I can reliably create a kernel oops that crashes my router by adding a new IPv6 server (v6 IP literal, and the connection fails) in znc. Other IPv6 connections, in znc and in other apps, work fine.
TP-Link Archer A7 v5, local build on 19.07 branch compiled last Friday. No ridiculous kernel option changes or anything, just a few pretty standard kmods (listed below.) Warning and subsequent oops from crashlog:
<4>[ 262.403973] ------------[ cut here ]------------
<4>[ 262.408781] WARNING: CPU: 0 PID: 0 at net/ipv4/tcp_timer.c:429 tcp_retransmit_timer+0x140/0x70c
<4>[ 262.417775] Modules linked in: ath9k ath9k_common ath9k_hw ath10k_pci ath10k_core ath nf_conntrack_ipv6 mac80211 lz4 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CT xt_CLASSIFY nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache lz4_decompress lz4_compress iptable_raw iptable_mangle iptable_filter ipt_ECN ip_tables compat fuse sch_cake nf_conntrack sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_tcindex
<4>[ 262.491646] cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred sg ledtrig_usbport nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 msdos ifb sit tunnel4 ip_tunnel loop vfat fat cifs nls_utf8 nls_iso8859_1 nls_cp437 sha256_generic md5 md4 hmac ecb des_generic usb_storage ehci_platform sd_mod scsi_mod ehci_hcd gpio_button_hotplug exfat usbcore nls_base usb_common aead crypto_null crc32c_generic cryptomgr lzo lzo_decompress lzo_compress crypto_acompress ext4 mbcache jbd2 crypto_hash crc16 zram zsmalloc
<4>[ 262.544418] CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.145 #0
<4>[ 262.550522] Stack : 80510000 804e224c 00000000 00000000 804b84d4 87c07dc4 804f7d0c 804f7927
<4>[ 262.559167] 804b4650 00000000 80643670 000001ad 80502ef4 00000001 87c07d78 214d680b
<4>[ 262.567812] 00000000 00000000 80640000 000054e8 00000000 00000000 00000008 00000000
<4>[ 262.576458] 00000110 6efe2db0 0000010f 00000000 00000000 00000009 00000000 804dd274
<4>[ 262.585111] 8036223c 000001ad 80502ef4 80502eb4 00000002 80270b24 00000000 80640000
<4>[ 262.593743] ...
<4>[ 262.596280] Call Trace:
<4>[ 262.598821] [<8006aa9c>] show_stack+0x58/0x100
<4>[ 262.603429] [<80085120>] __warn+0xe4/0x13c
<4>[ 262.607669] [<80085208>] warn_slowpath_null+0x1c/0x34
<4>[ 262.612890] [<8036223c>] tcp_retransmit_timer+0x140/0x70c
<4>[ 262.618471] [<803629f8>] tcp_write_timer_handler+0x1f0/0x580
<4>[ 262.624317] [<80362db0>] tcp_write_timer+0x28/0xb0
<4>[ 262.629285] [<800bea60>] call_timer_fn.isra.26+0x24/0x84
<4>[ 262.634780] [<800bec34>] run_timer_softirq+0x174/0x1ec
<4>[ 262.640086] [<8041dd98>] __do_softirq+0xe8/0x2bc
<4>[ 262.644883] [<80222530>] plat_irq_dispatch+0xc0/0x120
<4>[ 262.650101] [<800658d8>] handle_int+0x138/0x144
<4>[ 262.654786] [<800673cc>] r4k_wait_irqoff+0x18/0x24
<4>[ 262.659732] ---[ end trace fe1c0d61de505a2c ]---
<1>[ 262.664523] CPU 0 Unable to handle kernel paging request at virtual address 00000020, epc == 8036021c, ra == 803600dc
<4>[ 262.675482] Oops[#1]:
<4>[ 262.677831] CPU: 0 PID: 0 Comm: swapper Tainted: G W 4.14.145 #0
<4>[ 262.685192] task: 804f7a30 task.stack: 804f2000
<4>[ 262.689867] $ 0 : 00000000 00000001 fffffff5 00000010
<4>[ 262.695269] $ 4 : 00000000 00000000 00000001 00000000
<4>[ 262.700671] $ 8 : 00000001 66f0d47e 05b579e8 2be8a6b4
