------------[ cut here ]------------
kernel BUG at net/netfilter/nf_conntrack_core.c:570!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 17217 Comm: syz.1.3059 Not tainted 5.15.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
RIP: 0010:nf_ct_del_from_dying_or_unconfirmed_list net/netfilter/nf_conntrack_core.c:570 [inline]
RIP: 0010:__nf_conntrack_confirm+0x109d/0x10a0 net/netfilter/nf_conntrack_core.c:1207
Code: fc ff ff e8 f5 8a 69 f9 48 c7 c7 c0 03 64 8d 48 c7 c6 80 56 03 8b 48 8b 54 24 08 e8 2d 02 e9 fb e9 fa f1 ff ff e8 d3 8a 69 f9 <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 89 fb 48 bd 00 00 00 00
RSP: 0000:ffffc90000007500 EFLAGS: 00010246
RAX: ffffffff880e329d RBX: ffffe8ffffc27000 RCX: ffff888023098000
RDX: 0000000000000100 RSI: 0000000000000004 RDI: ffffc90000007480
RBP: ffff888060085800 R08: 0000000000000004 R09: 0000000000000003
R10: fffff52000000e90 R11: 1ffff92000000e90 R12: 0000000000034fa4
R13: 0000000000000000 R14: ffff888060085858 R15: 0000000000000000
FS:  000055557151d500(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c230000 CR3: 0000000064aba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 nf_conntrack_confirm include/net/netfilter/nf_conntrack_core.h:62 [inline]
 nf_confirm+0x381/0x4b0 net/netfilter/nf_conntrack_proto.c:154
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xb9/0x200 net/netfilter/core.c:584
 nf_hook+0x1f2/0x350 include/linux/netfilter.h:257
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip_output+0x1ea/0x2b0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:452 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 __ip_queue_xmit+0x11c3/0x1c00 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x1d2a/0x3410 net/ipv4/tcp_output.c:1404
 tcp_send_probe0+0x4d/0x450 net/ipv4/tcp_output.c:4118
 tcp_probe_timer net/ipv4/tcp_timer.c:395 [inline]
 tcp_write_timer_handler+0x686/0x9a0 net/ipv4/tcp_timer.c:659
 tcp_write_timer+0x126/0x280 net/ipv4/tcp_timer.c:675
 call_timer_fn+0x16c/0x530 kernel/time/timer.c:1451
 expire_timers kernel/time/timer.c:1496 [inline]
 __run_timers+0x525/0x7c0 kernel/time/timer.c:1767
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
 handle_softirqs+0x328/0x820 kernel/softirq.c:558
 __do_softirq kernel/softirq.c:592 [inline]
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:641
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:653
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:qlist_free_all+0x2d/0x90 mm/kasan/quarantine.c:176
Code: 56 41 55 41 54 53 4c 8b 3f 4d 85 ff 74 6d 49 89 f6 48 89 fb 49 bc 00 00 00 00 00 ea ff ff eb 1a 4c 01 e0 48 8b 70 18 4d 8b 2f <4c> 89 ff e8 db 03 00 00 4d 89 ef 4d 85 ed 74 2a 4c 89 f6 4d 85 f6
RSP: 0000:ffffc9000316f8a0 EFLAGS: 00000286
RAX: ffffea0001699200 RBX: ffffc9000316f8d0 RCX: ffffea0001699200
RDX: 0000000000000000 RSI: ffff888016842140 RDI: 0000000000000000
RBP: ffffc9000316fb28 R08: ffff88801f664280 R09: 00000000800c0009
R10: fffffbfff1ff341f R11: 1ffffffff1ff341e R12: ffffea0000000000
R13: ffff88801f664640 R14: 0000000000000000 R15: ffff88805a64a000
 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xd0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x4c/0x380 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x100/0x290 mm/slub.c:3233
