==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230 at addr ffff8801aca24094
Write of size 4 by task syz-executor2/17401
CPU: 0 PID: 17401 Comm: syz-executor2 Not tainted 4.9.60-ge090755 #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb93f608 ffffffff81d91369 ffff8801da001c80 ffff8801aca24090
 ffff8801aca24098 ffffed0035944812 ffff8801aca24094 ffff8801cb93f630
 ffffffff8153c19c ffffed0035944812 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d91369>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91369>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c19c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c45c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c45c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c45c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c8bc>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153c8bc>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff8340e22a>] ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230
 [<ffffffff83421268>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff834871bd>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832e8c6c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82eceb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82eceb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecfaf8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed1fa0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838aa305>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aca24090, in cache kmalloc-8 size: 8
Allocated:
PID = 17401
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13466
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 bpf_migrate_filter net/core/filter.c:1024 [inline]
 bpf_prepare_filter+0xbad/0xd90 net/core/filter.c:1068
 __get_filter+0x1db/0x260 net/core/filter.c:1261
 sk_attach_filter+0x21/0x290 net/core/filter.c:1276
 sock_setsockopt+0xc84/0x18e0 net/core/sock.c:886
 SYSC_setsockopt net/socket.c:1767 [inline]
 SyS_setsockopt+0x216/0x250 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aca23f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff8801aca24000: 00 fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
>ffff8801aca24080: fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb fc
                         ^
 ffff8801aca24100: fc fb fc fc fb fc fc fb fc fc 04 fc fc 00 fc fc
 ffff8801aca24180: 00 fc fc 04 fc fc 04 fc fc fb fc fc fb fc fc 00
==================================================================
==================================================================
IPVS: Creating netns size=2536 id=29
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231 at addr ffff8801aca24098
Write of size 2 by task syz-executor2/17401
CPU: 0 PID: 17401 Comm: syz-executor2 Tainted: G    B           4.9.60-ge090755 #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb93f608 ffffffff81d91369 ffff8801da001c80 ffff8801aca24090
 ffff8801aca24098 ffffed0035944813 ffff8801aca24098 ffff8801cb93f630
 ffffffff8153c19c ffffed0035944813 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d91369>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91369>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c19c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c45c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c45c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c45c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c88c>] kasan_report mm/kasan/report.c:333 [inline]
 [<ffffffff8153c88c>] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333
 [<ffffffff8340e20c>] ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231
 [<ffffffff83421268>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff834871bd>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
?: renamed from tunl0
 [<ffffffff832e8c6c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82eceb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82eceb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecfaf8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed1fa0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838aa305>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aca24090, in cache kmalloc-8 size: 8
Allocated:
PID = 17401
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13466
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 bpf_migrate_filter net/core/filter.c:1024 [inline]
 bpf_prepare_filter+0xbad/0xd90 net/core/filter.c:1068
 __get_filter+0x1db/0x260 net/core/filter.c:1261
 sk_attach_filter+0x21/0x290 net/core/filter.c:1276
 sock_setsockopt+0xc84/0x18e0 net/core/sock.c:886
 SYSC_setsockopt net/socket.c:1767 [inline]
 SyS_setsockopt+0x216/0x250 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aca23f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff8801aca24000: 00 fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
>ffff8801aca24080: fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb fc
                            ^
 ffff8801aca24100: fc fb fc fc fb fc fc fb fc fc 04 fc fc fb fc fc
 ffff8801aca24180: 00 fc fc 04 fc fc 04 fc fc fb fc fc fb fc fc 00
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232 at addr ffff8801aca2409a
Write of size 2 by task syz-executor2/17401
CPU: 0 PID: 17401 Comm: syz-executor2 Tainted: G    B           4.9.60-ge090755 #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb93f608 ffffffff81d91369 ffff8801da001c80 ffff8801aca24090
 ffff8801aca24098 ffffed0035944813 ffff8801aca2409a ffff8801cb93f630
