------------[ cut here ]------------
kernel BUG at net/ipv4/tcp_output.c:2591!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 6596 Comm: syz-executor154 Not tainted 4.4.132-g4b08356 #50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801c8240000 task.stack: ffff8801c1e78000
RIP: 0010:[<ffffffff8328aff5>]  [<ffffffff8328aff5>] __tcp_retransmit_skb+0x17e5/0x1860 net/ipv4/tcp_output.c:2591
RSP: 0018:ffff8801db207b60  EFLAGS: 00010206
RAX: ffff8801c8240000 RBX: ffff8801c86daf28 RCX: ffff8800b3370244
RDX: 0000000000000100 RSI: ffffffff8328aff5 RDI: ffff8801c86daf2c
RBP: ffff8801db207c08 R08: 000000212202db5e R09: 0000000000000006
R10: ffffed0043fffa01 R11: 0000000000000001 R12: 000000004b11c8b4
R13: 000000004b02e3fc R14: ffff8801c86daf00 R15: ffff8800b3370000
FS:  00007f6b1eb02700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffc5facfcc CR3: 00000000b328d000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 000000212202db5e ffffffffffffffff 000000212224b80d ffff8800b3370000
 0000000000000004 ffff8800b3370854 00000000ffffffff ffff8800b3370244
 ffff8801db207bc8 ffffffff833a936e ffff8800b3370000 ffffffff833a8f50
Call Trace:
 <IRQ> 
 [<ffffffff8328b763>] tcp_retransmit_skb+0x23/0x2c0 net/ipv4/tcp_output.c:2664
 [<ffffffff8329104d>] tcp_retransmit_timer+0x7bd/0x1ed0 net/ipv4/tcp_timer.c:461
 [<ffffffff83292951>] tcp_write_timer_handler+0x1f1/0x6f0 net/ipv4/tcp_timer.c:543
 [<ffffffff83292f0a>] tcp_write_timer+0xba/0xd0 net/ipv4/tcp_timer.c:561
 [<ffffffff8129085c>] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185
 [<ffffffff81291582>] __run_timers kernel/time/timer.c:1261 [inline]
 [<ffffffff81291582>] run_timer_softirq+0x642/0xb90 kernel/time/timer.c:1444
 [<ffffffff838c376c>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
 [<ffffffff8113f75d>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8113f75d>] irq_exit+0x10d/0x140 kernel/softirq.c:391
 [<ffffffff838c2ed1>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
 [<ffffffff838c2ed1>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926
 [<ffffffff838c1e10>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 <EOI> 
 [<ffffffff8101687b>] print_context_stack+0x4b/0xd0 arch/x86/kernel/dumpstack.c:107
 [<ffffffff81015dba>] dump_trace+0x17a/0x360 arch/x86/kernel/dumpstack_64.c:243
 [<ffffffff810341d6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f8143>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f8427>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f8427>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814f8c04>] kasan_krealloc+0x64/0x80 mm/kasan/kasan.c:654
 [<ffffffff814f1dfa>] ksize+0x8a/0xf0 mm/slub.c:3727
 [<ffffffff81479b37>] __do_krealloc mm/slab_common.c:1193 [inline]
 [<ffffffff81479b37>] __krealloc+0x27/0xb0 mm/slab_common.c:1222
 [<ffffffff830f7f63>] __nf_ct_ext_add_length+0x223/0xb50 net/netfilter/nf_conntrack_extend.c:104
 [<ffffffff8312d9c6>] nf_ct_nat_ext_add+0xf6/0x130 net/netfilter/nf_nat_core.c:373
 [<ffffffff8337e062>] nf_nat_ipv4_fn+0x122/0x690 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c:284
 [<ffffffff8337f502>] nf_nat_ipv4_local_fn+0x122/0x470 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c:422
 [<ffffffff833951ec>] iptable_nat_ipv4_local_fn+0x2c/0x40 net/ipv4/netfilter/iptable_nat.c:64
 [<ffffffff830c0e32>] nf_iterate+0x182/0x210 net/netfilter/core.c:274
 [<ffffffff830c1076>] nf_hook_slow+0x1b6/0x340 net/netfilter/core.c:306
 [<ffffffff832182e4>] nf_hook_thresh include/linux/netfilter.h:187 [inline]
 [<ffffffff832182e4>] nf_hook include/linux/netfilter.h:197 [inline]
 [<ffffffff832182e4>] __ip_local_out+0x2b4/0x440 net/ipv4/ip_output.c:108
 [<ffffffff83218499>] ip_local_out+0x29/0x180 net/ipv4/ip_output.c:117
 [<ffffffff8321980e>] ip_queue_xmit+0x88e/0x1ab0 net/ipv4/ip_output.c:461
 [<ffffffff8327f3b2>] tcp_transmit_skb+0x1642/0x2bf0 net/ipv4/tcp_output.c:1029
 [<ffffffff83287e09>] tcp_connect+0x1d59/0x2c60 net/ipv4/tcp_output.c:3276
 [<ffffffff832998a1>] tcp_v4_connect+0xf31/0x1890 net/ipv4/tcp_ipv4.c:246
 [<ffffffff832f7aa9>] __inet_stream_connect+0x2a9/0xc30 net/ipv4/af_inet.c:615
 [<ffffffff832f8485>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:676
 [<ffffffff82f1d788>] SYSC_connect+0x1b8/0x300 net/socket.c:1557
 [<ffffffff82f200c4>] SyS_connect+0x24/0x30 net/socket.c:1538
 [<ffffffff838c02a5>] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: e0 26 fe e9 aa ed ff ff e8 89 e0 26 fe e9 4f f5 ff ff e8 7f e0 26 fe e9 6b f5 ff ff e8 95 e0 26 fe e9 d3 ef ff ff e8 fb 61 0c fe <0f> 0b 4c 89 f7 e8 81 e0 26 fe e9 d9 ec ff ff e8 f7 e0 26 fe e9 
RIP  [<ffffffff8328aff5>] __tcp_retransmit_skb+0x17e5/0x1860 net/ipv4/tcp_output.c:2591
 RSP <ffff8801db207b60>
---[ end trace f8ddff88097077a9 ]---