==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
Read of size 8 at addr ffff8800aeecadd8 by task syz-executor7/5983

CPU: 0 PID: 5983 Comm: syz-executor7 Not tainted 4.4.153-g5e24b4e #90
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 2b57909e4fdb930f ffff8801bcd3f5c8 ffffffff81e162ed
 ffffea0002bbb280 ffff8800aeecadd8 0000000000000000 ffff8800aeecadd8
 0000000000001200 ffff8801bcd3f600 ffffffff8151b4d9 ffff8800aeecadd8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] ip6_dst_idev include/net/ip6_fib.h:141 [inline]
 [] ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
 [] inet6_csk_xmit+0x245/0x490 net/ipv6/inet6_connection_sock.c:176
 [] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [] l2tp_xmit_skb+0xb9c/0xe80 net/l2tp/l2tp_core.c:1179
 [] pppol2tp_sendmsg+0x4e0/0x7d0 net/l2tp/l2tp_ppp.c:355
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xcc/0x110 net/socket.c:648
 [] ___sys_sendmsg+0x441/0x880 net/socket.c:1975
 [] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2060
 [] SYSC_sendmmsg net/socket.c:2090 [inline]
 [] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
 [] entry_SYSCALL_64_fastpath+0x22/0x9e

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8800aeecadc0
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 24 bytes inside of
 208-byte region [ffff8800aeecadc0, ffff8800aeecae90)
The buggy address belongs to the page:

BUG: unable to handle kernel paging request at ffffff70858b4977
IP: [] task_has_perm+0xdc/0x330 security/selinux/hooks.c:1522
PGD 4c0e067 PUD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3901 Comm: syz-executor7 Not tainted 4.4.153-g5e24b4e #90
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800ac406000 task.stack: ffff8801be138000
RIP: 0010:[] [] task_has_perm+0xdc/0x330 security/selinux/hooks.c:1522
RSP: 0018:ffff8801be13fbc0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 1fffffee10b1692e RSI: ffffffff81c70af2 RDI: ffffff70858b4977
RBP: ffff8801be13fbe0 R08: ffff8800ac406928 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8800ac406000 R12: ffffff70858b48ff
R13: ffff8800ac406000 R14: ffff8801be13fea4 R15: ffff8801be13fea0
FS: 0000000001069940(0063) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffff70858b4977 CR3: 00000001be056000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff81c70a40 ffffffff8148fd47 dffffc0000000000 ffffffff8148fd47
 ffff8801be13fbf8 ffffffff81c70d93 ffffffff84605e80 ffff8801be13fc28
 ffffffff81c55f83 ffff8801be13fc28 0000000040000005 0000000048dffffc
Call Trace:
 [] selinux_task_wait+0x23/0x30 security/selinux/hooks.c:3763
 [] security_task_wait+0x73/0xb0 security/security.c:986
 [] wait_consider_task+0x298/0x35f0 kernel/exit.c:1326
 [] do_wait_thread kernel/exit.c:1439 [inline]
 [] do_wait+0x364/0xa30 kernel/exit.c:1510
 [] SYSC_wait4 kernel/exit.c:1641 [inline]
 [] SyS_wait4+0x12b/0x1f0 kernel/exit.c:1606
 [] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: ff 49 8d 7c 24 78 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 42 02 00 00 48 b8 00 00 00 00 00 fc ff df <4d> 8b 64 24 78 49 8d 7c 24 04 48 89 fa 48 c1 ea 03 0f b6 14 02
RIP [] task_has_perm+0xdc/0x330 security/selinux/hooks.c:1522
 RSP
CR2: ffffff70858b4977
---[ end trace e5f0de0f6a315659 ]---
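Added triage example (not part of the report and not syzkaller code): it parses the numeric fields of the two reports above and recomputes the arithmetic a reviewer checks by hand. For the KASAN report it confirms that "24 bytes inside" is addr minus object base, that the region is [object, object + 208), and that the whole 8-byte read lies inside the ip_dst_cache object KASAN attributed it to. For the oops it confirms that CR2 equals RDI, that RDI is R12 + 0x78 (the displacement of the faulting load at the marked byte in Code:, "<4d> 8b 64 24 78", which is mov 0x78(%r12),%r12), that R12 is an odd value and so cannot be a pointer to an 8-byte-aligned kernel struct, and that RAX and RDX hold the KASAN shadow offset and addr >> 3 left behind by the inlined shadow check ("48 89 fa 48 c1 ea 03 80 3c 02 00") that ran immediately before the real load and did not trip. The shadow-layout constants are the x86-64 v4.4 values and an assumption of this example; the function and field names are the example's own.

```python
# Added triage example for the two reports above; not part of the report or of
# syzkaller. Field and check names are this example's own.
import re

HEX = r"([0-9a-f]+)"

# Lines copied verbatim from the two reports above; only the fields the checks need.
KASAN_REPORT = """\
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
Read of size 8 at addr ffff8800aeecadd8 by task syz-executor7/5983
The buggy address belongs to the object at ffff8800aeecadc0
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 24 bytes inside of
 208-byte region [ffff8800aeecadc0, ffff8800aeecae90)
"""
OOPS_REPORT = """\
BUG: unable to handle kernel paging request at ffffff70858b4977
IP: [] task_has_perm+0xdc/0x330 security/selinux/hooks.c:1522
RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 1fffffee10b1692e RSI: ffffffff81c70af2 RDI: ffffff70858b4977
RBP: ffff8801be13fbe0 R08: ffff8800ac406928 R09: 0000000000000000
R10: 0000000000000001 R11: ffff8800ac406000 R12: ffffff70858b48ff
CR0: 0000000080050033 CR2: ffffff70858b4977 CR3: 00000001be056000
"""

# x86-64 KASAN shadow layout (v4.4, assumed): shadow = (addr >> 3) + offset. The
# offset is the constant the compiler put in RAX ("48 b8 00 00 00 00 00 fc ff df").
KASAN_SHADOW_OFFSET = 0xdffffc0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
KASAN_SHADOW_START = 0xffffec0000000000   # shadow of 0xffff800000000000
KASAN_SHADOW_END = 0xfffffc0000000000     # shadow of the top of the address space


def parse_kasan(report):
    """Bug type, access, owning object and region from a KASAN slab report."""
    bug = re.search(r"^BUG: KASAN: (\S+) in (\S+)", report, re.M)
    access = re.search(r"^(Read|Write) of size (\d+) at addr " + HEX +
                       r" by task (\S+)/(\d+)", report, re.M)
    obj = re.search(r"object at " + HEX +
                    r"\s+which belongs to the cache (\S+) of size (\d+)", report)
    region = re.search(r"located (\d+) bytes (inside|to the right|to the left) of\s+"
                       r"(\d+)-byte region \[" + HEX + ", " + HEX + r"\)", report)
    if not (bug and access and obj and region):
        raise ValueError("not a complete KASAN slab report")
    return {"bug": bug.group(1), "site": bug.group(2),
            "access": access.group(1).lower(), "size": int(access.group(2)),
            "addr": int(access.group(3), 16), "task": access.group(4),
            "pid": int(access.group(5)), "object": int(obj.group(1), 16),
            "cache": obj.group(2), "object_size": int(obj.group(3)),
            "offset": int(region.group(1)), "where": region.group(2),
            "region_size": int(region.group(3)),
            "region_start": int(region.group(4), 16),
            "region_end": int(region.group(5), 16)}


def check_kasan(info):
    """Recompute what KASAN printed from the raw addresses and sizes."""
    access_end = info["addr"] + info["size"]
    return {
        # "24 bytes inside" must equal addr - object base
        "offset_consistent": info["addr"] - info["object"] == info["offset"],
        # the region must be [object, object + cache object size)
        "region_consistent": (info["region_start"] == info["object"] and
                              info["region_end"] == info["object"] + info["object_size"]),
        # does the whole read fall inside the object KASAN attributed it to?
        "access_within_region": (info["region_start"] <= info["addr"] and
                                 access_end <= info["region_end"]),
    }


def parse_oops(report):
    """Faulting address, RIP symbol and register dump of an x86-64 oops."""
    fault = re.search(r"unable to handle kernel paging request at " + HEX, report)
    ip = re.search(r"^IP: \[[^\]]*\] (\S+) (\S+)", report, re.M)
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b", report)}
    if not (fault and ip and regs):
        raise ValueError("not an x86-64 oops with a register dump")
    return {"fault_addr": int(fault.group(1), 16), "ip": ip.group(1),
            "ip_loc": ip.group(2), "regs": regs}


def check_oops(info):
    """Tie CR2 to the registers and to the inlined KASAN check before the fault."""
    r, fault = info["regs"], info["fault_addr"]
    shadow = r["RDX"] + r["RAX"]
    return {
        "cr2_is_fault_addr": r["CR2"] == fault,
        "fault_addr_in_rdi": r["RDI"] == fault,
        # displacement of the faulting load: "<4d> 8b 64 24 78" is mov 0x78(%r12),%r12
        "rdi_minus_r12": r["RDI"] - r["R12"],
        # an 8-byte-aligned kernel struct can never sit at an odd address
        "r12_pointer_aligned": r["R12"] % 8 == 0,
        "fault_in_kernel_half": fault >> 47 == 0x1ffff,
        # the inlined shadow check ran first: RDX = addr >> 3, RAX = shadow offset
        "rax_is_shadow_offset": r["RAX"] == KASAN_SHADOW_OFFSET,
        "rdx_is_shadow_index": r["RDX"] == fault >> KASAN_SHADOW_SCALE_SHIFT,
        "shadow_addr": shadow,
        "shadow_in_kasan_range": KASAN_SHADOW_START <= shadow < KASAN_SHADOW_END,
    }


if __name__ == "__main__":
    k, o = parse_kasan(KASAN_REPORT), parse_oops(OOPS_REPORT)
    print(k["bug"], "in", k["site"], "from", k["cache"], check_kasan(k))
    print(o["ip"], "at", hex(o["fault_addr"]), check_oops(o))
```

The point of the second set of checks is that the shadow byte read at RDX + RAX did not fault and compared equal to zero (execution reached the load at RIP, past the jne that follows the cmpb), so KASAN had nothing to say and the first diagnostic for this access is the page fault itself; the register state, not the KASAN machinery, is what identifies the bad base pointer in R12.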