------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:1294!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 21978 Comm: syz-executor.2 Not tainted 4.9.189+ #4
task: 00000000ba4efe23 task.stack: 00000000cba13ba8
RIP: 0010:[<ffffffff8252ae16>]  [<000000008b62d2ed>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP: 0010:[<ffffffff8252ae16>]  [<000000008b62d2ed>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP: 0010:[<ffffffff8252ae16>]  [<000000008b62d2ed>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP: 0010:[<ffffffff8252ae16>]  [<000000008b62d2ed>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
RSP: 0018:ffff8801db607b90  EFLAGS: 00010206
RAX: ffff8801d2790000 RBX: ffff8801d1eade80 RCX: 1ffff1003a3d5c4d
RDX: 0000000000000100 RSI: ffffffff8252ae16 RDI: ffff8801d5cca288
RBP: ffff8801db607be0 R08: 0000000002080020 R09: ffff8801d5cca2a8
R10: ffff88021fffd010 R11: 0000015ffec720a3 R12: 0000000000000000
R13: ffff8801d1eae070 R14: ffff8801d5cca280 R15: ffff8801d1eae0c4
FS:  00007fd06f2a4700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001bff320 CR3: 00000001d6e36000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Stack:
 ffff8801d5cca280 ffff8801d1eae070 ffff8801d5cca2f8 ffff880102080020
 000068000000ffcb 0000000000006800 ffff8801d1eade80 ffff8801d5cca280
 000000000000ffcb ffff8801d5cca2b4 ffff8801db607c30 ffffffff8253e775
Call Trace:
 <IRQ> [ 1510.386725]  [<000000003b6aebe7>] tcp_write_wakeup+0x345/0x5b0 net/ipv4/tcp_output.c:3613
 [<00000000f5d9ae7e>] tcp_send_probe0+0x4b/0x400 net/ipv4/tcp_output.c:3641
 [<00000000341472e7>] tcp_probe_timer net/ipv4/tcp_timer.c:379 [inline]
 [<00000000341472e7>] tcp_write_timer_handler+0x6a0/0x7a0 net/ipv4/tcp_timer.c:596
 [<00000000fe99cd8c>] tcp_write_timer+0xc5/0x190 net/ipv4/tcp_timer.c:610
 [<00000000f7fd41f5>] call_timer_fn+0x167/0x6d0 kernel/time/timer.c:1319
 [<00000000c8da5247>] expire_timers+0x25b/0x5c0 kernel/time/timer.c:1359
 [<000000009c95dd84>] __run_timers kernel/time/timer.c:1674 [inline]
 [<000000009c95dd84>] run_timer_softirq+0x1ff/0x620 kernel/time/timer.c:1687
 [<00000000e708af80>] __do_softirq+0x22d/0x964 kernel/softirq.c:288
 [<00000000125f3798>] invoke_softirq kernel/softirq.c:368 [inline]
 [<00000000125f3798>] irq_exit+0x119/0x160 kernel/softirq.c:409
 [<00000000f3440fa6>] exiting_irq arch/x86/include/asm/apic.h:669 [inline]
 [<00000000f3440fa6>] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:962
 [<000000005a559c2d>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:653
 <EOI> [ 1510.549180]  [<00000000b6e9c179>] ? arch_local_irq_restore arch/x86/include/asm/paravirt.h:768 [inline]
 <EOI> [ 1510.549180]  [<00000000b6e9c179>] ? __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:162 [inline]
 <EOI> [ 1510.549180]  [<00000000b6e9c179>] ? _raw_spin_unlock_irqrestore+0x5f/0x70 kernel/locking/spinlock.c:191
 [<00000000d66c3fc7>] spin_unlock_irqrestore include/linux/spinlock.h:362 [inline]
 [<00000000d66c3fc7>] avc_reclaim_node security/selinux/avc.c:541 [inline]
 [<00000000d66c3fc7>] avc_alloc_node security/selinux/avc.c:559 [inline]
 [<00000000d66c3fc7>] avc_alloc_node+0x29a/0x3c0 security/selinux/avc.c:547
 [<00000000dc0b91df>] avc_insert security/selinux/avc.c:670 [inline]
 [<00000000dc0b91df>] avc_compute_av+0x182/0x610 security/selinux/avc.c:976
 [<0000000065f90256>] avc_has_perm_noaudit+0x2a8/0x300 security/selinux/avc.c:1112
 [<00000000e4042474>] selinux_inode_permission+0x2db/0x4c0 security/selinux/hooks.c:3060
 [<0000000072b15f05>] security_inode_permission+0xb9/0x100 security/security.c:611
 [<000000002fe90bb2>] __inode_permission2+0x96/0x2e0 fs/namei.c:435
 [<0000000072c77410>] inode_permission2+0x32/0x110 fs/namei.c:485
 [<00000000985e4cc2>] may_lookup fs/namei.c:1724 [inline]
 [<00000000985e4cc2>] link_path_walk+0x1ba/0x1210 fs/namei.c:2105
 [<00000000273c9c36>] path_openat+0x18e/0x2f60 fs/namei.c:3580
 [<00000000b82b1760>] do_filp_open+0x1a1/0x280 fs/namei.c:3615
 [<00000000a7ecfdf6>] do_sys_open+0x2f0/0x610 fs/open.c:1097
 [<0000000088688aac>] SYSC_open fs/open.c:1115 [inline]
 [<0000000088688aac>] SyS_open+0x2d/0x40 fs/open.c:1110
 [<00000000c2e3ee6e>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<0000000059fbce97>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: c1 ea 03 80 3c 02 00 0f 85 3a 01 00 00 4c 8b ab f8 01 00 00 ba 00 00 00 00 4c 3b 6d b8 4c 0f 44 ea e9 f9 fc ff ff e8 5a 75 df fe <0f> 0b e8 93 36 fd fe e9 6e f0 ff ff e8 89 36 fd fe e9 68 f3 ff 
RIP  [<000000008b62d2ed>] skb_queue_prev include/linux/skbuff.h:1294 [inline]
RIP  [<000000008b62d2ed>] tcp_write_queue_prev include/net/tcp.h:1563 [inline]
RIP  [<000000008b62d2ed>] tcp_rtx_queue_tail include/net/tcp.h:1616 [inline]
RIP  [<000000008b62d2ed>] tcp_fragment+0x1266/0x1390 net/ipv4/tcp_output.c:1195
 RSP <ffff8801db607b90>
---[ end trace 231036a4d2f7495c ]---