list_del corruption, ffff88807be82090->next is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 8016 Comm: syz-executor Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc cc 48 c7 c7 a0 fc 29 8c 48 89 de e8 42 ee 63 fc 90 <0f> 0b 48 c7 c7 00 fd 29 8c 48 89 de e8 30 ee 63 fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000007d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff88807be82090 RCX: 3c8deb3b99b46200
RDX: 0000000000000100 RSI: 0000000000000102 RDI: 0000000000000000
RBP: 0000000000000203 R08: ffffffff8e952983 R09: 1ffffffff1d2a530
R10: dffffc0000000000 R11: fffffbfff1d2a531 R12: 1ffff1100f7d0412
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000555569e3f500(0000) GS:ffff888125002000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f228d785900 CR3: 0000000078a12000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del_init include/linux/list.h:295 [inline]
 dst_destroy+0x202/0x5a0 net/core/dst.c:163
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
 handle_softirqs+0x22a/0x870 kernel/softirq.c:626
 __do_softirq kernel/softirq.c:660 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:727
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:console_flush_one_record arch/x86/include/asm/irqflags.h:-1 [inline]
RIP: 0010:console_flush_all+0x801/0xb20 kernel/printk/printk.c:3343
Code: ff ff e8 02 f0 20 00 90 0f 0b 90 e9 85 fc ff ff e8 f4 ef 20 00 e8 2f ec 14 0a 48 85 db 74 c0 e8 e5 ef 20 00 fb 48 8b 5c 24 08 <48> 8b 44 24 20 42 80 3c 20 00 4c 8b 74 24 18 74 08 4c 89 f7 e8 46
RSP: 0018:ffffc90019b869c0 EFLAGS: 00000293
RAX: ffffffff81a5066b RBX: ffffc90019b86b20 RCX: ffff888029589e80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90019b86ad0 R08: ffffffff9033edb7 R09: 1ffffffff2067db6
R10: dffffc0000000000 R11: fffffbfff2067db7 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffffffff8f22c500
 __console_flush_and_unlock kernel/printk/printk.c:3373 [inline]
 console_unlock+0xd1/0x1c0 kernel/printk/printk.c:3413
 vprintk_emit+0x485/0x560 kernel/printk/printk.c:2479
 _printk+0xdd/0x130 kernel/printk/printk.c:2504
 batadv_hardif_enable_interface+0x748/0x980 net/batman-adv/hard-interface.c:751
 batadv_meshif_slave_add+0x79/0x100 net/batman-adv/mesh-interface.c:843
 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
 do_setlink+0x1018/0x4590 net/core/rtnetlink.c:3165
 rtnl_changelink net/core/rtnetlink.c:3776 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
 rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec+0x18f/0x1d0 net/socket.c:802
 __sock_sendmsg net/socket.c:817 [inline]
 __sys_sendto+0x3ff/0x590 net/socket.c:2286
 __do_sys_sendto net/socket.c:2293 [inline]
 __se_sys_sendto net/socket.c:2289 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2289
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f997175cfce
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007ffe9b543a78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000555569e3f500 RCX: 00007f997175cfce
RDX: 0000000000000028 RSI: 00007f9972544670 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00007ffe9b543af4 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f9972544670 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc cc 48 c7 c7 a0 fc 29 8c 48 89 de e8 42 ee 63 fc 90 <0f> 0b 48 c7 c7 00 fd 29 8c 48 89 de e8 30 ee 63 fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000007d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff88807be82090 RCX: 3c8deb3b99b46200
RDX: 0000000000000100 RSI: 0000000000000102 RDI: 0000000000000000
RBP: 0000000000000203 R08: ffffffff8e952983 R09: 1ffffffff1d2a530
R10: dffffc0000000000 R11: fffffbfff1d2a531 R12: 1ffff1100f7d0412
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000555569e3f500(0000) GS:ffff888125002000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f228d785900 CR3: 0000000078a12000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	ff                   	ljmp   (bad)
   1:	e8 02 f0 20 00       	call   0x20f008
   6:	90                   	nop
   7:	0f 0b                	ud2
   9:	90                   	nop
   a:	e9 85 fc ff ff       	jmp    0xfffffc94
   f:	e8 f4 ef 20 00       	call   0x20f008
  14:	e8 2f ec 14 0a       	call   0xa14ec48
  19:	48 85 db             	test   %rbx,%rbx
  1c:	74 c0                	je     0xffffffde
  1e:	e8 e5 ef 20 00       	call   0x20f008
  23:	fb                   	sti
  24:	48 8b 5c 24 08       	mov    0x8(%rsp),%rbx
* 29:	48 8b 44 24 20       	mov    0x20(%rsp),%rax <-- trapping instruction
  2e:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1)
  33:	4c 8b 74 24 18       	mov    0x18(%rsp),%r14
  38:	74 08                	je     0x42
  3a:	4c 89 f7             	mov    %r14,%rdi
  3d:	e8                   	.byte 0xe8
  3e:	46                   	rex.RX