------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:2257!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 21203 Comm: syz-executor.1 Not tainted 4.9.194+ #0
task: 000000008208c5f3 task.stack: 00000000871c4d86
RIP: 0010:[] [<00000000e53ca433>] skb_copy_and_csum_bits+0x6bd/0x7e0 net/core/skbuff.c:2257
RSP: 0018:ffff8801db607230 EFLAGS: 00010206
RAX: ffff8801919e97c0 RBX: 0000000000000000 RCX: 1ffff10035668979
RDX: 0000000000000100 RSI: ffffffff822e902d RDI: ffff8801ab344bc8
RBP: ffff8801db6072c0 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003c R11: ffff88019c486b5f R12: 00000000fededb71
R13: 0000000000000000 R14: ffff8801ab344bc0 R15: 000000000000003c
FS: 00007f0e4b076700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020158000 CR3: 00000001753fa000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Stack:
 ffff8801c6009348 ffffffff82545a85 ffffffff812685b7 ffff88019c4868e8
 0000003c812692df ffffffff8283097d ffffffff810f2499 ffffffff8282f4be
 ffff8801c6009344 ffffffff811f481b 000001e8fededb71 ffff8801c6009280
Call Trace:
 [<00000000df2b3a80>] icmp_glue_bits+0x7f/0x1d0 net/ipv4/icmp.c:344
 [<00000000a2f2ecd9>] __ip_append_data.isra.0+0x1de1/0x2940 net/ipv4/ip_output.c:1082
 [<00000000592fdb6e>] ip_append_data.part.0+0xec/0x160 net/ipv4/ip_output.c:1232
 [<000000008da22fa1>] ip_append_data+0x69/0x90 net/ipv4/ip_output.c:1221
 [<00000000dd8bd13b>] icmp_push_reply+0x199/0x510 net/ipv4/icmp.c:362
 [<000000008eafb92e>] __icmp_send+0xad9/0x1420 net/ipv4/icmp.c:728
 [<000000002e9e9162>] icmp_send include/net/icmp.h:47 [inline]
 [<000000002e9e9162>] ip_fragment net/ipv4/ip_output.c:551 [inline]
 [<000000002e9e9162>] ip_fragment.constprop.0+0x1b9/0x210 net/ipv4/ip_output.c:538
 [<0000000099f50c0c>] ip_finish_output+0x7cb/0xce0 net/ipv4/ip_output.c:311
 [<000000008c3c9445>] NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 [<000000008c3c9445>] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401
 [<00000000910f16f3>] dst_output include/net/dst.h:507 [inline]
 [<00000000910f16f3>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124
 [<00000000a306588c>] ip_queue_xmit+0x8a5/0x1890 net/ipv4/ip_output.c:500
 [<0000000086ced09c>] __tcp_transmit_skb+0x1943/0x2f20 net/ipv4/tcp_output.c:1041
 [<00000000f3e3e751>] tcp_transmit_skb net/ipv4/tcp_output.c:1057 [inline]
 [<00000000f3e3e751>] __tcp_retransmit_skb+0x61a/0x1b30 net/ipv4/tcp_output.c:2781
 [<000000000c31bed3>] tcp_retransmit_skb+0x29/0x2b0 net/ipv4/tcp_output.c:2800
 [<000000003d204eb7>] tcp_retransmit_timer+0x948/0x2320 net/ipv4/tcp_timer.c:508
 [<00000000625a1d55>] tcp_write_timer_handler+0x412/0x7a0 net/ipv4/tcp_timer.c:592
 [<000000004c5a17db>] tcp_write_timer+0xc5/0x190 net/ipv4/tcp_timer.c:610
 [<00000000328ddb95>] call_timer_fn+0x167/0x6d0 kernel/time/timer.c:1319
 [<0000000021a714f7>] expire_timers+0x25b/0x5c0 kernel/time/timer.c:1359
 [<00000000ef2cf9d6>] __run_timers kernel/time/timer.c:1674 [inline]
 [<00000000ef2cf9d6>] run_timer_softirq+0x1ff/0x620 kernel/time/timer.c:1687
 [<000000003ddfe328>] __do_softirq+0x22d/0x964 kernel/softirq.c:288
 [<00000000a2c247cd>] invoke_softirq kernel/softirq.c:368 [inline]
 [<00000000a2c247cd>] irq_exit+0x119/0x160 kernel/softirq.c:409
 [<00000000a5f51a44>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
 [<00000000a5f51a44>] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:1000
 [<0000000083b38ec5>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:653
ip6_tunnel:  xmit: Local address not yet configured!
[ 1038.691791] [<00000000e01690cb>] ? arch_local_irq_restore arch/x86/include/asm/paravirt.h:768 [inline]
[ 1038.691791] [<00000000e01690cb>] ? __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:162 [inline]
[ 1038.691791] [<00000000e01690cb>] ? _raw_spin_unlock_irqrestore+0x5f/0x70 kernel/locking/spinlock.c:191
 [<000000008f432b38>] spin_unlock_irqrestore include/linux/spinlock.h:362 [inline]
 [<000000008f432b38>] __wake_up_sync_key+0x4b/0x60 kernel/sched/wait.c:146
 [<00000000259fa3ae>] pipe_write+0x912/0xe40 fs/pipe.c:484
 [<00000000c52ae262>] new_sync_write fs/read_write.c:498 [inline]
 [<00000000c52ae262>] __vfs_write+0x3c1/0x560 fs/read_write.c:511
 [<000000007a1f6833>] vfs_write+0x185/0x520 fs/read_write.c:559
 [<000000008bf9b84d>] SYSC_write fs/read_write.c:607 [inline]
 [<000000008bf9b84d>] SyS_write+0x121/0x270 fs/read_write.c:599
 [<0000000028b604ec>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<0000000014e49cba>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: ff ff e8 f7 96 03 ff be bf 08 00 00 48 c7 c7 80 62 c7 82 e8 b6 55 df fe e9 5d fe ff ff 44 8b 7d d4 e9 d9 fd ff ff e8 d3 96 03 ff <0f> 0b 4c 89 f7 e8 f9 57 21 ff e9 dc fa ff ff 48 89 55 b8 e8 2b
RIP [<00000000e53ca433>] skb_copy_and_csum_bits+0x6bd/0x7e0 net/core/skbuff.c:2257
RSP
---[ end trace 06762ab87f9d6cd8 ]---