Unable to handle kernel paging request at virtual address ffff700021885a00 KASAN: probably wild-memory-access in range [0xffff80010c42d000-0xffff80010c42d007] Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000206d55000 [ffff700021885a00] pgd=0000000000000000, p4d=000000023ea67003, pud=000000023ea66003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 7915 Comm: syz.3.164 Not tainted syzkaller #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : update_or_create_fnhe+0x864/0x12cc net/ipv4/route.c:732 lr : find_next_bit include/linux/find.h:70 [inline] lr : update_or_create_fnhe+0x818/0x12cc net/ipv4/route.c:728 sp : ffff80009d7a6880 x29: ffff80009d7a6940 x28: ffffffffffffffff x27: ffff800092e86000 x26: 1ffff00011e2fc48 x25: ffff0000d763c880 x24: ffff80010c42d000 x23: 0000000000000000 x22: 1fffe0001a54fa4b x21: 0000000000000000 x20: ffff0000d2a7d258 x19: dfff800000000000 x18: 00000000ffffffff x17: ffff800093599000 x16: ffff800080537e24 x15: 0000000000000001 x14: 1fffe00020580060 x13: 0000000000000000 x12: 0000000000000000 x11: ffff600020580061 x10: 0000000000ff0100 x9 : 0000000000000000 x8 : 1ffff00021885a00 x7 : ffff80008022ae74 x6 : ffff80008022b0b8 x5 : ffff0000f9b06ab0 x4 : ffff80009d7a66a0 x3 : ffff800089987b6c x2 : 0000000000000001 x1 : 0000000000000003 x0 : 0000000000000000 Call trace: update_or_create_fnhe+0x864/0x12cc net/ipv4/route.c:732 (P) __ip_rt_update_pmtu+0x5c4/0x7a8 net/ipv4/route.c:1063 ipv4_update_pmtu+0x1c4/0x2b8 net/ipv4/route.c:1098 icmp_err+0x204/0x400 net/ipv4/icmp.c:1587 gue_err_proto_handler+0xc0/0x178 net/ipv4/fou_core.c:1089 gue_err+0x720/0xaa4 net/ipv4/fou_core.c:1155 __udp4_lib_err_encap_no_sk net/ipv4/udp.c:845 [inline] __udp4_lib_err_encap net/ipv4/udp.c:912 [inline] __udp4_lib_err+0xc08/0xfc4 net/ipv4/udp.c:951 udp_err+0x8c/0xa0 net/ipv4/udp.c:1027 icmp_socket_deliver+0x16c/0x3b0 net/ipv4/icmp.c:1043 icmp_unreach+0x430/0x7a0 net/ipv4/icmp.c:1163 icmp_rcv+0xd04/0x1274 net/ipv4/icmp.c:1491 ip_protocol_deliver_rcu+0x1f8/0x484 net/ipv4/ip_input.c:207 ip_local_deliver_finish+0x2fc/0x644 net/ipv4/ip_input.c:241 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318 ip_local_deliver+0x120/0x194 net/ipv4/ip_input.c:262 dst_input include/net/dst.h:474 [inline] ip_rcv_finish+0x21c/0x248 net/ipv4/ip_input.c:453 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318 ip_rcv+0x7c/0x9c net/ipv4/ip_input.c:573 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x1c8/0x844 net/core/dev.c:6397 tun_rx_batched+0x478/0x5b4 drivers/net/tun.c:-1 tun_get_user+0x2354/0x359c drivers/net/tun.c:1953 tun_chr_write_iter+0xfc/0x204 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x540/0xa3c fs/read_write.c:686 ksys_write+0x120/0x210 fs/read_write.c:738 __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:746 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596 Code: 97a0daa7 f9400308 8b170118 d343ff08 (38736908) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: 97a0daa7 bl 0xfffffffffe836a9c 4: f9400308 ldr x8, [x24] 8: 8b170118 add x24, x8, x23 c: d343ff08 lsr x8, x24, #3 * 10: 38736908 ldrb w8, [x8, x19] <-- trapping instruction