syzbot

==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:248 [inline]
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline]
BUG: KASAN: use-after-free in __atomic_add_unless arch/x86/include/asm/atomic.h:240 [inline]
BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:506 [inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1706 [inline]
BUG: KASAN: use-after-free in sk_dst_check+0x347/0x380 net/core/sock.c:513
Read of size 4 at addr ffff8801508cf940 by task syz-executor.5/22647

CPU: 0 PID: 22647 Comm: syz-executor.5 Not tainted 4.9.186+ #10
 ffff8801bab4f6c8 ffffffff81b5a0b1 0000000000000000 ffffea00054233c0
 ffff8801508cf940 0000000000000004 ffffffff822c2d07 ffff8801bab4f700
 ffffffff8150ab68 0000000000000000 ffff8801508cf940 ffff8801508cf940
Call Trace:
 [<00000000a8481923>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000a8481923>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<00000000e406efd1>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
 [<00000000c853f188>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<00000000c853f188>] kasan_report mm/kasan/report.c:413 [inline]
 [<00000000c853f188>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<00000000cb91697d>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:433
 [<000000003d49af4b>] __read_once_size include/linux/compiler.h:248 [inline]
 [<000000003d49af4b>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<000000003d49af4b>] __atomic_add_unless arch/x86/include/asm/atomic.h:240 [inline]
 [<000000003d49af4b>] atomic_add_unless include/linux/atomic.h:506 [inline]
 [<000000003d49af4b>] sk_dst_get include/net/sock.h:1706 [inline]
 [<000000003d49af4b>] sk_dst_check+0x347/0x380 net/core/sock.c:513
 [<00000000632da59e>] udp_sendmsg+0x10a6/0x1c60 net/ipv4/udp.c:1014
 [<00000000472dba77>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<0000000007bd0712>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<0000000007bd0712>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<000000005a6bb9e4>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 [<000000006ecdfae9>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 [<00000000f3c3b04d>] SYSC_sendmmsg net/socket.c:2104 [inline]
 [<00000000f3c3b04d>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 [<00000000710b1ed3>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<0000000000d83e65>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 22652:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:512 [inline]
 set_track mm/kasan/kasan.c:524 [inline]
 kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xd5/0x2b0 mm/slub.c:2728
 dst_alloc+0xf3/0x1b0 net/core/dst.c:210
 ipv4_blackhole_route+0x30/0x720 net/ipv4/route.c:2442
 make_blackhole net/xfrm/xfrm_policy.c:2214 [inline]
 xfrm_lookup_route net/xfrm/xfrm_policy.c:2387 [inline]
 xfrm_lookup_route+0xf4/0x140 net/xfrm/xfrm_policy.c:2378
 ip_route_output_flow+0x93/0xa0 net/ipv4/route.c:2483
 udp_sendmsg+0x1494/0x1c60 net/ipv4/udp.c:1029
 inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 sock_sendmsg_nosec net/socket.c:649 [inline]
 sock_sendmsg+0xbe/0x110 net/socket.c:659
 ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 SYSC_sendmmsg net/socket.c:2104 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 16542:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:512 [inline]
 set_track mm/kasan/kasan.c:524 [inline]
 kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 dst_destroy+0x275/0x350 net/core/dst.c:270
 dst_gc_task+0x1b2/0x520 net/core/dst.c:89
 process_one_work+0x88b/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5df/0x11d0 kernel/workqueue.c:2251
 kthread+0x278/0x310 kernel/kthread.c:211
 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:375

The buggy address belongs to the object at ffff8801508cf8c0
 which belongs to the cache ip_dst_cache of size 216
The buggy address is located 128 bytes inside of
 216-byte region [ffff8801508cf8c0, ffff8801508cf998)
The buggy address belongs to the page:
page:ffffea00054233c0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000200(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801508cf800: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
 ffff8801508cf880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801508cf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801508cf980: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801508cfa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================