syzbot

------------[ cut here ]------------
kernel BUG at net/ipv4/ip_output.c:776!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6028 Comm: syz-executor129 Not tainted 4.19.0-rc4+ #27
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ip_do_fragment+0x246d/0x2ae0 net/ipv4/ip_output.c:776
Code: 8b 8d 70 fe ff ff e9 3a e8 ff ff 4c 89 ef e8 0a 9f 3d fb e9 1c e9 ff ff 4c 89 f7 e8 fd 9e 3d fb e9 94 e5 ff ff e8 43 3e fa fa <0f> 0b 4c 89 e7 e8 e9 9e 3d fb e9 58 e8 ff ff 4c 89 f7 89 8d 70 fe
RSP: 0018:ffff8801c1dd67d0 EFLAGS: 00010293
RAX: ffff8801c24f4680 RBX: ffff8801c64c4800 RCX: ffffffff86847f8e
RDX: 0000000000000000 RSI: ffffffff8684963d RDI: 0000000000000005
RBP: ffff8801c1dd69a8 R08: ffff8801c24f4680 R09: ffffed0037fd6018
R10: ffffed0037fd601a R11: ffff8801bfeb00d3 R12: ffff8801c64c48c4
R13: 00000000fffffff2 R14: ffff8801c64c48d0 R15: dffffc0000000000
FS:  0000000001ee2880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006cc090 CR3: 00000001c812e000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip_fragment.constprop.49+0x179/0x240 net/ipv4/ip_output.c:549
 ip_finish_output+0x6b4/0xf60 net/ipv4/ip_output.c:315
 NF_HOOK_COND include/linux/netfilter.h:276 [inline]
 ip_output+0x21d/0x8d0 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124
 iptunnel_xmit+0x56a/0x8d0 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0x1586/0x3ac3 net/ipv4/ip_tunnel.c:778
 __gre_xmit+0x5e1/0x980 net/ipv4/ip_gre.c:454
 ipgre_xmit+0x3e7/0xba0 net/ipv4/ip_gre.c:708
 __netdev_start_xmit include/linux/netdevice.h:4287 [inline]
 netdev_start_xmit include/linux/netdevice.h:4296 [inline]
 xmit_one net/core/dev.c:3216 [inline]
 dev_hard_start_xmit+0x27f/0xc70 net/core/dev.c:3232
 __dev_queue_xmit+0x2f3b/0x3980 net/core/dev.c:3802
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3835
 __bpf_tx_skb net/core/filter.c:2012 [inline]
 __bpf_redirect_common net/core/filter.c:2050 [inline]
 __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2057
 ____bpf_clone_redirect net/core/filter.c:2090 [inline]
 bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2062
 bpf_prog_bebbfe2050753572+0x23d/0x1000
Modules linked in:
---[ end trace 5178dd7eb0e3f9ee ]---
RIP: 0010:ip_do_fragment+0x246d/0x2ae0 net/ipv4/ip_output.c:776
Code: 8b 8d 70 fe ff ff e9 3a e8 ff ff 4c 89 ef e8 0a 9f 3d fb e9 1c e9 ff ff 4c 89 f7 e8 fd 9e 3d fb e9 94 e5 ff ff e8 43 3e fa fa <0f> 0b 4c 89 e7 e8 e9 9e 3d fb e9 58 e8 ff ff 4c 89 f7 89 8d 70 fe
RSP: 0018:ffff8801c1dd67d0 EFLAGS: 00010293
RAX: ffff8801c24f4680 RBX: ffff8801c64c4800 RCX: ffffffff86847f8e
RDX: 0000000000000000 RSI: ffffffff8684963d RDI: 0000000000000005
RBP: ffff8801c1dd69a8 R08: ffff8801c24f4680 R09: ffffed0037fd6018
R10: ffffed0037fd601a R11: ffff8801bfeb00d3 R12: ffff8801c64c48c4
R13: 00000000fffffff2 R14: ffff8801c64c48d0 R15: dffffc0000000000
FS:  0000000001ee2880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006cc090 CR3: 00000001c812e000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400