BUG: unable to handle page fault for address: ffffffff00000028
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD b68f067 P4D b68f067 PUD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 14554 Comm: kworker/u4:12 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:arch_atomic_fetch_add arch/x86/include/asm/atomic.h:184 [inline]
RIP: 0010:atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:112 [inline]
RIP: 0010:__refcount_add include/linux/refcount.h:193 [inline]
RIP: 0010:__refcount_inc include/linux/refcount.h:250 [inline]
RIP: 0010:refcount_inc include/linux/refcount.h:267 [inline]
RIP: 0010:get_task_struct include/linux/sched/task.h:105 [inline]
RIP: 0010:kthread_stop+0x90/0x710 kernel/kthread.c:643
Code: 89 de e8 e3 af 29 00 84 db 0f 85 71 04 00 00 e8 96 a9 29 00 4c 8d 65 28 be 04 00 00 00 bb 01 00 00 00 4c 89 e7 e8 40 17 70 00 <f0> 0f c1 5d 28 31 ff 89 de e8 b2 b0 29 00 85 db 0f 84 ad 05 00 00
RSP: 0018:ffffc90004aaf960 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffffff814dc910
RDX: fffffbffe0000006 RSI: 0000000000000004 RDI: ffffffff00000028
RBP: ffffffff00000000 R08: 0000000000000001 R09: ffffffff0000002b
R10: fffffbffe0000005 R11: 0000000000000000 R12: ffffffff00000028
R13: dffffc0000000000 R14: 0000000000000008 R15: ffffe8ffffc4e250
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff00000028 CR3: 0000000079072000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
__netif_napi_del.part.0+0x3b1/0x520 net/core/dev.c:6997
__netif_napi_del+0x3c/0x50 net/core/dev.c:6986
gro_cells_destroy net/core/gro_cells.c:102 [inline]
gro_cells_destroy+0x115/0x360 net/core/gro_cells.c:92
ip6gre_dev_free+0x15/0x60 net/ipv6/ip6_gre.c:1412
netdev_run_todo+0x6b4/0xa80 net/core/dev.c:10624
ip6gre_exit_batch_net+0x4ac/0x760 net/ipv6/ip6_gre.c:1630
ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171
cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:593
process_one_work+0x9b2/0x1690 kernel/workqueue.c:2297
worker_thread+0x658/0x11f0 kernel/workqueue.c:2444
kthread+0x405/0x4f0 kernel/kthread.c:327
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
CR2: ffffffff00000028
---[ end trace ba52272225006e34 ]---
RIP: 0010:arch_atomic_fetch_add arch/x86/include/asm/atomic.h:184 [inline]
RIP: 0010:atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:112 [inline]
RIP: 0010:__refcount_add include/linux/refcount.h:193 [inline]
RIP: 0010:__refcount_inc include/linux/refcount.h:250 [inline]
RIP: 0010:refcount_inc include/linux/refcount.h:267 [inline]
RIP: 0010:get_task_struct include/linux/sched/task.h:105 [inline]
RIP: 0010:kthread_stop+0x90/0x710 kernel/kthread.c:643
Code: 89 de e8 e3 af 29 00 84 db 0f 85 71 04 00 00 e8 96 a9 29 00 4c 8d 65 28 be 04 00 00 00 bb 01 00 00 00 4c 89 e7 e8 40 17 70 00 <f0> 0f c1 5d 28 31 ff 89 de e8 b2 b0 29 00 85 db 0f 84 ad 05 00 00
RSP: 0018:ffffc90004aaf960 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffffffff814dc910
RDX: fffffbffe0000006 RSI: 0000000000000004 RDI: ffffffff00000028
RBP: ffffffff00000000 R08: 0000000000000001 R09: ffffffff0000002b
R10: fffffbffe0000005 R11: 0000000000000000 R12: ffffffff00000028
R13: dffffc0000000000 R14: 0000000000000008 R15: ffffe8ffffc4e250
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff00000028 CR3: 0000000079072000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 de mov %ebx,%esi
2: e8 e3 af 29 00 callq 0x29afea
7: 84 db test %bl,%bl
9: 0f 85 71 04 00 00 jne 0x480
f: e8 96 a9 29 00 callq 0x29a9aa
14: 4c 8d 65 28 lea 0x28(%rbp),%r12
18: be 04 00 00 00 mov $0x4,%esi
1d: bb 01 00 00 00 mov $0x1,%ebx
22: 4c 89 e7 mov %r12,%rdi
25: e8 40 17 70 00 callq 0x70176a
* 2a: f0 0f c1 5d 28 lock xadd %ebx,0x28(%rbp) <-- trapping instruction
2f: 31 ff xor %edi,%edi
31: 89 de mov %ebx,%esi
33: e8 b2 b0 29 00 callq 0x29b0ea
38: 85 db test %ebx,%ebx
3a: 0f 84 ad 05 00 00 je 0x5ed