syzbot

==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline]
BUG: KASAN: use-after-free in sk_dst_get include/net/sock.h:1695 [inline]
BUG: KASAN: use-after-free in pppol2tp_connect+0x1580/0x18f0 net/l2tp/l2tp_ppp.c:746
Read of size 8 at addr ffff8801ced401d8 by task syz-executor7/9507

CPU: 0 PID: 9507 Comm: syz-executor7 Not tainted 4.9.119-g9dc978d #75
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a16d7ad0 ffffffff81eb4be9 ffffea00073b5000 ffff8801ced401d8
 0000000000000000 ffff8801ced401d8 0000000000000000 ffff8801a16d7b08
 ffffffff81567f89 ffff8801ced401d8 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81eb4be9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eb4be9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81567f89>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff81568393>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff81568393>] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [<ffffffff8153bf14>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [<ffffffff836c94a0>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff836c94a0>] sk_dst_get include/net/sock.h:1695 [inline]
 [<ffffffff836c94a0>] pppol2tp_connect+0x1580/0x18f0 net/l2tp/l2tp_ppp.c:746
 [<ffffffff83019958>] SYSC_connect+0x1b8/0x300 net/socket.c:1563
 [<ffffffff8301c224>] SyS_connect+0x24/0x30 net/socket.c:1544
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff839fccd3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 8791:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xbe/0x290 mm/slub.c:2728
 sk_prot_alloc+0x69/0x290 net/core/sock.c:1332
 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394
 inet6_create+0x2d9/0xd80 net/ipv6/af_inet6.c:198
 __sock_create+0x2ef/0x5f0 net/socket.c:1183
 sock_create net/socket.c:1223 [inline]
 SYSC_socket net/socket.c:1253 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1233
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 8874:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xbe/0x310 mm/slub.c:2980
 sk_prot_free net/core/sock.c:1375 [inline]
 __sk_destruct+0x3b9/0x590 net/core/sock.c:1455
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x8ae/0x12b0 kernel/rcu/tree.c:3037
 __do_softirq+0x20b/0x937 kernel/softirq.c:284

The buggy address belongs to the object at ffff8801ced40000
 which belongs to the cache UDPv6 of size 1496
The buggy address is located 472 bytes inside of
 1496-byte region [ffff8801ced40000, ffff8801ced405d8)
The buggy address belongs to the page:
page:ffffea00073b5000 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ced40080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ced40100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801ced40180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8801ced40200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ced40280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================