------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:2632! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 12155 Comm: syz-executor5 Not tainted 4.13.0-rc5-next-20170816+ #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801ca0c8680 task.stack: ffff8801d30c8000 RIP: 0010:skb_copy_and_csum_bits+0x60f/0x710 net/core/skbuff.c:2632 RSP: 0018:ffff8801db3067a8 EFLAGS: 00010206 RAX: ffff8801ca0c8680 RBX: 00000000865e3e08 RCX: 0000000000000000 RDX: 0000000000000100 RSI: ffff8801d0fcc284 RDI: ffff8801bfa15948 RBP: ffff8801db306830 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003c R11: ffffed0039069b2c R12: ffff8801c834d6e8 R13: ffff8801caa712c0 R14: 000000000000003c R15: 00000000000001e8 FS: 00007fde12216700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000bffc CR3: 00000001cea79000 CR4: 00000000001406e0 Call Trace: icmp_glue_bits+0x7f/0x1d0 net/ipv4/icmp.c:357 __ip_append_data.isra.47+0x1716/0x24a0 net/ipv4/ip_output.c:1018 ip_append_data.part.49+0xde/0x150 net/ipv4/ip_output.c:1170 ip_append_data+0x5a/0x80 net/ipv4/ip_output.c:1159 icmp_push_reply+0x169/0x4c0 net/ipv4/icmp.c:375 icmp_send+0x1127/0x19a0 net/ipv4/icmp.c:741 ip_fragment.constprop.50+0x1ac/0x200 net/ipv4/ip_output.c:552 ip_finish_output+0x5b5/0xb00 net/ipv4/ip_output.c:315 NF_HOOK_COND include/linux/netfilter.h:237 [inline] ip_output+0x1cc/0x850 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:471 [inline] ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124 ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504 tcp_transmit_skb+0x1923/0x32d0 net/ipv4/tcp_output.c:1121 __tcp_retransmit_skb+0x608/0x1ff0 net/ipv4/tcp_output.c:2875 tcp_retransmit_skb+0x2e/0x230 net/ipv4/tcp_output.c:2889 tcp_retransmit_timer+0xcee/0x2a10 net/ipv4/tcp_timer.c:476 tcp_write_timer_handler+0x335/0x810 net/ipv4/tcp_timer.c:561 tcp_write_timer+0x146/0x160 net/ipv4/tcp_timer.c:579 call_timer_fn+0x233/0x830 kernel/time/timer.c:1268 expire_timers kernel/time/timer.c:1307 [inline] __run_timers+0x7fd/0xb90 kernel/time/timer.c:1601 run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614 __do_softirq+0x2f5/0xba3 kernel/softirq.c:284 invoke_softirq kernel/softirq.c:364 [inline] irq_exit+0x1cc/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:638 [inline] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:1044 apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:783 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:814 [inline] RIP: 0010:lock_acquire+0x256/0x580 kernel/locking/lockdep.c:4005 RSP: 0018:ffff8801d30ce7c8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10 RAX: dffffc0000000000 RBX: ffff8801ca0c8680 RCX: 0000000000000000 RDX: 1ffffffff0b58d69 RSI: 00000000bb212072 RDI: 0000000000000286 RBP: ffff8801d30ce8c0 R08: ffffffff81a5f3b0 R09: 0000000000000002 R10: ffff8801d30ce7a8 R11: 0000000000000000 R12: 1ffff1003a619cff R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000000 rcu_lock_acquire include/linux/rcupdate.h:244 [inline] rcu_read_lock include/linux/rcupdate.h:614 [inline] lock_page_memcg+0x8f/0x3b0 mm/memcontrol.c:1650 page_remove_file_rmap mm/rmap.c:1199 [inline] page_remove_rmap+0x393/0xcb0 mm/rmap.c:1284 zap_pte_range mm/memory.c:1266 [inline] zap_pmd_range mm/memory.c:1347 [inline] zap_pud_range mm/memory.c:1376 [inline] zap_p4d_range mm/memory.c:1397 [inline] unmap_page_range+0x1290/0x22a0 mm/memory.c:1418 unmap_single_vma+0x15f/0x2d0 mm/memory.c:1463 unmap_vmas+0xf1/0x1b0 mm/memory.c:1493 exit_mmap+0x22a/0x560 mm/mmap.c:3004 __mmput kernel/fork.c:905 [inline] mmput+0x223/0x6e0 kernel/fork.c:927 exit_mm kernel/exit.c:544 [inline] do_exit+0x9a1/0x1b30 kernel/exit.c:852 do_group_exit+0x149/0x400 kernel/exit.c:968 get_signal+0x7e8/0x17e0 kernel/signal.c:2330 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808 exit_to_usermode_loop+0x224/0x300 arch/x86/entry/common.c:158 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline] syscall_return_slowpath+0x42f/0x500 arch/x86/entry/common.c:266 entry_SYSCALL_64_fastpath+0xbc/0xbe RIP: 0033:0x4512e9 RSP: 002b:00007fde12215cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 0000000000718170 RCX: 00000000004512e9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000718170 RBP: 0000000000718150 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000a6f7ef R14: 00007fde122169c0 R15: 0000000000000004 Code: fd 49 63 c4 48 01 45 c8 01 45 b8 41 01 c5 e9 23 ff ff ff 8b 5d d4 e8 81 59 8e fd 8b 45 c0 85 c0 0f 84 b1 fe ff ff e8 71 59 8e fd <0f> 0b 45 31 f6 e9 15 fb ff ff 8b 5d d4 e9 9a fe ff ff e8 5a 59 RIP: skb_copy_and_csum_bits+0x60f/0x710 net/core/skbuff.c:2632 RSP: ffff8801db3067a8 ---[ end trace a3db2291bd090879 ]---