<4>[ 262.706075] $12 : 39f46892 77570e58 00000123 00000000
<4>[ 262.711478] $16 : 85ea2080 00000000 85ea2164 80500000
<4>[ 262.716881] $20 : 80500000 ffffffff 80502ef4 80502eb4
<4>[ 262.722284] $24 : 00000003 80270b24
<4>[ 262.727687] $28 : 804f2000 87c07e50 80502ea0 803600dc
<4>[ 262.733090] Hi : 05b579e8
<4>[ 262.736056] Lo : 2be8a6b4
<4>[ 262.739027] epc : 8036021c tcp_retransmit_skb+0x15c/0x17c
<4>[ 262.744777] ra : 803600dc tcp_retransmit_skb+0x1c/0x17c
<4>[ 262.750437] Status: 1100dc03 KERNEL EXL IE
<4>[ 262.754756] Cause : 00800008 (ExcCode 02)
<4>[ 262.758886] BadVA : 00000020
<4>[ 262.761852] PrId : 00019750 (MIPS 74Kc)
<4>[ 262.765900] Modules linked in: ath9k ath9k_common ath9k_hw ath10k_pci ath10k_core ath nf_conntrack_ipv6 mac80211 lz4 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_recent xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_helper xt_ecn xt_dscp xt_conntrack xt_connmark xt_connlimit xt_connbytes xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CT xt_CLASSIFY nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache lz4_decompress lz4_compress iptable_raw iptable_mangle iptable_filter ipt_ECN ip_tables compat fuse sch_cake nf_conntrack sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_tcindex
<4>[ 262.839741] cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred sg ledtrig_usbport nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 msdos ifb sit tunnel4 ip_tunnel loop vfat fat cifs nls_utf8 nls_iso8859_1 nls_cp437 sha256_generic md5 md4 hmac ecb des_generic usb_storage ehci_platform sd_mod scsi_mod ehci_hcd gpio_button_hotplug exfat usbcore nls_base usb_common aead crypto_null crc32c_generic cryptomgr lzo lzo_decompress lzo_compress crypto_acompress ext4 mbcache jbd2 crypto_hash crc16 zram zsmalloc
<4>[ 262.892492] Process swapper (pid: 0, threadinfo=804f2000, task=804f7a30, tls=00000000)
<4>[ 262.900658] Stack : 0000003d 00000001 184252ee 80503d70 00000000 85ea2080 00000001 8036262c
<4>[ 262.909296] 18dad680 800cf404 80500000 804b904c 80503740 00000003 85ea2080 85ea2080
<4>[ 262.917934] 00000200 80500000 00000000 803629f8 805037d8 800c01c4 86de4bc0 86876a14
<4>[ 262.926570] 8686778c 85ea20e4 85ea2080 80362db0 804f9040 805011f8 00000000 87c07f5c
<4>[ 262.935199] 00000007 00000100 80362d88 800bea60 00000001 8006ddf4 87c90cb0 00000001
<4>[ 262.943827] ...
<4>[ 262.946356] Call Trace:
<4>[ 262.948878] [<8036021c>] tcp_retransmit_skb+0x15c/0x17c
<4>[ 262.954275] [<8036262c>] tcp_retransmit_timer+0x530/0x70c
<4>[ 262.959845] [<803629f8>] tcp_write_timer_handler+0x1f0/0x580
<4>[ 262.965687] [<80362db0>] tcp_write_timer+0x28/0xb0
<4>[ 262.970646] [<800bea60>] call_timer_fn.isra.26+0x24/0x84
<4>[ 262.976127] [<800bec34>] run_timer_softirq+0x174/0x1ec
<4>[ 262.981434] [<8041dd98>] __do_softirq+0xe8/0x2bc
<4>[ 262.986205] [<80222530>] plat_irq_dispatch+0xc0/0x120
<4>[ 262.991424] [<800658d8>] handle_int+0x138/0x144
<4>[ 262.996100] [<800673cc>] r4k_wait_irqoff+0x18/0x24
<4>[ 263.001043] Code: 00000000 ae000598 00002025 <96230020> 00641821 ae030598 8fbf001c 8fb10018 8fb00014
<4>[ 263.011117]
<4>[ 263.012679] ---[ end trace fe1c0d61de505a2d ]---
tcp_timer.c:429 is:
WARN_ON(tcp_write_queue_empty(sk));
root@gatekeeper:/sys/kernel/debug# uname -a
Linux gatekeeper 4.14.145 #0 Fri Sep 20 13:52:25 2019 mips GNU/Linux