syzbot

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:dst_dev_put+0x27/0x290 net/core/dst.c:146
Code: 90 90 90 f3 0f 1e fa 55 41 57 41 56 41 55 41 54 53 49 89 fd 49 bf 00 00 00 00 00 fc ff df e8 60 8f e5 f7 4d 89 ec 49 c1 ec 03 <43> 80 3c 3c 00 74 08 4c 89 ef e8 ca bb 4d f8 4d 8b 75 00 49 8d 7d
RSP: 0018:ffffc9000041f8d8 EFLAGS: 00010246
RAX: ffffffff89dde730 RBX: 0000000000000001 RCX: ffff88801caec880
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 1ffffffff1cab054 R08: ffffffff8a87efd9 R09: 1ffff110025e50c0
R10: dffffc0000000000 R11: ffffed10025e50c1 R12: 0000000000000000
R13: 0000000000000001 R14: 00000000fffffff8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88808c825000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f86df5ff000 CR3: 000000004ef8e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 rt_fibinfo_free_cpus net/ipv4/fib_semantics.c:201 [inline]
 fib_nh_common_release+0x1fc/0x420 net/ipv4/fib_semantics.c:212
 fib6_info_destroy_rcu+0xc0/0x1b0 net/ipv6/ip6_fib.c:177
 rcu_do_batch kernel/rcu/tree.c:2568 [inline]
 rcu_core+0xaac/0x17a0 kernel/rcu/tree.c:2824
 handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:561
 run_ksoftirqd+0xcf/0x130 kernel/softirq.c:950
 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164
 kthread+0x7a9/0x920 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:dst_dev_put+0x27/0x290 net/core/dst.c:146
Code: 90 90 90 f3 0f 1e fa 55 41 57 41 56 41 55 41 54 53 49 89 fd 49 bf 00 00 00 00 00 fc ff df e8 60 8f e5 f7 4d 89 ec 49 c1 ec 03 <43> 80 3c 3c 00 74 08 4c 89 ef e8 ca bb 4d f8 4d 8b 75 00 49 8d 7d
RSP: 0018:ffffc9000041f8d8 EFLAGS: 00010246
RAX: ffffffff89dde730 RBX: 0000000000000001 RCX: ffff88801caec880
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 1ffffffff1cab054 R08: ffffffff8a87efd9 R09: 1ffff110025e50c0
R10: dffffc0000000000 R11: ffffed10025e50c1 R12: 0000000000000000
R13: 0000000000000001 R14: 00000000fffffff8 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88808c825000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f86df5ff000 CR3: 000000004ef8e000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	f3 0f 1e fa          	endbr64
   7:	55                   	push   %rbp
   8:	41 57                	push   %r15
   a:	41 56                	push   %r14
   c:	41 55                	push   %r13
   e:	41 54                	push   %r12
  10:	53                   	push   %rbx
  11:	49 89 fd             	mov    %rdi,%r13
  14:	49 bf 00 00 00 00 00 	movabs $0xdffffc0000000000,%r15
  1b:	fc ff df
  1e:	e8 60 8f e5 f7       	call   0xf7e58f83
  23:	4d 89 ec             	mov    %r13,%r12
  26:	49 c1 ec 03          	shr    $0x3,%r12
* 2a:	43 80 3c 3c 00       	cmpb   $0x0,(%r12,%r15,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	4c 89 ef             	mov    %r13,%rdi
  34:	e8 ca bb 4d f8       	call   0xf84dbc03
  39:	4d 8b 75 00          	mov    0x0(%r13),%r14
  3d:	49                   	rex.WB
  3e:	8d                   	.byte 0x8d
  3f:	7d                   	.byte 0x7d