audit: type=1400 audit(1520959877.398:6): avc: denied { map } for pid=4229 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1520959883.820:7): avc: denied { map } for pid=4243 comm="syzkaller484805" path="/root/syzkaller484805214" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192 [inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801d0ffa018 by task syzkaller484805/4244

CPU: 1 PID: 4244 Comm: syzkaller484805 Not tainted 4.16.0-rc4+ #263
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ip6_dst_idev include/net/ip6_fib.h:192 [inline]
 ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
 l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
 l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
 pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:639
 SYSC_sendto+0x361/0x5c0 net/socket.c:1748
 SyS_sendto+0x40/0x50 net/socket.c:1716
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441659
RSP: 002b:00007ffca16de468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441659
RDX: 0000000000000000 RSI: 0000000020001180 RDI: 0000000000000004
RBP: 0000000000000003 R08: 00000000200021c0 R09: 0000000000000080
R10: 0000000000040001 R11: 0000000000000216 R12: 0000000000000000
R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 2679:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
 anon_vma_chain_alloc mm/rmap.c:128 [inline]
 anon_vma_clone+0x139/0x700 mm/rmap.c:268
 anon_vma_fork+0xe4/0x870 mm/rmap.c:331
 dup_mmap kernel/fork.c:468 [inline]
 dup_mm kernel/fork.c:1233 [inline]
 copy_mm+0xb4d/0x131f kernel/fork.c:1287
 copy_process.part.38+0x1f56/0x4b60 kernel/fork.c:1793
 copy_process kernel/fork.c:1606 [inline]
 _do_fork+0x1f7/0xf70 kernel/fork.c:2087
 SYSC_clone kernel/fork.c:2194 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2188
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 2685:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
 anon_vma_chain_free mm/rmap.c:133 [inline]
 unlink_anon_vmas+0x20d/0x9f0 mm/rmap.c:400
 free_pgtables+0xe7/0x330 mm/memory.c:627
 exit_mmap+0x291/0x500 mm/mmap.c:3039
 __mmput kernel/fork.c:960 [inline]
 mmput+0x223/0x6d0 kernel/fork.c:981
 exec_mmap fs/exec.c:1039 [inline]
 flush_old_exec+0xc8b/0x2010 fs/exec.c:1271
 load_elf_binary+0x87b/0x4c10 fs/binfmt_elf.c:864
 search_binary_handler+0x142/0x6b0 fs/exec.c:1638
 exec_binprm fs/exec.c:1680 [inline]
 do_execveat_common.isra.30+0x1754/0x23c0 fs/exec.c:1802
 do_execve fs/exec.c:1847 [inline]
 SYSC_execve fs/exec.c:1928 [inline]
 SyS_execve+0x39/0x50 fs/exec.c:1923
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801d0ffa000
 which belongs to the cache anon_vma_chain of size 64
The buggy address is located 24 bytes inside of
 64-byte region [ffff8801d0ffa000, ffff8801d0ffa040)
The buggy address belongs to the page:
page:ffffea000743fe80 count:1 mapcount:0 mapping:ffff8801d0ffa000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d0ffa000 0000000000000000 000000010000002a
raw: ffffea000741f2a0 ffffea000743f5a0 ffff8801dad33500 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d0ff9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d0ff9f80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801d0ffa000: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
                            ^
 ffff8801d0ffa080: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801d0ffa100: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================