input: syz1 as /devices/virtual/input/input101
==================================================================
BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:247 [inline]
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:632 [inline]
BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:340 [inline]
BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691
Write of size 8 at addr ffff8800a6163ee8 by task syz-executor.1/2116

CPU: 0 PID: 2116 Comm: syz-executor.1 Not tainted 4.4.174+ #17
 0000000000000000 1c65a3ad5f3bebef ffff8801db607a10 ffffffff81aad1a1
 0000000000000001 ffffea00029858c0 ffff8800a6163ee8 0000000000000008
 ffffffff82361100 ffff8801db607a48 ffffffff81490120 0000000000000001
Call Trace:
 <IRQ>  [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81490120>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [<ffffffff81490358>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81490358>] kasan_report mm/kasan/report.c:408 [inline]
 [<ffffffff81490358>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [<ffffffff81484f77>] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434
 [<ffffffff823612ca>] __write_once_size include/linux/compiler.h:247 [inline]
 [<ffffffff823612ca>] __hlist_del include/linux/list.h:632 [inline]
 [<ffffffff823612ca>] hlist_del_rcu include/linux/rculist.h:340 [inline]
 [<ffffffff823612ca>] nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691
 [<ffffffff8232d7b0>] __nf_ct_ext_destroy+0x140/0x2a0 net/netfilter/nf_conntrack_extend.c:40
 [<ffffffff8230e217>] nf_ct_ext_destroy include/net/netfilter/nf_conntrack_extend.h:80 [inline]
 [<ffffffff8230e217>] nf_conntrack_free+0x77/0x120 net/netfilter/nf_conntrack_core.c:904
 [<ffffffff823116f0>] destroy_conntrack+0x270/0x380 net/netfilter/nf_conntrack_core.c:365
 [<ffffffff822f6cd9>] nf_conntrack_destroy+0x99/0x1a0 net/netfilter/core.c:389
 [<ffffffff821eff3a>] nf_conntrack_put include/linux/skbuff.h:3377 [inline]
 [<ffffffff821eff3a>] skb_release_head_state+0x15a/0x210 net/core/skbuff.c:649
 [<ffffffff821fd0e6>] skb_release_all+0x16/0x60 net/core/skbuff.c:659
 [<ffffffff821fd257>] __kfree_skb net/core/skbuff.c:675 [inline]
 [<ffffffff821fd257>] kfree_skb+0xf7/0x400 net/core/skbuff.c:696
 [<ffffffff823b8e9a>] inet_frag_rbtree_purge+0xaa/0xf0 net/ipv4/ip_fragment.c:761
 [<ffffffff824e152f>] inet_frag_destroy+0x21f/0x2c0 net/ipv4/inet_fragment.c:156
 [<ffffffff823b8f14>] inet_frag_put include/net/inet_frag.h:124 [inline]
 [<ffffffff823b8f14>] ipq_put+0x34/0x40 net/ipv4/ip_fragment.c:164
 [<ffffffff823b954d>] ip_expire+0x14d/0x880 net/ipv4/ip_fragment.c:265
 [<ffffffff812582dd>] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185
 [<ffffffff81258ebf>] __run_timers kernel/time/timer.c:1261 [inline]
 [<ffffffff81258ebf>] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444
 [<ffffffff8271bb16>] __do_softirq+0x226/0xa3f kernel/softirq.c:273
 [<ffffffff810e1a8a>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff810e1a8a>] irq_exit+0x10a/0x150 kernel/softirq.c:391
 [<ffffffff8271b24e>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
 [<ffffffff8271b24e>] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926
 [<ffffffff8271a59d>] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768
 <EOI>  [<ffffffff810a3ceb>] ? rdtsc arch/x86/include/asm/msr.h:124 [inline]
 <EOI>  [<ffffffff810a3ceb>] ? rdtsc_ordered arch/x86/include/asm/msr.h:151 [inline]
 <EOI>  [<ffffffff810a3ceb>] ? pvclock_get_nsec_offset arch/x86/include/asm/pvclock.h:74 [inline]
 <EOI>  [<ffffffff810a3ceb>] ? __pvclock_read_cycles arch/x86/include/asm/pvclock.h:91 [inline]
 <EOI>  [<ffffffff810a3ceb>] ? pvclock_clocksource_read+0xcb/0x490 arch/x86/kernel/pvclock.c:84
 [<ffffffff810a19b3>] kvm_clock_read+0x23/0x40 arch/x86/kernel/kvmclock.c:91
 [<ffffffff810a19d9>] kvm_clock_get_cycles+0x9/0x10 arch/x86/kernel/kvmclock.c:98
 [<ffffffff8127239b>] tk_clock_read kernel/time/timekeeping.c:140 [inline]
 [<ffffffff8127239b>] timekeeping_get_delta kernel/time/timekeeping.c:234 [inline]
 [<ffffffff8127239b>] timekeeping_get_ns kernel/time/timekeeping.c:340 [inline]
 [<ffffffff8127239b>] ktime_get_ts64+0x10b/0x2c0 kernel/time/timekeeping.c:869
 [<ffffffff81265e76>] ktime_get_ts include/linux/timekeeping.h:66 [inline]
 [<ffffffff81265e76>] posix_ktime_get_ts+0x16/0x20 kernel/time/posix-timers.c:230
 [<ffffffff81269e06>] SYSC_clock_gettime kernel/time/posix-timers.c:1050 [inline]
 [<ffffffff81269e06>] SyS_clock_gettime+0x106/0x1e0 kernel/time/posix-timers.c:1040
 [<ffffffff812b5270>] C_SYSC_clock_gettime kernel/compat.c:766 [inline]
 [<ffffffff812b5270>] compat_SyS_clock_gettime+0x110/0x1f0 kernel/compat.c:757
 [<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a

The buggy address belongs to the page:
page:ffffea00029858c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800a6163d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800a6163e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8800a6163e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff8800a6163f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800a6163f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================