------------[ cut here ]------------
WARNING: CPU: 1 PID: 23472 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295
Modules linked in:
CPU: 1 PID: 23472 Comm: syz-executor.2 Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295
Code: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 92 41 4f fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 fb 3d 4f fa <0f> 0b e9 06 f9 ff ff e8 8f b7 96 fa e9 69 f0 ff ff e8 75 b7 96 fa
RSP: 0018:ffffc90000dc04f0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffffff1c RCX: 0000000000000100
RDX: ffff888020038000 RSI: ffffffff87298235 RDI: 0000000000000003
RBP: ffff88804b097280 R08: 00000000ffffff1c R09: 0000000000000000
R10: ffffffff87297b39 R11: 0000000000000000 R12: ffff888078b8ba00
R13: ffff88807d6a52c0 R14: ffff88804799e2c0 R15: 000000000000009c
FS: 0000555556564400(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020023000 CR3: 000000004771a000 CR4: 00000000003506e0
DR0: 0000000000000006 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline]
tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630
tcp_ooo_try_coalesce net/ipv4/tcp_input.c:4675 [inline]
tcp_data_queue_ofo net/ipv4/tcp_input.c:4861 [inline]
tcp_data_queue+0x2007/0x4bb0 net/ipv4/tcp_input.c:5085
tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947
tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719
tcp_v4_rcv+0x27d7/0x3170 net/ipv4/tcp_ipv4.c:2119
ip_protocol_deliver_rcu+0xa3/0xf30 net/ipv4/ip_input.c:204
ip_local_deliver_finish+0x20a/0x370 net/ipv4/ip_input.c:231
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip_local_deliver+0x1b3/0x200 net/ipv4/ip_input.c:252
dst_input include/net/dst.h:461 [inline]
ip_rcv_finish+0x1cb/0x2f0 net/ipv4/ip_input.c:429
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:540
deliver_skb net/core/dev.c:2135 [inline]
deliver_ptype_list_skb net/core/dev.c:2150 [inline]
__netif_receive_skb_core+0xf94/0x3850 net/core/dev.c:5307
__netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5349
__netif_receive_skb+0x24/0x1b0 net/core/dev.c:5465
process_backlog+0x2a5/0x6c0 net/core/dev.c:5797
__napi_poll+0xb3/0x6e0 net/core/dev.c:6365
napi_poll net/core/dev.c:6432 [inline]
net_rx_action+0x801/0xb40 net/core/dev.c:6519
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:lock_acquire+0x1ef/0x510 kernel/locking/lockdep.c:5607
Code: e5 a4 7e 83 f8 01 0f 85 b4 02 00 00 9c 58 f6 c4 02 0f 85 9f 02 00 00 48 83 7c 24 08 00 74 01 fb 48 b8 00 00 00 00 00 fc ff df <48> 01 c3 48 c7 03 00 00 00 00 48 c7 43 08 00 00 00 00 48 8b 84 24
RSP: 0018:ffffc9000287f9d0 EFLAGS: 00000206
RAX: dffffc0000000000 RBX: 1ffff9200050ff3c RCX: eb80112f77adcc7c
RDX: 1ffff1100400714b RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff8ffc6947
R10: fffffbfff1ff8d28 R11: 0000000000000001 R12: 0000000000000002
R13: 0000000000000000 R14: ffffffff8bb84ca0 R15: 0000000000000000
rcu_lock_acquire include/linux/rcupdate.h:268 [inline]
rcu_read_lock include/linux/rcupdate.h:694 [inline]
percpu_ref_tryget_many.constprop.0+0x2b/0x190 include/linux/percpu-refcount.h:241
percpu_ref_tryget include/linux/percpu-refcount.h:266 [inline]
css_tryget include/linux/cgroup.h:354 [inline]
css_tryget include/linux/cgroup.h:351 [inline]
get_mem_cgroup_from_objcg+0x141/0x170 mm/memcontrol.c:2758
obj_cgroup_charge_pages+0xe/0x90 mm/memcontrol.c:3015
__memcg_kmem_charge_page+0x392/0x5f0 mm/memcontrol.c:3044
memcg_kmem_charge_page include/linux/memcontrol.h:1696 [inline]
memcg_charge_kernel_stack kernel/fork.c:418 [inline]
dup_task_struct kernel/fork.c:891 [inline]
copy_process+0x80a/0x7250 kernel/fork.c:1998
kernel_clone+0xe7/0xab0 kernel/fork.c:2565
__do_sys_clone+0xc8/0x110 kernel/fork.c:2682
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb1075d3471
Code: 48 85 ff 74 3d 48 85 f6 74 38 48 83 ee 10 48 89 4e 08 48 89 3e 48 89 d7 4c 89 c2 4d 89 c8 4c 8b 54 24 08 b8 38 00 00 00 0f 05 <48> 85 c0 7c 13 74 01 c3 31 ed 58 5f ff d0 48 89 c7 b8 3c 00 00 00
RSP: 002b:00007fb107c18a68 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007fb105e81700 RCX: 00007fb1075d3471
RDX: 00007fb105e819d0 RSI: 00007fb105e812f0 RDI: 00000000003d0f00
RBP: 00007fb107c18cb0 R08: 00007fb105e81700 R09: 00007fb105e81700
R10: 00007fb105e819d0 R11: 0000000000000206 R12: 00007fb107c18b1e
R13: 00007fb107c18b1f R14: 00007fb105e81300 R15: 0000000000022000
----------------
Code disassembly (best guess):
0: e5 a4 in $0xa4,%eax
2: 7e 83 jle 0xffffff87
4: f8 clc
5: 01 0f add %ecx,(%rdi)
7: 85 b4 02 00 00 9c 58 test %esi,0x589c0000(%rdx,%rax,1)
e: f6 c4 02 test $0x2,%ah
11: 0f 85 9f 02 00 00 jne 0x2b6
17: 48 83 7c 24 08 00 cmpq $0x0,0x8(%rsp)
1d: 74 01 je 0x20
1f: fb sti
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 48 01 c3 add %rax,%rbx <-- trapping instruction
2d: 48 c7 03 00 00 00 00 movq $0x0,(%rbx)
34: 48 c7 43 08 00 00 00 movq $0x0,0x8(%rbx)
3b: 00
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 84 .byte 0x84
3f: 24 .byte 0x24