list_del corruption, ffff888056e51090->next is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 582 Comm: kworker/u8:7 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: netns cleanup_net
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f e9 52 5c f8 06 cc 48 c7 c7 a0 e8 27 8c 48 89 de e8 12 51 6e fc 90 <0f> 0b 48 c7 c7 00 e9 27 8c 48 89 de e8 00 51 6e fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000a08d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff888056e51090 RCX: 67555e550c537f00
RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000
RBP: 0000000000000203 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1cbd9ec R12: 1ffff1100adca212
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888125557000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f32265e9e80 CR3: 000000007e38c000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del_init include/linux/list.h:295 [inline]
 dst_destroy+0x202/0x5a0 net/core/dst.c:163
 rcu_do_batch kernel/rcu/tree.c:2617 [inline]
 rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
 handle_softirqs+0x22a/0x870 kernel/softirq.c:626
 __do_softirq kernel/softirq.c:660 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:727
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:kfree+0x6e/0x630 mm/slub.c:6452
Code: ee 0d 73 0d e8 e3 00 87 ff 84 c0 0f 84 33 03 00 00 49 83 fc 11 0f 82 f9 02 00 00 48 8b 1d 52 15 f7 0b 4c 89 e7 e8 b2 8f 54 ff <48> c1 e8 06 48 83 e0 c0 48 8d 3c 03 48 8b 44 03 08 49 89 c6 49 ff
RSP: 0018:ffffc900039e76a0 EFLAGS: 00000293
RAX: 0000000057c2c000 RBX: ffffea0000000000 RCX: ffff8880257f5b80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900039e7850 R08: ffffffff9011e8b7 R09: 1ffffffff2023d16
R10: dffffc0000000000 R11: ffffffff8680b620 R12: ffff888057c2c000
R13: ffffffff89801d68 R14: ffffffff8680b620 R15: ffff88807d398618
 netdev_run_todo+0xf58/0x1130 net/core/dev.c:11736
 default_device_exit_batch+0x986/0xa00 net/core/dev.c:13087
 ops_exit_list net/core/net_namespace.c:205 [inline]
 ops_undo_list+0x52b/0x940 net/core/net_namespace.c:252
 cleanup_net+0x56b/0x800 net/core/net_namespace.c:704
 process_one_work+0x949/0x1650 kernel/workqueue.c:3279
 process_scheduled_works kernel/workqueue.c:3362 [inline]
 worker_thread+0xb46/0x1140 kernel/workqueue.c:3443
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f e9 52 5c f8 06 cc 48 c7 c7 a0 e8 27 8c 48 89 de e8 12 51 6e fc 90 <0f> 0b 48 c7 c7 00 e9 27 8c 48 89 de e8 00 51 6e fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000a08d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff888056e51090 RCX: 67555e550c537f00
RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000
RBP: 0000000000000203 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1cbd9ec R12: 1ffff1100adca212
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888125557000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f32265e9e80 CR3: 000000007e38c000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	73 0d                	jae    0xf
   2:	e8 e3 00 87 ff       	call   0xff8700ea
   7:	84 c0                	test   %al,%al
   9:	0f 84 33 03 00 00    	je     0x342
   f:	49 83 fc 11          	cmp    $0x11,%r12
  13:	0f 82 f9 02 00 00    	jb     0x312
  19:	48 8b 1d 52 15 f7 0b 	mov    0xbf71552(%rip),%rbx        # 0xbf71572
  20:	4c 89 e7             	mov    %r12,%rdi
  23:	e8 b2 8f 54 ff       	call   0xff548fda
* 28:	48 c1 e8 06          	shr    $0x6,%rax <-- trapping instruction
  2c:	48 83 e0 c0          	and    $0xffffffffffffffc0,%rax
  30:	48 8d 3c 03          	lea    (%rbx,%rax,1),%rdi
  34:	48 8b 44 03 08       	mov    0x8(%rbx,%rax,1),%rax
  39:	49 89 c6             	mov    %rax,%r14
  3c:	49                   	rex.WB
  3d:	ff                   	.byte 0xff