==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
Read of size 8 at addr ffff8800b310ca18 by task syz-executor4/6083

CPU: 0 PID: 6083 Comm: syz-executor4 Not tainted 4.4.153-g5e24b4e #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 6a756784fd2fb4b9 ffff8801bdb4f548 ffffffff81e162ed
 ffffea0002cc4300 ffff8800b310ca18 0000000000000000 ffff8800b310ca18
 0000000000001000 ffff8801bdb4f580 ffffffff8151b4d9 ffff8800b310ca18
Call Trace:
 [<ffffffff81e162ed>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e162ed>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8151b4d9>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
binder_alloc: binder_alloc_mmap_handler: 6085 20000000-20002000 already mapped failed -16
 [<ffffffff8151b7f8>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8151b7f8>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814fe784>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff834361fc>] ip6_dst_idev include/net/ip6_fib.h:141 [inline]
 [<ffffffff834361fc>] ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
 [<ffffffff834f63c5>] inet6_csk_xmit+0x245/0x490 net/ipv6/inet6_connection_sock.c:176
 [<ffffffff835a5a0c>] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [<ffffffff835a5a0c>] l2tp_xmit_skb+0xb9c/0xe80 net/l2tp/l2tp_core.c:1179
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
SELinux: failure in selinux_parse_skb(), unable to parse packet
device veth0_to_bond entered promiscuous mode
 [<ffffffff835b1f60>] pppol2tp_sendmsg+0x4e0/0x7d0 net/l2tp/l2tp_ppp.c:355
 [<ffffffff82f2757c>] sock_sendmsg_nosec net/socket.c:638 [inline]
 [<ffffffff82f2757c>] sock_sendmsg+0xcc/0x110 net/socket.c:648
 [<ffffffff82f28d41>] ___sys_sendmsg+0x441/0x880 net/socket.c:1975
 [<ffffffff82f2b3d4>] __sys_sendmmsg+0x1d4/0x2e0 net/socket.c:2053
 [<ffffffff83014e22>] C_SYSC_sendmmsg net/compat.c:728 [inline]
 [<ffffffff83014e22>] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:725
 [<ffffffff81006d94>] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline]
 [<ffffffff81006d94>] do_fast_syscall_32+0x324/0x8b0 arch/x86/entry/common.c:460
 [<ffffffff838ce1c3>] sysenter_flags_fixed+0xd/0x1a

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8800b310ca00
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 24 bytes inside of
 208-byte region [ffff8800b310ca00, ffff8800b310cad0)
The buggy address belongs to the page:
BUG: unable to handle kernel paging request at ffffff70858b4977
IP: [<ffffffff81c70b1c>] task_has_perm+0xdc/0x330 security/selinux/hooks.c:1522
PGD 4c0e067 PUD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3830 Comm: syz-executor0 Not tainted 4.4.153-g5e24b4e #26
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cb77b000 task.stack: ffff8801c57c0000
RIP: 0010:[<ffffffff81c70b1c>]  [<ffffffff81c70b1c>] task_has_perm+0xdc/0x330 security/selinux/hooks.c:1522
RSP: 0018:ffff8801c57c7978  EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 1fffffee10b1692e RSI: ffffffff81c70af2 RDI: ffffff70858b4977
RBP: ffff8801c57c7998 R08: ffff8801cb77b928 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8801cb77b000 R12: ffffff70858b48ff
R13: ffff8801cb77b000 R14: ffff8801c57c7c5c R15: ffff8801c57c7c58
FS:  0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:0000000009467900
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: ffffff70858b4977 CR3: 00000001c5d49000 CR4: 00000000001606f0
Stack:
 ffffffff81c70a40 ffffffff8148fd47 dffffc0000000000 ffffffff8148fd47
 ffff8801c57c79b0 ffffffff81c70d93 ffffffff84605e80 ffff8801c57c79e0
 ffffffff81c55f83 ffff8801c57c79e0 0000000040000005 0000000048dffffc
Call Trace:
 [<ffffffff81c70d93>] selinux_task_wait+0x23/0x30 security/selinux/hooks.c:3763
 [<ffffffff81c55f83>] security_task_wait+0x73/0xb0 security/security.c:986
 [<ffffffff8113a2a8>] wait_consider_task+0x298/0x35f0 kernel/exit.c:1326
 [<ffffffff8113d964>] do_wait_thread kernel/exit.c:1439 [inline]
 [<ffffffff8113d964>] do_wait+0x364/0xa30 kernel/exit.c:1510
 [<ffffffff8113e8db>] SYSC_wait4 kernel/exit.c:1641 [inline]
 [<ffffffff8113e8db>] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606
 [<ffffffff812f9247>] C_SYSC_wait4+0x237/0x280 kernel/compat.c:543
 [<ffffffff812f95fc>] compat_SyS_wait4+0x2c/0x40 kernel/compat.c:536
 [<ffffffff811183a5>] sys32_waitpid+0x25/0x30 arch/x86/ia32/sys_ia32.c:172
 [<ffffffff81006d94>] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline]
 [<ffffffff81006d94>] do_fast_syscall_32+0x324/0x8b0 arch/x86/entry/common.c:460
 [<ffffffff838ce1c3>] sysenter_flags_fixed+0xd/0x1a
Code: ff 49 8d 7c 24 78 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 42 02 00 00 48 b8 00 00 00 00 00 fc ff df <4d> 8b 64 24 78 49 8d 7c 24 04 48 89 fa 48 c1 ea 03 0f b6 14 02 
RIP  [<ffffffff81c70b1c>] task_has_perm+0xdc/0x330 security/selinux/hooks.c:1522
 RSP <ffff8801c57c7978>
CR2: ffffff70858b4977
---[ end trace 524fd94a8dd7fadb ]---