==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x1f95/0x2320 net/ipv6/ip6_tunnel.c:987
Read of size 16 at addr ffff8800b52a4730 by task syz-executor.5/18851
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!
Dead loop on virtual device ip6_vti0, fix it urgently!

CPU: 1 PID: 18851 Comm: syz-executor.5 Not tainted 4.4.174+ #4
input: syz1 as /devices/virtual/input/input1409
audit: type=1400 audit(1574779737.658:735): avc:  denied  { create } for  pid=18859 comm="syz-executor.0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=0
 0000000000000000 c60de58e6b911967 ffff8800a4deee70 ffffffff81aad1a1
 0000000000000000 ffffea0002d4a900 ffff8800b52a4730 0000000000000010
 ffff8800b52a4480 ffff8800a4deeea8 ffffffff81490120 0000000000000000
Call Trace:
 [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81490120>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [<ffffffff81490358>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81490358>] kasan_report mm/kasan/report.c:408 [inline]
 [<ffffffff81490358>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [<ffffffff81484faf>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439
 [<ffffffff826b3105>] ip6_tnl_xmit2+0x1f95/0x2320 net/ipv6/ip6_tunnel.c:987
 [<ffffffff826b4e59>] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1134 [inline]
 [<ffffffff826b4e59>] ip6_tnl_xmit+0xa09/0xe00 net/ipv6/ip6_tunnel.c:1212
 [<ffffffff82245071>] __netdev_start_xmit include/linux/netdevice.h:3750 [inline]
 [<ffffffff82245071>] netdev_start_xmit include/linux/netdevice.h:3759 [inline]
 [<ffffffff82245071>] xmit_one net/core/dev.c:2781 [inline]
 [<ffffffff82245071>] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797
 [<ffffffff822473cb>] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229
 [<ffffffff82247948>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [<ffffffff8225c136>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369
 [<ffffffff823c5412>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff823c5412>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213
 [<ffffffff823c805c>] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635
 [<ffffffff823cbd7b>] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505
 [<ffffffff823cc1e9>] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286
 [<ffffffff823cf9f1>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff823cf9f1>] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347
 [<ffffffff823cd21c>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff823cd21c>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
 [<ffffffff823d300e>] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453
 [<ffffffff82478ded>] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842
 [<ffffffff8247fb9f>] udp_sendmsg+0x16cf/0x1c60 net/ipv4/udp.c:1072
 [<ffffffff826137a2>] udpv6_sendmsg+0x12f2/0x24f0 net/ipv6/udp.c:1173
 [<ffffffff824a8b42>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [<ffffffff821d838e>] sock_sendmsg_nosec net/socket.c:638 [inline]
 [<ffffffff821d838e>] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [<ffffffff821dc4f1>] SYSC_sendto net/socket.c:1678 [inline]
 [<ffffffff821dc4f1>] SyS_sendto+0x201/0x340 net/socket.c:1646
 [<ffffffff8serialport: VM disconnected.