 R15: 0000000000000001
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:649
FS:  00007f63c5df6700(0000) GS:ffff8801db100000(0000) knlGS:0000000000000000
 ___sys_sendmsg+0x51d/0x930 net/socket.c:2132
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f63c5df5e78 CR3: 00000001c19e2000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2098
 fib6_rule_lookup+0x26e/0x700 net/ipv6/fib6_rules.c:122
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2227
 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2126
 ip6_dst_lookup_tail+0x1278/0x1da0 net/ipv6/ip6_output.c:978
 __do_sys_sendmmsg net/socket.c:2256 [inline]
 __se_sys_sendmmsg net/socket.c:2253 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2253
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1079
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x446a29
 ip6_sk_dst_lookup_flow+0x5d2/0xac0 net/ipv6/ip6_output.c:1117
Code: 
e8 
ac 
 udpv6_sendmsg+0x2163/0x36b0 net/ipv6/udp.c:1354
b8 
02 
00 
48 
83 
c4 
18 
c3 
 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:799
0f 
1f 
80 
00 
00 
00 
00 
48 
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:649
89 
 ___sys_sendmsg+0x51d/0x930 net/socket.c:2132
f8 48 
89 
f7 
48 
89 
d6 
 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2227
48 
89 
ca 
4d 
89 
c2 
4d 
89 
 __do_sys_sendmmsg net/socket.c:2256 [inline]
 __se_sys_sendmmsg net/socket.c:2253 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2253
c8 
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
4c 
8b 
4c 24 
08 
0f 
05 
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
<48> 
RIP: 0033:0x446a29
3d 
Code: 
01 f0 
e8 
ff ff 
ac b8 
0f 
02 
83 
00 48 
eb 
83 c4 
08 
18 
fc 
c3 
ff 
0f 1f 
c3 
80 
66 
00 
2e 
00 
0f 
00 
1f 
00 
84 
48 
00 
89 
00 
f8 
00 00 
48 
89 
RSP: 002b:00007f63c5e16db8 EFLAGS: 00000297
f7 
 ORIG_RAX: 0000000000000133
48 
RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 0000000000446a29
89 
RDX: 00000000000003e8 RSI: 0000000020005fc0 RDI: 0000000000000004
d6 
RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
48 
R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dcc2c
89 
R13: 00007ffe149e51cf R14: 00007f63c5e179c0 R15: 0000000000000000
ca 

4d 
Allocated by task 4572:
89 
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
c2 
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
4d 
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
89 
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
c8 
 dst_alloc+0xbb/0x1d0 net/core/dst.c:105
4c 
 ip6_dst_alloc+0x35/0xa0 net/ipv6/route.c:353
8b 
 ip6_rt_pcpu_alloc net/ipv6/route.c:1229 [inline]
 rt6_make_pcpu_route net/ipv6/route.c:1259 [inline]
 ip6_pol_route+0x83f/0x1250 net/ipv6/route.c:1925
4c 
 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2098
24 
 fib6_rule_lookup+0x26e/0x700 net/ipv6/fib6_rules.c:122
08 
 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2126
0f 
 ip6_route_output include/net/ip6_route.h:88 [inline]
 ip6_dst_lookup_tail+0xe3f/0x1da0 net/ipv6/ip6_output.c:951
05 
 ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1079
<48> 
 ip6_datagram_dst_update+0x75b/0xf80 net/ipv6/datagram.c:91
3d 
 __ip6_datagram_connect+0x5fe/0x1470 net/ipv6/datagram.c:250
01 f0 
 ip6_datagram_connect+0x2f/0x50 net/ipv6/datagram.c:273
ff 
 inet_dgram_connect+0x154/0x2e0 net/ipv4/af_inet.c:572
ff 
 __sys_connect+0x37d/0x4c0 net/socket.c:1680
0f 
 __do_sys_connect net/socket.c:1691 [inline]
 __se_sys_connect net/socket.c:1688 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1688
83 eb 
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
08 
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
fc 

ff 
Freed by task 4727:
c3 
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
66 
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
2e 
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
0f 
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
1f 
 dst_destroy+0x267/0x3c0 net/core/dst.c:141
84 
 dst_destroy_rcu+0x16/0x20 net/core/dst.c:154
00 
 __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
 rcu_process_callbacks+0xed5/0x1850 kernel/rcu/tree.c:2802
00 
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:292
00 

00 
The buggy address belongs to the object at ffff8801b1a15d40
 which belongs to the cache ip6_dst_cache of size 240
The buggy address is located 64 bytes inside of
 240-byte region [ffff8801b1a15d40, ffff8801b1a15e30)
The buggy address belongs to the page:
RSP: 002b:00007f63c5df5db8 EFLAGS: 00000246
page:ffffea0006c68540 count:1 mapcount:0 mapping:ffff8801cde33ac0 index:0x0
 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 0000000000446a29
flags: 0x2fffc0000000100(slab)
RDX: 00000000000000b8 RSI: 0000000020001b00 RDI: 0000000000000003
raw: 02fffc0000000100 ffffea00075e3ac8 ffffea0006ed0b08 ffff8801cde33ac0
RBP: 00000000006dcc30 R08: 00007f63c5df6700 R09: 0000000000000000
raw: 0000000000000000 ffff8801b1a150c0 000000010000000c 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c
page dumped because: kasan: bad access detected
R13: 00007ffe149e51cf R14: 00007f63c5df69c0 R15: 0000000000000001

Modules linked in:
Memory state around the buggy address:
 ffff8801b1a15c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
Dumping ftrace buffer:
 ffff8801b1a15d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
   (ftrace buffer empty)
>ffff8801b1a15d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
---[ end trace 284e277c8de7cca5 ]---
                   ^
 ffff8801b1a15e00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff8801b1a15e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
RIP: 0010:rt6_make_pcpu_route net/ipv6/route.c:1268 [inline]
RIP: 0010:ip6_pol_route+0x9e3/0x1250 net/ipv6/route.c:1925
==================================================================