syzbot
KASAN: use-after-free Read in __ip6_append_data

Status: public: reported C repro on 2019/10/13 21:18
Reported-by: syzbot+3c8c89608d9c4c766724@syzkaller.appspotmail.com
First crash: 1656d, last: 1617d

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in __ip6_append_data.isra.0+0x284f/0x3450 net/ipv6/ip6_output.c:1331
Read of size 2 at addr ffff8801c985023a by task syz-executor343/17861

CPU: 1 PID: 17861 Comm: syz-executor343 Not tainted 4.9.202+ #0
 ffff8801c92074c8 ffffffff81b55d2b 0000000000000000 ffffea0007261400
 ffff8801c985023a 0000000000000002 ffffffff826a022f ffff8801c9207500
 ffffffff8150c321 0000000000000000 ffff8801c985023a ffff8801c985023a
Call Trace:
 [<00000000319c1862>] __dump_stack lib/dump_stack.c:15 [inline]
 [<00000000319c1862>] dump_stack+0xcb/0x130 lib/dump_stack.c:56
 [<00000000d98cee61>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
 [<000000002bf6779b>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<000000002bf6779b>] kasan_report mm/kasan/report.c:413 [inline]
 [<000000002bf6779b>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<00000000eb2acbc8>] __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:432
 [<000000003dc98037>] __ip6_append_data.isra.0+0x284f/0x3450 net/ipv6/ip6_output.c:1331
 [<00000000aab7ba23>] ip6_append_data+0x1dd/0x310 net/ipv6/ip6_output.c:1647
 [<00000000a8a7606f>] udpv6_sendmsg+0x1322/0x2430 net/ipv6/udp.c:1267
 [<0000000059b80bbd>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<0000000048aaf6e2>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<0000000048aaf6e2>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<00000000783f5cfb>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 [<00000000634ebece>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 [<000000000f6a65f4>] SYSC_sendmmsg net/socket.c:2104 [inline]
 [<000000000f6a65f4>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 [<00000000fbd08a9a>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<000000003fe04d7a>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the page:
page:ffffea0007261400 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c9850100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c9850180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c9850200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                        ^
 ffff8801c9850280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c9850300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/11/22 06:37 android-4.9 258971b8e1ac 8098ea0f .config console log report syz C ci-android-49-kasan-gce-root
2019/10/25 11:27 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 d01bb02a .config console log report ci-android-49-kasan-gce
2019/10/30 13:23 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 5ea87a66 .config console log report ci-android-49-kasan-gce-386
2019/10/13 20:17 https://android.googlesource.com/kernel/common android-4.9 8fe428403e30 2f661ec4 .config console log report ci-android-49-kasan-gce-386