 ffffffff8153c19c ffffed0035944813 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d91369>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91369>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c19c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c45c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c45c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c45c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c88c>] kasan_report mm/kasan/report.c:333 [inline]
 [<ffffffff8153c88c>] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333
 [<ffffffff8340e220>] ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232
 [<ffffffff83421268>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff834871bd>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832e8c6c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82eceb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82eceb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecfaf8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed1fa0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838aa305>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aca24090, in cache kmalloc-8 size: 8
Allocated:
PID = 8
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 13466
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 bpf_migrate_filter net/core/filter.c:1024 [inline]
 bpf_prepare_filter+0xbad/0xd90 net/core/filter.c:1068
 __get_filter+0x1db/0x260 net/core/filter.c:1261
 sk_attach_filter+0x21/0x290 net/core/filter.c:1276
 sock_setsockopt+0xc84/0x18e0 net/core/sock.c:886
 SYSC_setsockopt net/socket.c:1767 [inline]
 SyS_setsockopt+0x216/0x250 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aca23f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff8801aca24000: 00 fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
>ffff8801aca24080: fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb fc
                            ^
 ffff8801aca24100: fc fb fc fc fb fc fc fb fc fc 04 fc fc fb fc fc
 ffff8801aca24180: 00 fc fc 04 fc fc 04 fc fc fb fc fc fb fc fc 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234 at addr ffff8801aca240a8
Write of size 8 by task syz-executor2/17401
CPU: 0 PID: 17401 Comm: syz-executor2 Tainted: G    B           4.9.60-ge090755 #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb93f608 ffffffff81d91369 ffff8801da001c80 ffff8801aca240a8
 ffff8801aca240b0 ffffed0035944815 ffff8801aca240a8 ffff8801cb93f630
 ffffffff8153c19c ffffed0035944815 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d91369>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91369>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c19c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c45c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c45c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c45c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c8ec>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153c8ec>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff8340e328>] ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234
 [<ffffffff83421268>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff834871bd>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832e8c6c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82eceb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82eceb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecfaf8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed1fa0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838aa305>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aca240a8, in cache kmalloc-8 size: 8
Allocated:
PID = 17388
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232
 memdup_user+0x2c/0xb0 mm/util.c:137
 strndup_user+0x62/0xb0 mm/util.c:168
 copy_mount_string fs/namespace.c:2746 [inline]
 SYSC_mount fs/namespace.c:3040 [inline]
 SyS_mount+0x6b/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 17388
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 SYSC_mount fs/namespace.c:3054 [inline]
 SyS_mount+0xc2/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aca23f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff8801aca24000: 00 fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
>ffff8801aca24080: fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb fc
                                  ^
 ffff8801aca24100: fc fb fc fc fb fc fc fb fc fc 04 fc fc fb fc fc
 ffff8801aca24180: 00 fc fc 04 fc fc 04 fc fc fb fc fc fb fc fc 00
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239 at addr ffff8801aca240b8
Write of size 8 by task syz-executor2/17401
CPU: 0 PID: 17401 Comm: syz-executor2 Tainted: G    B           4.9.60-ge090755 #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb93f608 ffffffff81d91369 ffff8801da001c80 ffff8801aca240a8
 ffff8801aca240b0 ffffed0035944817 ffff8801aca240b8 ffff8801cb93f630
 ffffffff8153c19c ffffed0035944817 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d91369>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91369>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c19c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c45c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c45c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c45c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c8ec>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153c8ec>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff8340e3e2>] ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239
