------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:1406!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 0 PID: 10393 Comm: syz-executor.2 Not tainted 4.14.141+ #40
task: 0000000066b1ed56 task.stack: 00000000b643a868
RIP: 0010:skb_queue_prev include/linux/skbuff.h:1406 [inline]
RIP: 0010:tcp_write_queue_prev include/net/tcp.h:1651 [inline]
RIP: 0010:tcp_rtx_queue_tail include/net/tcp.h:1706 [inline]
RIP: 0010:tcp_fragment+0x12c6/0x13e0 net/ipv4/tcp_output.c:1284
RSP: 0018:ffff8881dba07bf8 EFLAGS: 00010206
RAX: ffff8881aee42f00 RBX: ffff8881aeb38a80 RCX: 1ffff11035d67199
RDX: 0000000000000100 RSI: ffff8881af61b180 RDI: ffff8881af61b188
RBP: ffff8881af61b180 R08: 0000000001080020 R09: ffff88821ffff008
R10: ffff88821ffff017 R11: ffff88821ffff010 R12: 0000000000000000
R13: 0000000000004480 R14: 0000000001080020 R15: ffff8881aeb38cd0
FS:  0000000000000000(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200014c0 CR3: 0000000137c26001 CR4: 00000000001606b0
DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 tcp_write_wakeup+0x32b/0x570 net/ipv4/tcp_output.c:3708
 tcp_send_probe0+0x46/0x3cc net/ipv4/tcp_output.c:3736
 tcp_probe_timer net/ipv4/tcp_timer.c:365 [inline]
 tcp_write_timer_handler+0x687/0x780 net/ipv4/tcp_timer.c:583
 tcp_write_timer+0xc9/0x170 net/ipv4/tcp_timer.c:597
 call_timer_fn+0x15b/0x6a0 kernel/time/timer.c:1279
 expire_timers+0x227/0x4c0 kernel/time/timer.c:1318
 __run_timers kernel/time/timer.c:1634 [inline]
 run_timer_softirq+0x1eb/0x5d0 kernel/time/timer.c:1647
 __do_softirq+0x234/0x9ec kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x114/0x150 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:648 [inline]
 smp_apic_timer_interrupt+0x1a7/0x650 arch/x86/kernel/apic/apic.c:1102
 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:792
 </IRQ>
RIP: 0010:unwind_next_frame+0x34c/0x1810 arch/x86/kernel/unwind_orc.c:354
RSP: 0018:ffff8881b06bf428 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff10
RAX: ffffffffabc0b00b RBX: ffff8881b06bf4f8 RCX: 0000000000000000
RDX: 0000000000000015 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 1ffff110360d7e8c R08: ffffffffabc0b00a R09: ffff8881b06bfbd0
R10: ffff8881b06bf52d R11: 000000000001c033 R12: ffffffffabc0b006
R13: ffff8881b06bf530 R14: ffff8881b06bf540 R15: 0000000000000001
 __save_stack_trace+0x7a/0xf0 arch/x86/kernel/stacktrace.c:44
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 pte_lock_deinit include/linux/mm.h:1798 [inline]
 pgtable_page_dtor include/linux/mm.h:1830 [inline]
 ___pte_free_tlb+0x39/0xa0 arch/x86/mm/pgtable.c:59
 __pte_free_tlb arch/x86/include/asm/pgalloc.h:73 [inline]
 free_pte_range mm/memory.c:449 [inline]
 free_pmd_range mm/memory.c:467 [inline]
 free_pud_range mm/memory.c:501 [inline]
 free_p4d_range mm/memory.c:534 [inline]
 free_pgd_range+0x491/0xb60 mm/memory.c:614
 free_pgtables+0x11c/0x1c0 mm/memory.c:646
 exit_mmap+0x222/0x440 mm/mmap.c:3073
 __mmput kernel/fork.c:940 [inline]
 mmput+0xeb/0x370 kernel/fork.c:961
 exit_mm kernel/exit.c:545 [inline]
 do_exit+0x905/0x2a20 kernel/exit.c:862
 do_group_exit+0x100/0x2e0 kernel/exit.c:978
 get_signal+0x39f/0x1cc0 kernel/signal.c:2422
 do_signal+0x96/0x15d0 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x11d/0x160 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x3a3/0x520 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459879
RSP: 002b:00007faae6610cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075bfd0 RCX: 0000000000459879
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bfd0
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bfd4
R13: 00007ffcf4deec3f R14: 00007faae66119c0 R15: 000000000075bfd4
Code: ea 03 80 3c 02 00 0f 85 2c 01 00 00 4c 8b bb 58 02 00 00 ba 00 00 00 00 4c 3b 7c 24 18 4c 0f 44 fa e9 bd fc ff ff e8 4a d0 da fe <0f> 0b e8 c3 98 fd fe e9 4d ef ff ff e8 b9 98 fd fe e9 2d f2 ff 
RIP: skb_queue_prev include/linux/skbuff.h:1406 [inline] RSP: ffff8881dba07bf8
RIP: tcp_write_queue_prev include/net/tcp.h:1651 [inline] RSP: ffff8881dba07bf8
RIP: tcp_rtx_queue_tail include/net/tcp.h:1706 [inline] RSP: ffff8881dba07bf8
RIP: tcp_fragment+0x12c6/0x13e0 net/ipv4/tcp_output.c:1284 RSP: ffff8881dba07bf8
---[ end trace 1f3fd6ffaff2e554 ]---