==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_unless include/linux/atomic-fallback.h:1086 [inline]
BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic-fallback.h:1111 [inline]
BUG: KASAN: use-after-free in atomic_inc_not_zero include/linux/atomic-fallback.h:1127 [inline]
BUG: KASAN: use-after-free in dst_hold_safe include/net/dst.h:297 [inline]
BUG: KASAN: use-after-free in ip6_hold_safe+0xad/0x380 net/ipv6/route.c:1166
Read of size 4 at addr ffff88809ee6acb8 by task syz-executor.5/9132

CPU: 0 PID: 9132 Comm: syz-executor.5 Not tainted 5.2.0-rc3+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 mm/kasan/common.c:94
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 atomic_fetch_add_unless include/linux/atomic-fallback.h:1086 [inline]
 atomic_add_unless include/linux/atomic-fallback.h:1111 [inline]
 atomic_inc_not_zero include/linux/atomic-fallback.h:1127 [inline]
 dst_hold_safe include/net/dst.h:297 [inline]
 ip6_hold_safe+0xad/0x380 net/ipv6/route.c:1166
 rt6_get_pcpu_route net/ipv6/route.c:1395 [inline]
 ip6_pol_route+0x2e9/0xe40 net/ipv6/route.c:2251
 ip6_pol_route_input+0x65/0x80 net/ipv6/route.c:2270
 fib6_rule_lookup+0x133/0x5a0 net/ipv6/fib6_rules.c:116
 ip6_route_input_lookup+0xb7/0xd0 net/ipv6/route.c:2282
 ip6_route_input+0x5e2/0x9e0 net/ipv6/route.c:2417
 ip6_rcv_finish_core.isra.0+0x174/0x590 net/ipv6/ip6_input.c:63
 ip6_rcv_finish+0x17a/0x310 net/ipv6/ip6_input.c:74
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:4981
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5095
 netif_receive_skb_internal+0x108/0x390 net/core/dev.c:5185
 napi_frags_finish net/core/dev.c:5736 [inline]
 napi_gro_frags+0xad9/0xd10 net/core/dev.c:5810
 tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1982
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2028
 call_write_iter include/linux/fs.h:1872 [inline]
 do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
 do_iter_write fs/read_write.c:970 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:951
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
 do_writev+0x15b/0x330 fs/read_write.c:1058
 __do_sys_writev fs/read_write.c:1131 [inline]
 __se_sys_writev fs/read_write.c:1128 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1128
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459181
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 b9 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f13b2fceba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000066 RCX: 0000000000459181
RDX: 0000000000000001 RSI: 00007f13b2fcec00 RDI: 00000000000000f0
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f13b2fcf9d0 R11: 0000000000000293 R12: 00007f13b2fcf6d4
R13: 00000000004c8003 R14: 00000000004de780 R15: 00000000ffffffff

Allocated by task 8611:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 kmem_cache_alloc_node_trace+0x153/0x720 mm/slab.c:3599
 kmalloc_node include/linux/slab.h:585 [inline]
 kzalloc_node include/linux/slab.h:753 [inline]
 __get_vm_area_node+0x12b/0x3a0 mm/vmalloc.c:1999
 __vmalloc_node_range+0xd4/0x790 mm/vmalloc.c:2438
 __vmalloc_node mm/vmalloc.c:2498 [inline]
 __vmalloc_node_flags mm/vmalloc.c:2512 [inline]
 vmalloc+0x6b/0x90 mm/vmalloc.c:2537
 netlink_alloc_large_skb net/netlink/af_netlink.c:1179 [inline]
 netlink_sendmsg+0x640/0xd70 net/netlink/af_netlink.c:1892
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:665
 kernel_sendmsg+0x44/0x50 net/socket.c:685
 sock_no_sendpage+0x116/0x150 net/core/sock.c:2715
 kernel_sendpage+0x92/0xf0 net/socket.c:3642
 sock_sendpage+0x8b/0xc0 net/socket.c:940
 pipe_to_sendpage+0x296/0x360 fs/splice.c:449
 splice_from_pipe_feed fs/splice.c:500 [inline]
 __splice_from_pipe+0x38c/0x7d0 fs/splice.c:624
 splice_from_pipe+0x108/0x170 fs/splice.c:659
 generic_splice_sendpage+0x3c/0x50 fs/splice.c:829
 do_splice_from fs/splice.c:848 [inline]
 do_splice+0x708/0x1410 fs/splice.c:1155
 __do_sys_splice fs/splice.c:1425 [inline]
 __se_sys_splice fs/splice.c:1405 [inline]
 __x64_sys_splice+0x2c6/0x330 fs/splice.c:1405
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8611:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 __vunmap+0x704/0x9c0 mm/vmalloc.c:2215
 __vfree+0x41/0xd0 mm/vmalloc.c:2256
 vfree+0x5f/0x90 mm/vmalloc.c:2286
 netlink_skb_destructor+0xc8/0x210 net/netlink/af_netlink.c:366
 skb_release_head_state+0xeb/0x260 net/core/skbuff.c:650
 skb_release_all+0x16/0x60 net/core/skbuff.c:661
 __kfree_skb net/core/skbuff.c:677 [inline]
 consume_skb net/core/skbuff.c:737 [inline]
 consume_skb+0xe2/0x380 net/core/skbuff.c:731
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x539/0x710 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:665
 kernel_sendmsg+0x44/0x50 net/socket.c:685
 sock_no_sendpage+0x116/0x150 net/core/sock.c:2715
 kernel_sendpage+0x92/0xf0 net/socket.c:3642
 sock_sendpage+0x8b/0xc0 net/socket.c:940
 pipe_to_sendpage+0x296/0x360 fs/splice.c:449
 splice_from_pipe_feed fs/splice.c:500 [inline]
 __splice_from_pipe+0x38c/0x7d0 fs/splice.c:624
 splice_from_pipe+0x108/0x170 fs/splice.c:659
 generic_splice_sendpage+0x3c/0x50 fs/splice.c:829
 do_splice_from fs/splice.c:848 [inline]
 do_splice+0x708/0x1410 fs/splice.c:1155
 __do_sys_splice fs/splice.c:1425 [inline]
 __se_sys_splice fs/splice.c:1405 [inline]
 __x64_sys_splice+0x2c6/0x330 fs/splice.c:1405
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809ee6ac80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 56 bytes inside of
 64-byte region [ffff88809ee6ac80, ffff88809ee6acc0)
The buggy address belongs to the page:
page:ffffea00027b9a80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0001865288 ffffea0001616d08 ffff8880aa400340
raw: 0000000000000000 ffff88809ee6a000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809ee6ab80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88809ee6ac00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff88809ee6ac80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                        ^
 ffff88809ee6ad00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88809ee6ad80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================