 [<ffffffff83421268>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff834871bd>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832e8c6c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82eceb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82eceb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecfaf8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed1fa0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838aa305>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aca240a8, in cache kmalloc-8 size: 8
Allocated:
PID = 17388
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232
 memdup_user+0x2c/0xb0 mm/util.c:137
 strndup_user+0x62/0xb0 mm/util.c:168
 copy_mount_string fs/namespace.c:2746 [inline]
 SYSC_mount fs/namespace.c:3040 [inline]
 SyS_mount+0x6b/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 17388
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 SYSC_mount fs/namespace.c:3054 [inline]
 SyS_mount+0xc2/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aca23f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff8801aca24000: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
>ffff8801aca24080: fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb fc
                                        ^
 ffff8801aca24100: fc 00 fc fc fb fc fc fb fc fc fb fc fc fb fc fc
 ffff8801aca24180: 00 fc fc 04 fc fc 04 fc fc fb fc fc fb fc fc 00
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241 at addr ffff8801aca240b8
Read of size 8 by task syz-executor2/17401
CPU: 1 PID: 17401 Comm: syz-executor2 Tainted: G    B           4.9.60-ge090755 #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cb93f608 ffffffff81d91369 ffff8801da001c80 ffff8801aca240a8
 ffff8801aca240b0 ffffed0035944817 ffff8801aca240b8 ffff8801cb93f630
 ffffffff8153c19c ffffed0035944817 ffff8801da001c80 0000000000000000
Call Trace:
 [<ffffffff81d91369>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d91369>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153c19c>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153c45c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c45c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c45c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c7f9>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153c7f9>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff8340e396>] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241
 [<ffffffff83421268>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff834871bd>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832e8c6c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82eceb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82eceb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecfaf8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed1fa0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838aa305>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aca240a8, in cache kmalloc-8 size: 8
Allocated:
PID = 17388
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232
 memdup_user+0x2c/0xb0 mm/util.c:137
 strndup_user+0x62/0xb0 mm/util.c:168
 copy_mount_string fs/namespace.c:2746 [inline]
 SYSC_mount fs/namespace.c:3040 [inline]
 SyS_mount+0x6b/0x120 fs/namespace.c:3027
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 2896314632
BUG: unable to handle kernel paging request at ffffffff87108fa8
IP: [<ffffffff81e3fd95>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
PGD 441e067 [  128.468744] PUD 441f063 
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17401 Comm: syz-executor2 Tainted: G    B           4.9.60-ge090755 #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801ccc3c800 task.stack: ffff8801cb938000
RIP: 0010:[<ffffffff81e3fd95>]  [<ffffffff81e3fd95>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
RSP: 0018:ffff8801cb93f5d8  EFLAGS: 00010006
RAX: 00000000001f8801 RBX: ffff8801aca240b8 RCX: ffffc90000930000
RDX: 0000000000000000 RSI: ffff8801cb93f5e0 RDI: 0000000000003ff0
RBP: ffff8801cb93f608 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000000 R12: ffff8801aca240a8
R13: ffff8801aca240b0 R14: ffffed0035944817 R15: ffff8801aca240b8
FS:  00007fbe5fa55700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff87108fa8 CR3: 00000001c7eeb000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff8156351e 0000000000000000 ffff8801da001c80 0000000000000008
 b92ad247d3bd8261 ffff8801da001c80 ffff8801cb93f630 ffffffff8153c1e8
 ffffed0035944817 ffff8801da001c80 0000000000000000 ffff8801cb93f6b8
Call Trace:
 [<ffffffff8153c1e8>] kasan_object_err+0x68/0x70 mm/kasan/report.c:170
 [<ffffffff8153c45c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153c45c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153c45c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153c7f9>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153c7f9>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff8340e396>] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241
 [<ffffffff83421268>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff834871bd>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832e8c6c>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:753
 [<ffffffff82eceb9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82eceb9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ecfaf8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed1fa0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838aa305>] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: a4 52 ff 0f 0b e8 5c ca 6f ff eb de 66 2e 0f 1f 84 00 00 00 00 00 89 f8 c1 ef 11 55 25 ff ff 1f 00 81 e7 f0 3f 00 00 48 89 e5 5d <48> 03 3c c5 a0 4f 14 86 8b 47 0c 48 83 c7 18 c7 46 10 00 00 00 
RIP  [<ffffffff81e3fd95>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
 RSP <ffff8801cb93f5d8>
CR2: ffffffff87108fa8
---[ end trace 54dee90a5693edbb ]---