------------[ cut here ]------------
kernel BUG at ./include/linux/skbuff.h:1406!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Modules linked in:
CPU: 0 PID: 10393 Comm: syz-executor.2 Not tainted 4.14.141+ #40
task: 0000000066b1ed56 task.stack: 00000000b643a868
RIP: 0010:skb_queue_prev include/linux/skbuff.h:1406 [inline]
RIP: 0010:tcp_write_queue_prev include/net/tcp.h:1651 [inline]
RIP: 0010:tcp_rtx_queue_tail include/net/tcp.h:1706 [inline]
RIP: 0010:tcp_fragment+0x12c6/0x13e0 net/ipv4/tcp_output.c:1284
RSP: 0018:ffff8881dba07bf8 EFLAGS: 00010206
RAX: ffff8881aee42f00 RBX: ffff8881aeb38a80 RCX: 1ffff11035d67199
RDX: 0000000000000100 RSI: ffff8881af61b180 RDI: ffff8881af61b188
RBP: ffff8881af61b180 R08: 0000000001080020 R09: ffff88821ffff008
R10: ffff88821ffff017 R11: ffff88821ffff010 R12: 0000000000000000
R13: 0000000000004480 R14: 0000000001080020 R15: ffff8881aeb38cd0
FS:  0000000000000000(0000) GS:ffff8881dba00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200014c0 CR3: 0000000137c26001 CR4: 00000000001606b0
DR0: 0000000020000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 tcp_write_wakeup+0x32b/0x570 net/ipv4/tcp_output.c:3708
 tcp_send_probe0+0x46/0x3cc net/ipv4/tcp_output.c:3736
 tcp_probe_timer net/ipv4/tcp_timer.c:365 [inline]
 tcp_write_timer_handler+0x687/0x780 net/ipv4/tcp_timer.c:583
 tcp_write_timer+0xc9/0x170 net/ipv4/tcp_timer.c:597
 call_timer_fn+0x15b/0x6a0 kernel/time/timer.c:1279
 expire_timers+0x227/0x4c0 kernel/time/timer.c:1318
 __run_timers kernel/time/timer.c:1634 [inline]
 run_timer_softirq+0x1eb/0x5d0 kernel/time/timer.c:1647
 __do_softirq+0x234/0x9ec kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x114/0x150 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:648 [inline]
 smp_apic_timer_interrupt+0x1a7/0x650 arch/x86/kernel/apic/apic.c:1102
 apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:792
RIP: 0010:unwind_next_frame+0x34c/0x1810 arch/x86/kernel/unwind_orc.c:354
RSP: 0018:ffff8881b06bf428 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff10
RAX: ffffffffabc0b00b RBX: ffff8881b06bf4f8 RCX: 0000000000000000
RDX: 0000000000000015 RSI: 0000000000000000 RDI: 0000000000000002
RBP: 1ffff110360d7e8c R08: ffffffffabc0b00a R09: ffff8881b06bfbd0
R10: ffff8881b06bf52d R11: 000000000001c033 R12: ffffffffabc0b006
R13: ffff8881b06bf530 R14: ffff8881b06bf540 R15: 0000000000000001
 __save_stack_trace+0x7a/0xf0 arch/x86/kernel/stacktrace.c:44
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 pte_lock_deinit include/linux/mm.h:1798 [inline]
 pgtable_page_dtor include/linux/mm.h:1830 [inline]
 ___pte_free_tlb+0x39/0xa0 arch/x86/mm/pgtable.c:59
 __pte_free_tlb arch/x86/include/asm/pgalloc.h:73 [inline]
 free_pte_range mm/memory.c:449 [inline]
 free_pmd_range mm/memory.c:467 [inline]
 free_pud_range mm/memory.c:501 [inline]
 free_p4d_range mm/memory.c:534 [inline]
 free_pgd_range+0x491/0xb60 mm/memory.c:614
 free_pgtables+0x11c/0x1c0 mm/memory.c:646
 exit_mmap+0x222/0x440 mm/mmap.c:3073
 __mmput kernel/fork.c:940 [inline]
 mmput+0xeb/0x370 kernel/fork.c:961
 exit_mm kernel/exit.c:545 [inline]
 do_exit+0x905/0x2a20 kernel/exit.c:862
 do_group_exit+0x100/0x2e0 kernel/exit.c:978
 get_signal+0x39f/0x1cc0 kernel/signal.c:2422
 do_signal+0x96/0x15d0 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x11d/0x160 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x3a3/0x520 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459879
RSP: 002b:00007faae6610cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 000000000075bfd0 RCX: 0000000000459879
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bfd0
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000075bfd4
R13: 00007ffcf4deec3f R14: 00007faae66119c0 R15: 000000000075bfd4
Code: ea 03 80 3c 02 00 0f 85 2c 01 00 00 4c 8b bb 58 02 00 00 ba 00 00 00 00 4c 3b 7c 24 18 4c 0f 44 fa e9 bd fc ff ff e8 4a d0 da fe <0f> 0b e8 c3 98 fd fe e9 4d ef ff ff e8 b9 98 fd fe e9 2d f2 ff
RIP: skb_queue_prev include/linux/skbuff.h:1406 [inline] RSP: ffff8881dba07bf8
RIP: tcp_write_queue_prev include/net/tcp.h:1651 [inline] RSP: ffff8881dba07bf8
RIP: tcp_rtx_queue_tail include/net/tcp.h:1706 [inline] RSP: ffff8881dba07bf8
RIP: tcp_fragment+0x12c6/0x13e0 net/ipv4/tcp_output.c:1284 RSP: ffff8881dba07bf8
---[ end trace 1f3fd6ffaff2e554 ]---