==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230 at addr ffff8801d89b6a9c
Write of size 4 by task syz-executor6/28050
CPU: 1 PID: 28050 Comm: syz-executor6 Not tainted 4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a6b07608 ffffffff81d94429 ffff8801da001c80 ffff8801d89b6a98
 ffff8801d89b6aa0 ffffed003b136d53 ffff8801d89b6a9c ffff8801a6b07630
 ffffffff8153e3ac ffffed003b136d53 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153eacc>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153eacc>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff834132ea>] ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89b6a98, in cache kmalloc-8 size: 8
Allocated:
PID = 28050
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 25593
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 SYSC_request_key security/keys/keyctl.c:235 [inline]
 SyS_request_key+0x22f/0x2d0 security/keys/keyctl.c:158
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d89b6980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6a00: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
>ffff8801d89b6a80: fb fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb
                            ^
 ffff8801d89b6b00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6b80: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231 at addr ffff8801d89b6aa0
Write of size 2 by task syz-executor6/28050
CPU: 1 PID: 28050 Comm: syz-executor6 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a6b07608 ffffffff81d94429 ffff8801da001c80 ffff8801d89b6a98
 ffff8801d89b6aa0 ffffed003b136d54 ffff8801d89b6aa0 ffff8801a6b07630
 ffffffff8153e3ac ffffed003b136d54 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea9c>] kasan_report mm/kasan/report.c:333 [inline]
 [<ffffffff8153ea9c>] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333
 [<ffffffff834132cc>] ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89b6a98, in cache kmalloc-8 size: 8
Allocated:
PID = 28050
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 25593
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 SYSC_request_key security/keys/keyctl.c:235 [inline]
 SyS_request_key+0x22f/0x2d0 security/keys/keyctl.c:158
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d89b6980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6a00: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
>ffff8801d89b6a80: fb fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb
                               ^
 ffff8801d89b6b00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6b80: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232 at addr ffff8801d89b6aa2
Write of size 2 by task syz-executor6/28050
CPU: 1 PID: 28050 Comm: syz-executor6 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a6b07608 ffffffff81d94429 ffff8801da001c80 ffff8801d89b6a98
 ffff8801d89b6aa0 ffffed003b136d54 ffff8801d89b6aa2 ffff8801a6b07630
 ffffffff8153e3ac ffffed003b136d54 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea9c>] kasan_report mm/kasan/report.c:333 [inline]
 [<ffffffff8153ea9c>] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333
 [<ffffffff834132e0>] ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89b6a98, in cache kmalloc-8 size: 8
Allocated:
PID = 8
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 25593
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 SYSC_request_key security/keys/keyctl.c:235 [inline]
 SyS_request_key+0x22f/0x2d0 security/keys/keyctl.c:158
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d89b6980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6a00: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
>ffff8801d89b6a80: fb fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb
                               ^
 ffff8801d89b6b00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6b80: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234 at addr ffff8801d89b6ab0
Write of size 8 by task syz-executor6/28050
CPU: 0 PID: 28050 Comm: syz-executor6 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a6b07608 ffffffff81d94429 ffff8801da001c80 ffff8801d89b6ab0
 ffff8801d89b6ab8 ffffed003b136d56 ffff8801d89b6ab0 ffff8801a6b07630
 ffffffff8153e3ac ffffed003b136d56 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153eafc>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153eafc>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff834133e8>] ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89b6ab0, in cache kmalloc-8 size: 8
Allocated:
PID = 25860
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 SYSC_signalfd4 fs/signalfd.c:275 [inline]
 SyS_signalfd4 fs/signalfd.c:255 [inline]
 SYSC_signalfd fs/signalfd.c:312 [inline]
 SyS_signalfd+0x1ea/0x430 fs/signalfd.c:309
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 25867
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 signalfd_release+0x37/0x50 fs/signalfd.c:56
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d89b6980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6a00: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
