syzbot

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 1 UID: 0 PID: 20 Comm: rcuop/0 Not tainted syzkaller #0 a8cf528afde17777b8d0df17d514b1350887467d
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:dst_dev_put+0x2a/0x2a0 net/core/dst.c:146
Code: f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 89 fb 49 bc 00 00 00 00 00 fc ff df e8 1d 03 14 fd 49 89 dd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 48 89 df e8 86 2b 6a fd 4c 8b 33 48 8d 7b
RSP: 0018:ffffc900001479e8 EFLAGS: 00010202
RAX: ffffffff8471e123 RBX: 0000000000000020 RCX: ffff888103661300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000020
RBP: ffffc90000147a10 R08: ffff88810436852b R09: 1ffff1102086d0a5
R10: dffffc0000000000 R11: ffffed102086d0a6 R12: dffffc0000000000
R13: 0000000000000004 R14: 0000607e08e0a668 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2e00a0 CR3: 000000010e330000 CR4: 00000000003526b0
Call Trace:
 <TASK>
 rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:206 [inline]
 fib_nh_common_release+0x18e/0x390 net/ipv4/fib_semantics.c:217
 fib6_nh_release+0x5ab/0x5d0 net/ipv6/route.c:3709
 fib6_info_destroy_rcu+0xc9/0x1c0 net/ipv6/ip6_fib.c:177
 rcu_do_batch+0x5a3/0xd20 kernel/rcu/tree.c:2575
 nocb_cb_wait kernel/rcu/tree_nocb.h:923 [inline]
 rcu_nocb_cb_kthread+0x4dc/0xac0 kernel/rcu/tree_nocb.h:957
 kthread+0x2c7/0x370 kernel/kthread.c:389
 ret_from_fork+0x67/0xa0 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dst_dev_put+0x2a/0x2a0 net/core/dst.c:146
Code: f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 89 fb 49 bc 00 00 00 00 00 fc ff df e8 1d 03 14 fd 49 89 dd 49 c1 ed 03 <43> 80 7c 25 00 00 74 08 48 89 df e8 86 2b 6a fd 4c 8b 33 48 8d 7b
RSP: 0018:ffffc900001479e8 EFLAGS: 00010202
RAX: ffffffff8471e123 RBX: 0000000000000020 RCX: ffff888103661300
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000020
RBP: ffffc90000147a10 R08: ffff88810436852b R09: 1ffff1102086d0a5
R10: dffffc0000000000 R11: ffffed102086d0a6 R12: dffffc0000000000
R13: 0000000000000004 R14: 0000607e08e0a668 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c2e00a0 CR3: 000000010e330000 CR4: 00000000003526b0
----------------
Code disassembly (best guess):
   0:	f3 0f 1e fa          	endbr64
   4:	55                   	push   %rbp
   5:	48 89 e5             	mov    %rsp,%rbp
   8:	41 57                	push   %r15
   a:	41 56                	push   %r14
   c:	41 55                	push   %r13
   e:	41 54                	push   %r12
  10:	53                   	push   %rbx
  11:	48 89 fb             	mov    %rdi,%rbx
  14:	49 bc 00 00 00 00 00 	movabs $0xdffffc0000000000,%r12
  1b:	fc ff df
  1e:	e8 1d 03 14 fd       	call   0xfd140340
  23:	49 89 dd             	mov    %rbx,%r13
  26:	49 c1 ed 03          	shr    $0x3,%r13
* 2a:	43 80 7c 25 00 00    	cmpb   $0x0,0x0(%r13,%r12,1) <-- trapping instruction
  30:	74 08                	je     0x3a
  32:	48 89 df             	mov    %rbx,%rdi
  35:	e8 86 2b 6a fd       	call   0xfd6a2bc0
  3a:	4c 8b 33             	mov    (%rbx),%r14
  3d:	48                   	rex.W
  3e:	8d                   	.byte 0x8d
  3f:	7b                   	.byte 0x7b