 ptlock_alloc+0x1c/0x60 mm/memory.c:5556
 ptlock_init include/linux/mm.h:2230 [inline]
 pgtable_pte_page_ctor include/linux/mm.h:2257 [inline]
 __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline]
 pte_alloc_one+0xc5/0x2f0 arch/x86/mm/pgtable.c:33
 do_fault_around mm/memory.c:4237 [inline]
 do_read_fault mm/memory.c:4258 [inline]
 do_fault mm/memory.c:4392 [inline]
 handle_pte_fault mm/memory.c:4650 [inline]
 __handle_mm_fault mm/memory.c:4785 [inline]
 handle_mm_fault+0x2518/0x43c0 mm/memory.c:4883
 do_user_addr_fault+0x489/0xc80 arch/x86/mm/fault.c:1357
 handle_page_fault arch/x86/mm/fault.c:1445 [inline]
 exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1501
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0033:0x7f59fd2f6c00
Code: 66 2e 0f 1f 84 00 00 00 00 00 48 c7 43 50 04 00 00 00 e9 06 fe ff ff 0f 1f 00 48 8b 0d 81 34 34 00 48 81 ce ff ff ff 3f 31 c0 <48> 3b 34 c1 74 5b 48 83 c0 01 48 83 f8 04 75 f0 e9 6b fe ff ff 0f
RSP: 002b:00007fffd34e2280 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007f59fe16d720 RCX: 000000110c230000
RDX: 00000000000010d2 RSI: ffffffffbfffffff RDI: 0000000000000000
RBP: ffffffff819cb0d2 R08: 00007f59fd63e038 R09: 00007f59fd62a000
R10: 00007f59fca87008 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff819cb9b8 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 4f97e754daddfd69 ]---
RIP: 0010:nf_ct_del_from_dying_or_unconfirmed_list net/netfilter/nf_conntrack_core.c:570 [inline]
RIP: 0010:__nf_conntrack_confirm+0x109d/0x10a0 net/netfilter/nf_conntrack_core.c:1207
Code: fc ff ff e8 f5 8a 69 f9 48 c7 c7 c0 03 64 8d 48 c7 c6 80 56 03 8b 48 8b 54 24 08 e8 2d 02 e9 fb e9 fa f1 ff ff e8 d3 8a 69 f9 <0f> 0b 90 55 41 57 41 56 41 55 41 54 53 48 89 fb 48 bd 00 00 00 00
RSP: 0000:ffffc90000007500 EFLAGS: 00010246
RAX: ffffffff880e329d RBX: ffffe8ffffc27000 RCX: ffff888023098000
RDX: 0000000000000100 RSI: 0000000000000004 RDI: ffffc90000007480
RBP: ffff888060085800 R08: 0000000000000004 R09: 0000000000000003
R10: fffff52000000e90 R11: 1ffff92000000e90 R12: 0000000000034fa4
R13: 0000000000000000 R14: ffff888060085858 R15: 0000000000000000
FS:  000055557151d500(0000) GS:ffff8880b9000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c230000 CR3: 0000000064aba000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	56                   	push   %rsi
   1:	41 55                	push   %r13
   3:	41 54                	push   %r12
   5:	53                   	push   %rbx
   6:	4c 8b 3f             	mov    (%rdi),%r15
   9:	4d 85 ff             	test   %r15,%r15
   c:	74 6d                	je     0x7b
   e:	49 89 f6             	mov    %rsi,%r14
  11:	48 89 fb             	mov    %rdi,%rbx
  14:	49 bc 00 00 00 00 00 	movabs $0xffffea0000000000,%r12
  1b:	ea ff ff
  1e:	eb 1a                	jmp    0x3a
  20:	4c 01 e0             	add    %r12,%rax
  23:	48 8b 70 18          	mov    0x18(%rax),%rsi
  27:	4d 8b 2f             	mov    (%r15),%r13
* 2a:	4c 89 ff             	mov    %r15,%rdi <-- trapping instruction
  2d:	e8 db 03 00 00       	call   0x40d
  32:	4d 89 ef             	mov    %r13,%r15
  35:	4d 85 ed             	test   %r13,%r13
  38:	74 2a                	je     0x64
  3a:	4c 89 f6             	mov    %r14,%rsi
  3d:	4d 85 f6             	test   %r14,%r14