------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:2632!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
QAT: Invalid ioctl
QAT: Invalid ioctl
   (ftrace buffer empty)
Modules linked in:
CPU: 3 PID: 17007 Comm: syz-executor4 Not tainted 4.13.0-rc5-next-20170815+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003e0cc100 task.stack: ffff880023ec8000
RIP: 0010:skb_copy_and_csum_bits+0x60f/0x710 net/core/skbuff.c:2632
RSP: 0018:ffff88006df067a8 EFLAGS: 00010206
RAX: ffff88003e0cc100 RBX: 000000005c1b1397 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffff88006ceb5a44 RDI: ffff88006980b508
RBP: ffff88006df06830 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003c R11: ffffed000d6f645c R12: ffff88006b7b2068
R13: ffff88006d027cc0 R14: 000000000000003c R15: 00000000000001e8
FS: 0000000000000000(0000) GS:ffff88006df00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000209ca000 CR3: 000000006c9d9000 CR4: 00000000000026e0
DR0: 0000000020000008 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
QAT: Invalid ioctl
QAT: Invalid ioctl
Call Trace:
 icmp_glue_bits+0x7f/0x1d0 net/ipv4/icmp.c:357
 __ip_append_data.isra.47+0x1716/0x24a0 net/ipv4/ip_output.c:1018
 ip_append_data.part.49+0xde/0x150 net/ipv4/ip_output.c:1170
 ip_append_data+0x5a/0x80 net/ipv4/ip_output.c:1159
 icmp_push_reply+0x169/0x4c0 net/ipv4/icmp.c:375
 icmp_send+0x1127/0x19a0 net/ipv4/icmp.c:741
 ip_fragment.constprop.50+0x1ac/0x200 net/ipv4/ip_output.c:552
 ip_finish_output+0x5b5/0xb00 net/ipv4/ip_output.c:315
 NF_HOOK_COND include/linux/netfilter.h:237 [inline]
 ip_output+0x1cc/0x850 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:471 [inline]
 ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
 tcp_transmit_skb+0x1923/0x32d0 net/ipv4/tcp_output.c:1121
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
kvm: pic: non byte read
 __tcp_retransmit_skb+0x608/0x1ff0 net/ipv4/tcp_output.c:2875
 tcp_retransmit_skb+0x2e/0x230 net/ipv4/tcp_output.c:2889
 tcp_retransmit_timer+0xcee/0x2a10 net/ipv4/tcp_timer.c:476
 tcp_write_timer_handler+0x335/0x810 net/ipv4/tcp_timer.c:561
 tcp_write_timer+0x146/0x160 net/ipv4/tcp_timer.c:579
 call_timer_fn+0x233/0x830 kernel/time/timer.c:1268
QAT: Invalid ioctl
QAT: Invalid ioctl
 expire_timers kernel/time/timer.c:1307 [inline]
 __run_timers+0x7fd/0xb90 kernel/time/timer.c:1601
 run_timer_softirq+0x21/0x80 kernel/time/timer.c:1614
 __do_softirq+0x2f5/0xba3 kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1cc/0x200 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:1044
 apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:577
RIP: 0010:__read_once_size include/linux/compiler.h:276 [inline]
RIP: 0010:atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:page_ref_count include/linux/page_ref.h:66 [inline]
RIP: 0010:page_expected_state mm/page_alloc.c:911 [inline]
RIP: 0010:free_pages_check mm/page_alloc.c:949 [inline]
RIP: 0010:free_pages_prepare mm/page_alloc.c:1032 [inline]
RIP: 0010:__free_pages_ok+0x188e/0x3150 mm/page_alloc.c:1248
RSP: 0018:ffff880023ecdc68 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff10
RAX: dffffc0000000000 RBX: ffffea00008e8000 RCX: 0000000000000000
RDX: ffff880023ecddb0 RSI: 0000000000000000 RDI: 0000000000000004
RBP: ffff880023ece458 R08: 0000000000000001 R09: ffffea00008e8000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880023ece430
R13: 0000000000000001 R14: ffffea00008e3c00 R15: 0000000000000000
QAT: Invalid ioctl
QAT: Invalid ioctl
 free_compound_page+0x5e/0x70 mm/page_alloc.c:590
 free_transhuge_page+0x2d2/0x430 mm/huge_memory.c:2681
 __put_compound_page+0x87/0xb0 mm/swap.c:95
 release_pages+0x60a/0x11d0 mm/swap.c:777
 free_pages_and_swap_cache+0x2af/0x400 mm/swap_state.c:314
 tlb_flush_mmu_free+0xb4/0x160 mm/memory.c:258
 zap_pmd_range mm/memory.c:1310 [inline]
 zap_pud_range mm/memory.c:1376 [inline]
 zap_p4d_range mm/memory.c:1397 [inline]
 unmap_page_range+0x185b/0x22a0 mm/memory.c:1418
 unmap_single_vma+0x15f/0x2d0 mm/memory.c:1463
 unmap_vmas+0xf1/0x1b0 mm/memory.c:1493
 exit_mmap+0x22a/0x560 mm/mmap.c:3004
 __mmput kernel/fork.c:905 [inline]
 mmput+0x223/0x6e0 kernel/fork.c:927
 exit_mm kernel/exit.c:544 [inline]
 do_exit+0x9a1/0x1b30 kernel/exit.c:852
 do_group_exit+0x149/0x400 kernel/exit.c:968
 get_signal+0x7e8/0x17e0 kernel/signal.c:2330
 do_signal+0x94/0x1ee0 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x224/0x300 arch/x86/entry/common.c:158
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath+0x42f/0x500 arch/x86/entry/common.c:266
 entry_SYSCALL_64_fastpath+0xbc/0xbe
RIP: 0033:0x446739
RSP: 002b:00007f1c6a1afcf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 0000000000708020 RCX: 0000000000446739
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000708020
RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1c6a1b09c0 R15: 00007f1c6a1b0700
Code: fd 49 63 c4 48 01 45 c8 01 45 b8 41 01 c5 e9 23 ff ff ff 8b 5d d4 e8 81 69 8e fd 8b 45 c0 85 c0 0f 84 b1 fe ff ff e8 71 69 8e fd <0f> 0b 45 31 f6 e9 15 fb ff ff 8b 5d d4 e9 9a fe ff ff e8 5a 69
RIP: skb_copy_and_csum_bits+0x60f/0x710 net/core/skbuff.c:2632 RSP: ffff88006df067a8
---[ end trace 905fd77bedcbf3bf ]---