------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 22 at lib/refcount.c:28 refcount_warn_saturate+0x140/0x1f0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 22 Comm: ksoftirqd/1 Not tainted 6.5.0-rc7-next-20230821-syzkaller-11453-g47d9bb711707 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:refcount_warn_saturate+0x140/0x1f0 lib/refcount.c:28
Code: 0a 31 ff 89 de e8 c0 fd 63 fd 84 db 0f 85 6e ff ff ff e8 83 02 64 fd 48 c7 c7 a0 a3 e8 8a c6 05 70 1c 94 0a 01 e8 10 1f 2a fd <0f> 0b e9 4f ff ff ff e8 64 02 64 fd 0f b6 1d 56 1c 94 0a 31 ff 89
RSP: 0018:ffffc900001c7c40 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: ffff888017a73b80 RSI: ffffffff814df276 RDI: 0000000000000001
RBP: ffff88802864bfc4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88802864bfc4 R14: ffff888068f34038 R15: 0000000000000002
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ebf877108 CR3: 000000001be5f000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 ip_dst_metrics_put include/net/ip.h:526 [inline]
 ip6_dst_destroy+0x3a0/0x450 net/ipv6/route.c:361
 dst_destroy+0x10d/0x820 net/core/dst.c:116
 rcu_do_batch kernel/rcu/tree.c:2140 [inline]
 rcu_core+0x826/0x1c50 kernel/rcu/tree.c:2404
 __do_softirq+0x218/0x965 kernel/softirq.c:553
 run_ksoftirqd kernel/softirq.c:921 [inline]
 run_ksoftirqd+0x31/0x60 kernel/softirq.c:913
 smpboot_thread_fn+0x67d/0xa00 kernel/smpboot.c:164
 kthread+0x33a/0x430 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304