list_del corruption, ffff88806bde8c90->next is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 3 Comm: pool_workqueue_ Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc cc 48 c7 c7 a0 fc 29 8c 48 89 de e8 42 ee 63 fc 90 <0f> 0b 48 c7 c7 00 fd 29 8c 48 89 de e8 30 ee 63 fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000007d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff88806bde8c90 RCX: fefe8bc4ae308e00
RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000
RBP: 0000000000000203 R08: ffffc90000007ae7 R09: 1ffff92000000f5c
R10: dffffc0000000000 R11: fffff52000000f5d R12: 1ffff1100d7bd192
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888125002000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff2046a2ff8 CR3: 0000000063286000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del_init include/linux/list.h:295 [inline]
 dst_destroy+0x202/0x5a0 net/core/dst.c:163
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
 handle_softirqs+0x22a/0x870 kernel/softirq.c:626
 __do_softirq kernel/softirq.c:660 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:727
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lockdep_unregister_key+0x2d5/0x350 kernel/locking/lockdep.c:6616
Code: 41 0c 09 00 89 c6 48 c7 c7 50 37 4a 96 e8 d3 80 1a 0a 90 e9 65 fe ff ff e8 18 ce 17 0a 41 f7 c7 00 02 00 00 74 b3 fb 40 84 ed <75> b2 eb c3 90 0f 0b 90 e9 26 ff ff ff 90 0f 0b 90 e9 2e ff ff ff
RSP: 0018:ffffc90000087c90 EFLAGS: 00000246
RAX: 0000000000000046 RBX: ffff88802a3c1d38 RCX: 0000000000000046
RDX: ffffffff9405b2b8 RSI: ffffffff8e0337fa RDI: ffffffff8c29f960
RBP: ffff88801d6b1e00 R08: ffffffff81af5a88 R09: ffffffff8e960620
R10: dffffc0000000000 R11: fffff52000010f8d R12: 0000000000000000
R13: ffff88802a3c1d39 R14: 0000000000001000 R15: 0000000000000a03
 wq_unregister_lockdep kernel/workqueue.c:4906 [inline]
 pwq_release_workfn+0x6ea/0x880 kernel/workqueue.c:5202
 kthread_worker_fn+0x509/0xb70 kernel/kthread.c:1025
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc cc 48 c7 c7 a0 fc 29 8c 48 89 de e8 42 ee 63 fc 90 <0f> 0b 48 c7 c7 00 fd 29 8c 48 89 de e8 30 ee 63 fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000007d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff88806bde8c90 RCX: fefe8bc4ae308e00
RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000
RBP: 0000000000000203 R08: ffffc90000007ae7 R09: 1ffff92000000f5c
R10: dffffc0000000000 R11: fffff52000000f5d R12: 1ffff1100d7bd192
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888125002000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff2046a2ff8 CR3: 0000000063286000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	09 00                	or     %eax,(%rax)
   2:	89 c6                	mov    %eax,%esi
   4:	48 c7 c7 50 37 4a 96 	mov    $0xffffffff964a3750,%rdi
   b:	e8 d3 80 1a 0a       	call   0xa1a80e3
  10:	90                   	nop
  11:	e9 65 fe ff ff       	jmp    0xfffffe7b
  16:	e8 18 ce 17 0a       	call   0xa17ce33
  1b:	41 f7 c7 00 02 00 00 	test   $0x200,%r15d
  22:	74 b3                	je     0xffffffd7
  24:	fb                   	sti
  25:	40 84 ed             	test   %bpl,%bpl
* 28:	75 b2                	jne    0xffffffdc <-- trapping instruction
  2a:	eb c3                	jmp    0xffffffef
  2c:	90                   	nop
  2d:	0f 0b                	ud2
  2f:	90                   	nop
  30:	e9 26 ff ff ff       	jmp    0xffffff5b
  35:	90                   	nop
  36:	0f 0b                	ud2
  38:	90                   	nop
  39:	e9 2e ff ff ff       	jmp    0xffffff6c