==================================================================
BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:258 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x101/0x770 net/core/skbuff.c:563
Write of size 4 at addr ffff8881cafdd764 by task syz-executor.5/8657

CPU: 0 PID: 8657 Comm: syz-executor.5 Not tainted 4.14.134+ #22
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316

Allocated by task 8657:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'.
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2758 [inline]
 slab_alloc mm/slub.c:2766 [inline]
 __kmalloc_track_caller+0xf1/0x310 mm/slub.c:4333
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'.
 __kmalloc_reserve.isra.0+0x2d/0xc0 net/core/skbuff.c:137
 __alloc_skb+0x118/0x5c0 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 sock_wmalloc+0xb6/0x110 net/core/sock.c:1925
 packet_sendmsg_spkt+0x3bb/0x1210 net/packet/af_packet.c:1962
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 ___sys_sendmsg+0x752/0x890 net/socket.c:2062
 __sys_sendmsg+0xb6/0x150 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 0xffffffffffffffff

Freed by task 8657:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1403 [inline]
 slab_free_freelist_hook mm/slub.c:1430 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xfa/0x320 mm/slub.c:3942
 skb_free_head+0x83/0xa0 net/core/skbuff.c:554
 skb_release_data+0x4e5/0x770 net/core/skbuff.c:574
 skb_release_all+0x46/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0xdc/0x360 net/core/skbuff.c:705
 packet_rcv+0xdf/0x1290 net/packet/af_packet.c:2178
 dev_queue_xmit_nit+0x6e1/0x970 net/core/dev.c:1975
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881cafdd680
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 228 bytes inside of
 512-byte region [ffff8881cafdd680, ffff8881cafdd880)
The buggy address belongs to the page:
page:ffffea00072bf700 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea00068a1a80 0000000800000008 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881cafdd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881cafdd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cafdd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8881cafdd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881cafdd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================