>ffff8801d89b6a80: fb fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb
                                     ^
 ffff8801d89b6b00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6b80: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239 at addr ffff8801d89b6ac0
Write of size 8 by task syz-executor6/28050
CPU: 0 PID: 28050 Comm: syz-executor6 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a6b07608 ffffffff81d94429 ffff8801da001c80 ffff8801d89b6ab0
 ffff8801d89b6ab8 ffffed003b136d58 ffff8801d89b6ac0 ffff8801a6b07630
 ffffffff8153e3ac ffffed003b136d58 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153eafc>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153eafc>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff834134a2>] ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89b6ab0, in cache kmalloc-8 size: 8
Allocated:
PID = 25860
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 SYSC_signalfd4 fs/signalfd.c:275 [inline]
 SyS_signalfd4 fs/signalfd.c:255 [inline]
 SYSC_signalfd fs/signalfd.c:312 [inline]
 SyS_signalfd+0x1ea/0x430 fs/signalfd.c:309
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 25867
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 signalfd_release+0x37/0x50 fs/signalfd.c:56
 __fput+0x28c/0x6e0 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x115/0x190 kernel/task_work.c:116
 exit_task_work include/linux/task_work.h:21 [inline]
 do_exit+0x7e7/0x2a40 kernel/exit.c:833
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x4d4/0x14e0 kernel/signal.c:2315
 do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d89b6980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6a00: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
>ffff8801d89b6a80: fb fc fc 01 fc fc fb fc fc fb fc fc fb fc fc fb
                                           ^
 ffff8801d89b6b00: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
 ffff8801d89b6b80: fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc
==================================================================
==================================================================
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241 at addr ffff8801d89b6ac0
Read of size 8 by task syz-executor6/28050
CPU: 0 PID: 28050 Comm: syz-executor6 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a6b07608 ffffffff81d94429 ffff8801da001c80 ffff8801d89b6ab0
 ffff8801d89b6ab8 ffffed003b136d58 ffff8801d89b6ac0 ffff8801a6b07630
 ffffffff8153e3ac ffffed003b136d58 ffff8801da001c80 0000000000000000
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea09>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153ea09>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff83413456>] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89b6ab0, in cache kmalloc-8 size: 8
Allocated:
PID = 25860
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 SYSC_signalfd4 fs/signalfd.c:275 [inline]
 SyS_signalfd4 fs/signalfd.c:255 [inline]
 SYSC_signalfd fs/signalfd.c:312 [inline]
 SyS_signalfd+0x1ea/0x430 fs/signalfd.c:309
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3452639128
BUG: unable to handle kernel paging request at ffffffff87109fa8
IP: [<ffffffff81e43025>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
PGD 441e067 [  149.773861] PUD 441f063 
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 28050 Comm: syz-executor6 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cb9e6000 task.stack: ffff8801a6b00000
RIP: 0010:[<ffffffff81e43025>]  [<ffffffff81e43025>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
RSP: 0018:ffff8801a6b075d8  EFLAGS: 00010006
RAX: 00000000001f8801 RBX: ffff8801d89b6ac0 RCX: ffffc9000340d000
RDX: 0000000000000000 RSI: ffff8801a6b075e0 RDI: 0000000000003ff0
RBP: ffff8801a6b07608 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000000 R12: ffff8801d89b6ab0
R13: ffff8801d89b6ab8 R14: ffffed003b136d58 R15: ffff8801d89b6ac0
FS:  00007fcb68a67700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff87109fa8 CR3: 00000001d19d8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff8156572e 0000000000000000 ffff8801da001c80 0000000000000008
 4a672058d3dd873e ffff8801da001c80 ffff8801a6b07630 ffffffff8153e3f8
 ffffed003b136d58 ffff8801da001c80 0000000000000000 ffff8801a6b076b8
Call Trace:
 [<ffffffff8153e3f8>] kasan_object_err+0x68/0x70 mm/kasan/report.c:170
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea09>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153ea09>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff83413456>] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: 92 52 ff 0f 0b e8 dc b9 6f ff eb de 66 2e 0f 1f 84 00 00 00 00 00 89 f8 c1 ef 11 55 25 ff ff 1f 00 81 e7 f0 3f 00 00 48 89 e5 5d <48> 03 3c c5 a0 5f 14 86 8b 47 0c 48 83 c7 18 c7 46 10 00 00 00 
RIP  [<ffffffff81e43025>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
 RSP <ffff8801a6b075d8>
CR2: ffffffff87109fa8
---[ end trace 9faf99a8c5b4e833 ]---