------------[ cut here ]------------
WARNING: CPU: 3 PID: 3737 at net/ipv4/route.c:1245 ip_rt_bug+0x22/0x130 net/ipv4/route.c:1244
Modules linked in:
CPU: 3 PID: 3737 Comm: udevd Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:ip_rt_bug+0x22/0x130 net/ipv4/route.c:1245
Code: b9 9d 01 0f 1f 44 00 00 55 48 89 d5 53 48 83 ec 08 e8 72 70 d0 f9 66 90 e8 6b 70 d0 f9 e8 66 70 d0 f9 48 89 ef e8 ae 8a 7e ff <0f> 0b 48 83 c4 08 31 c0 5b 5d c3 e8 4e 70 d0 f9 48 8d 7d 10 48 b8
RSP: 0018:ffffc900007d88a8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88805d3a6100 RCX: 0000000000000100
RDX: ffff88805cea4040 RSI: ffffffff87a67412 RDI: 0000000000000000
RBP: ffff888022fb73c0 R08: 0000000000000001 R09: ffffffff8ff76a9f
R10: 0000000000000001 R11: 000000000008808a R12: ffff88801e6c1b00
R13: ffff888022fb73c0 R14: 0000000000000000 R15: ffff888022fb7418
FS: 00007fd9aa0ed840(0000) GS:ffff88802cd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f379d6adc0 CR3: 000000005ce80000 CR4: 0000000000152ee0
Call Trace:
dst_output include/net/dst.h:450 [inline]
ip_local_out net/ipv4/ip_output.c:126 [inline]
ip_send_skb net/ipv4/ip_output.c:1555 [inline]
ip_push_pending_frames+0x125/0x2b0 net/ipv4/ip_output.c:1575
icmp_push_reply+0x351/0x4a0 net/ipv4/icmp.c:393
__icmp_send+0xb99/0x13c0 net/ipv4/icmp.c:769
ipv4_send_dest_unreach net/ipv4/route.c:1225 [inline]
ipv4_link_failure+0x5d5/0x9f0 net/ipv4/route.c:1232
dst_link_failure include/net/dst.h:429 [inline]
arp_error_report+0xc7/0x1c0 net/ipv4/arp.c:295
neigh_invalidate+0x20d/0x560 net/core/neighbour.c:1025
neigh_timer_handler+0xd47/0x10e0 net/core/neighbour.c:1112
call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421
expire_timers kernel/time/timer.c:1466 [inline]
__run_timers.part.0+0x675/0xa20 kernel/time/timer.c:1734
__run_timers kernel/time/timer.c:1715 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:check_kcov_mode kernel/kcov.c:166 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x7/0x60 kernel/kcov.c:200
Code: 45 00 5d be 03 00 00 00 e9 06 c2 63 02 66 0f 1f 44 00 00 48 8b be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 65 8b 05 89 8b 8b 7e <89> c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 40 70 02 00 a9
RSP: 0018:ffffc9000321f5a0 EFLAGS: 00000246
RAX: 0000000080000000 RBX: 000000000000000d RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88805cea4040 RDI: 0000000000000003
RBP: ffff88801979ce00 R08: 0000000000000000 R09: 000000000000000d
R10: ffffffff83aa4447 R11: 0000000000000010 R12: 0000000000000002
R13: 0000000000000179 R14: dffffc0000000000 R15: 0000000000000000
tomoyo_domain_quota_is_ok+0x31a/0x550 security/tomoyo/util.c:1092
tomoyo_supervisor+0x2f2/0xf00 security/tomoyo/common.c:2089
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_path_permission security/tomoyo/file.c:587 [inline]
tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573
tomoyo_check_open_permission+0x33e/0x380 security/tomoyo/file.c:777
tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline]
tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:306
security_file_open+0x45/0xb0 security/security.c:1635
do_dentry_open+0x353/0x1250 fs/open.c:809
do_open fs/namei.c:3426 [inline]
path_openat+0x1cad/0x2750 fs/namei.c:3559
do_filp_open+0x1aa/0x400 fs/namei.c:3586
do_sys_openat2+0x16d/0x4d0 fs/open.c:1212
do_sys_open fs/open.c:1228 [inline]
__do_sys_openat fs/open.c:1244 [inline]
__se_sys_openat fs/open.c:1239 [inline]
__x64_sys_openat+0x13f/0x1f0 fs/open.c:1239
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd9aa244697
Code: 25 00 00 41 00 3d 00 00 41 00 74 37 64 8b 04 25 18 00 00 00 85 c0 75 5b 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 85 00 00 00 48 83 c4 68 5d 41 5c c3 0f 1f
RSP: 002b:00007ffe02200b50 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 000055f379d06ce0 RCX: 00007fd9aa244697
RDX: 0000000000080000 RSI: 00007ffe02200c88 RDI: 00000000ffffff9c
RBP: 00007ffe02200c88 R08: 0000000000000008 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000080000
R13: 000055f379d06ce0 R14: 0000000000000001 R15: 000055f3786e1160
----------------
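Code disassembly (best guess), decoded from the second kernel "Code:" line above (RIP __sanitizer_cov_trace_pc+0x7, the context that the timer interrupt preempted), not from the WARNING site in ip_rt_bug, whose "Code:" line marks <0f> 0b (ud2); the instruction flagged below is therefore where the interrupt landed, not a faulting instruction: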
0: 45 00 5d be add %r11b,-0x42(%r13)
4: 03 00 add (%rax),%eax
6: 00 00 add %al,(%rax)
8: e9 06 c2 63 02 jmpq 0x263c213
d: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
13: 48 8b be b0 01 00 00 mov 0x1b0(%rsi),%rdi
1a: e8 b4 ff ff ff callq 0xffffffd3
1f: 31 c0 xor %eax,%eax
21: c3 retq
22: 90 nop
23: 65 8b 05 89 8b 8b 7e mov %gs:0x7e8b8b89(%rip),%eax # 0x7e8b8bb3
* 2a: 89 c1 mov %eax,%ecx <-- trapping instruction
2c: 48 8b 34 24 mov (%rsp),%rsi
30: 81 e1 00 01 00 00 and $0x100,%ecx
36: 65 48 8b 14 25 40 70 mov %gs:0x27040,%rdx
3d: 02 00
3f: a9 .byte 0xa9