------------[ cut here ]------------
WARNING: CPU: 0 PID: 15322 at net/ipv4/route.c:1275 ip_rt_bug+0x2c/0x110 net/ipv4/route.c:1275
Modules linked in:
CPU: 0 UID: 0 PID: 15322 Comm: syz.5.12044 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:ip_rt_bug+0x2c/0x110 net/ipv4/route.c:1275
Code: 1e fa 41 57 41 56 41 55 41 54 53 48 89 d3 e8 cb 02 0f f8 66 90 e8 c4 02 0f f8 31 ff 48 89 de ba 02 00 00 00 e8 a5 03 6f ff 90 <0f> 0b 90 31 c0 5b 41 5c 41 5d 41 5e 41 5f e9 91 93 98 01 cc f3 0f
RSP: 0018:ffffc90000007620 EFLAGS: 00010286
RAX: 0e468dfb8b0e3c00 RBX: ffff88807e04b500 RCX: 0e468dfb8b0e3c00
RDX: 0000000000000002 RSI: ffffffff8d70ed5a RDI: ffffffff8bbf08e0
RBP: 0000000000000001 R08: ffffffff8f7cf477 R09: 1ffffffff1ef9e8e
R10: dffffc0000000000 R11: fffffbfff1ef9e8f R12: dffffc0000000000
R13: dffffc0000000000 R14: ffff88807e04b500 R15: ffff8881456b1e00
FS: 00007fcd4aea76c0(0000) GS:ffff888126138000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcd4ae85f98 CR3: 000000005f06a000 CR4: 00000000003526f0
Call Trace:
ip_local_out net/ipv4/ip_output.c:131 [inline]
ip_send_skb net/ipv4/ip_output.c:1508 [inline]
ip_push_pending_frames+0xbe/0x150 net/ipv4/ip_output.c:1528
__icmp_send+0xfc3/0x1320 net/ipv4/icmp.c:787
ipv4_send_dest_unreach net/ipv4/route.c:1255 [inline]
ipv4_link_failure+0x65e/0xa50 net/ipv4/route.c:1262
dst_link_failure include/net/dst.h:432 [inline]
arp_error_report+0x118/0x160 net/ipv4/arp.c:296
neigh_invalidate+0x235/0x460 net/core/neighbour.c:1082
neigh_timer_handler+0x949/0x1150 net/core/neighbour.c:1173
call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1748
expire_timers kernel/time/timer.c:1799 [inline]
__run_timers kernel/time/timer.c:2373 [inline]
__run_timer_base+0x61a/0x860 kernel/time/timer.c:2385
run_timer_base kernel/time/timer.c:2394 [inline]
run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2404
handle_softirqs+0x286/0x870 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:check_preemption_disabled+0x17/0x120 lib/smp_processor_id.c:14
Code: 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 41 56 53 48 83 ec 10 65 48 8b 05 de b4 27 07 48 89 44 24 08 <65> 8b 05 e6 b4 27 07 65 8b 0d db b4 27 07 f7 c1 ff ff ff 7f 74 23
RSP: 0018:ffffc9000d21f3d0 EFLAGS: 00000282
RAX: 0e468dfb8b0e3c00 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff8bbf08c0 RDI: ffffffff8bbf0880
RBP: ffffffff822dccdb R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000406 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8880b883b580 R14: 0000000000000000 R15: 0000000000000001
rcu_is_watching_curr_cpu include/linux/context_tracking.h:128 [inline]
rcu_is_watching+0x15/0xb0 kernel/rcu/tree.c:751
trace_lock_acquire include/trace/events/lock.h:24 [inline]
lock_acquire+0x5f/0x360 kernel/locking/lockdep.c:5831
local_trylock_acquire include/linux/local_lock_internal.h:48 [inline]
consume_obj_stock mm/memcontrol.c:2926 [inline]
obj_cgroup_charge_account+0x15b/0x660 mm/memcontrol.c:3070
__memcg_slab_post_alloc_hook+0x3db/0x7d0 mm/memcontrol.c:3188
memcg_slab_post_alloc_hook mm/slub.c:2342 [inline]
slab_post_alloc_hook mm/slub.c:4989 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_lru_noprof+0x410/0x6d0 mm/slub.c:5307
__d_alloc+0x36/0x7a0 fs/dcache.c:1690
prepare_anon_dentry fs/libfs.c:2181 [inline]
path_from_stashed+0x384/0x5c0 fs/libfs.c:2249
proc_ns_get_link+0xec/0x210 fs/proc/namespaces.c:61
pick_link+0x636/0xe80 fs/namei.c:-1
step_into+0xbc9/0xe80 fs/namei.c:2021
open_last_lookups fs/namei.c:3922 [inline]
path_openat+0x1bc6/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd49f8df90
Code: 48 89 44 24 20 75 93 44 89 54 24 0c e8 69 95 02 00 44 8b 54 24 0c 89 da 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 38 44 89 c7 89 44 24 0c e8 bc 95 02 00 8b 44
RSP: 002b:00007fcd4aea6f60 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcd49f8df90
RDX: 0000000000000000 RSI: 00007fcd4a01407e RDI: 00000000ffffff9c
RBP: 00007fcd4a01407e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007fcd4a1e6038 R14: 00007fcd4a1e5fa0 R15: 00007ffce0fcfdd8
----------------
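Code disassembly (best guess):
Note: this decodes the second "Code:" line above (RIP check_preemption_disabled+0x17, the task context the APIC timer interrupt landed on), so the instruction marked below is the interrupted one. The WARNING itself was raised at ip_rt_bug+0x2c, where the first "Code:" line marks <0f> 0b (ud2); triage should start from the softirq call chain ending in ip_rt_bug, not from this listing.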
0: 00 00 add %al,(%rax)
2: 00 90 90 90 90 90 add %dl,-0x6f6f6f70(%rax)
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 55 push %rbp
14: 41 57 push %r15
16: 41 56 push %r14
18: 53 push %rbx
19: 48 83 ec 10 sub $0x10,%rsp
1d: 65 48 8b 05 de b4 27 mov %gs:0x727b4de(%rip),%rax # 0x727b503
24: 07
25: 48 89 44 24 08 mov %rax,0x8(%rsp)
* 2a: 65 8b 05 e6 b4 27 07 mov %gs:0x727b4e6(%rip),%eax # 0x727b517 <-- trapping instruction
31: 65 8b 0d db b4 27 07 mov %gs:0x727b4db(%rip),%ecx # 0x727b513
38: f7 c1 ff ff ff 7f test $0x7fffffff,%ecx
3e: 74 23 je 0x63