------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:2625!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
binder_alloc: binder_alloc_mmap_handler: 10849 20000000-20002000 already mapped failed -16
Modules linked in:
CPU: 1 PID: 10841 Comm: syz-executor5 Not tainted 4.15.0-rc9+ #193
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_copy_and_csum_bits+0x5e4/0x6e0 net/core/skbuff.c:2625
RSP: 0018:ffff8801db3063b0 EFLAGS: 00010206
RAX: ffff8801cd9b6740 RBX: 0000000070fdb973 RCX: ffffffff843198e4
RDX: 0000000000000100 RSI: ffff8801d053fb4c RDI: ffff8801d0c36308
RBP: ffff8801db306430 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003c R11: ffffed003a2e52a3 R12: ffff8801d17292a8
R13: ffff8801d053fbc0 R14: 00000000000001e8 R15: 000000000000003c
FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000008064270 CR3: 0000000006a22006 CR4: 00000000001606e0
Call Trace:
 <IRQ>
 icmp_glue_bits+0x7f/0x1d0 net/ipv4/icmp.c:357
 __ip_append_data.isra.45+0x178e/0x2570 net/ipv4/ip_output.c:1018
 ip_append_data.part.46+0xde/0x150 net/ipv4/ip_output.c:1170
 ip_append_data+0x5a/0x80 net/ipv4/ip_output.c:1159
 icmp_push_reply+0x169/0x4f0 net/ipv4/icmp.c:375
 icmp_send+0x1148/0x19d0 net/ipv4/icmp.c:741
 ip_fragment.constprop.47+0x1ac/0x200 net/ipv4/ip_output.c:552
 ip_finish_output+0x698/0xd10 net/ipv4/ip_output.c:315
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_output+0x1d2/0x860 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:460 [inline]
 ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
 tcp_transmit_skb+0x1b12/0x38b0 net/ipv4/tcp_output.c:1176
 __tcp_retransmit_skb+0x684/0x2700 net/ipv4/tcp_output.c:2907
 tcp_retransmit_skb+0x2e/0x230 net/ipv4/tcp_output.c:2922
 tcp_retransmit_timer+0xd05/0x29f0 net/ipv4/tcp_timer.c:495
 tcp_write_timer_handler+0x335/0x820 net/ipv4/tcp_timer.c:580
 tcp_write_timer+0x152/0x170 net/ipv4/tcp_timer.c:600
 call_timer_fn+0x228/0x820 kernel/time/timer.c:1318
 expire_timers kernel/time/timer.c:1355 [inline]
 __run_timers+0x7ee/0xb70 kernel/time/timer.c:1658
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1684
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
 invoke_softirq kernel/softirq.c:365 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:541 [inline]
 smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:937
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x5e/0xba kernel/locking/spinlock.c:184
RSP: 0018:ffff8801bc51f048 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff11
RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000000
RDX: 1ffffffff0d5918d RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffff8801bc51f058 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff882572e8
R13: ffff8801bc51f210 R14: 0000000000000000 R15: dffffc0000000000
 __debug_check_no_obj_freed lib/debugobjects.c:758 [inline]
 debug_check_no_obj_freed+0x3da/0xf1f lib/debugobjects.c:774
 __vunmap+0x112/0x380 mm/vmalloc.c:1530
 vfree+0x50/0xe0 mm/vmalloc.c:1606
 sel_release_policy+0x67/0x90 security/selinux/selinuxfs.c:396
 __fput+0x327/0x7e0 fs/file_table.c:210
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x199/0x270 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x9bb/0x1ad0 kernel/exit.c:865
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x73f/0x16c0 kernel/signal.c:2335
 do_signal+0x90/0x1eb0 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x214/0x310 arch/x86/entry/common.c:158
 prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:264 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:333 [inline]
 do_fast_syscall_32+0xbfd/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7fdbc79
RSP: 002b:00000000f77b610c EFLAGS: 00000296 ORIG_RAX: 00000000000000f0
RAX: fffffffffffffe00 RBX: 000000000813af98 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Code: fd 49 63 c4 48 01 45 c8 01 45 b8 41 01 c5 e9 1d ff ff ff 8b 5d d4 e8 9c 92 3e fd 8b 45 c0 85 c0 0f 84 ab fe ff ff e8 8c 92 3e fd <0f> 0b 45 31 ff e9 4c fb ff ff 8b 5d d4 e9 94 fe ff ff e8 75 92 
RIP: skb_copy_and_csum_bits+0x5e4/0x6e0 net/core/skbuff.c:2625 RSP: ffff8801db3063b0
---[ end trace ae8b3220cb2cf2f2 ]---