list_del corruption, ffff8880633a6c90->next is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:53!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 5944 Comm: dhcpcd-run-hook Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f e9 52 5c f8 06 cc 48 c7 c7 a0 e8 27 8c 48 89 de e8 12 51 6e fc 90 <0f> 0b 48 c7 c7 00 e9 27 8c 48 89 de e8 00 51 6e fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000007d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff8880633a6c90 RCX: 6c62c60e739a7500
RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000
RBP: 0000000000000203 R08: ffffc90000007ae7 R09: 1ffff92000000f5c
R10: dffffc0000000000 R11: fffff52000000f5d R12: 1ffff1100c674d92
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888125457000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055fda56e7008 CR3: 0000000021374000 CR4: 00000000003526f0
Call Trace:
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_init include/linux/list.h:295 [inline]
dst_destroy+0x202/0x5a0 net/core/dst.c:163
rcu_do_batch kernel/rcu/tree.c:2617 [inline]
rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869
handle_softirqs+0x22a/0x870 kernel/softirq.c:626
__do_softirq kernel/softirq.c:660 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0x5f/0x150 kernel/softirq.c:727
irq_exit_rcu+0x9/0x30 kernel/softirq.c:743
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:mas_start+0x3e5/0x560 lib/maple_tree.c:1212
Code: a1 fd ff ff 4c 89 ff e8 59 91 89 f6 e9 94 fd ff ff e8 df 69 1f f6 45 31 e4 4c 89 e0 48 83 c4 40 5b 41 5c 41 5d 41 5e 41 5f 5d <e9> d6 8a 0b 00 cc 48 8b 44 24 28 80 3c 28 00 74 08 4c 89 ef e8 42
RSP: 0018:ffffc900036273f8 EFLAGS: 00000282
RAX: ffff888078797000 RBX: ffffc90003627738 RCX: ffff8880279b0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffffffffff R08: ffff8880279b0000 R09: 0000000000000006
R10: 0000000000000007 R11: 0000000000000000 R12: 0000000000000000
R13: 1ffff920006c4ee7 R14: ffffc90003627778 R15: dffffc0000000000
mas_state_walk lib/maple_tree.c:2945 [inline]
mas_walk lib/maple_tree.c:4366 [inline]
mas_find_setup lib/maple_tree.c:5345 [inline]
mas_find+0x8aa/0xd30 lib/maple_tree.c:5385
vms_complete_munmap_vmas+0x812/0xc60 mm/vma.c:1341
do_vmi_align_munmap+0x3b7/0x4b0 mm/vma.c:1585
do_vmi_munmap+0x252/0x2d0 mm/vma.c:1633
__vm_munmap+0x22c/0x3d0 mm/vma.c:3254
elf_map fs/binfmt_elf.c:398 [inline]
elf_load+0x2c3/0x6a0 fs/binfmt_elf.c:423
load_elf_interp+0x4ce/0xb60 fs/binfmt_elf.c:690
load_elf_binary+0x1b2f/0x2980 fs/binfmt_elf.c:1255
search_binary_handler fs/exec.c:1664 [inline]
exec_binprm fs/exec.c:1696 [inline]
bprm_execve+0x93d/0x1460 fs/exec.c:1748
do_execveat_common+0x50d/0x690 fs/exec.c:1846
__do_sys_execve fs/exec.c:1930 [inline]
__se_sys_execve fs/exec.c:1924 [inline]
__x64_sys_execve+0x97/0xc0 fs/exec.c:1924
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1f831b8107
Code: Unable to access opcode bytes at 0x7f1f831b80dd.
RSP: 002b:00007f1f83021e68 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00007fffad2dd6c0 RCX: 00007f1f831b8107
RDX: 0000557c07f9e690 RSI: 00007fffad2dd8b0 RDI: 0000557bcef3d6bd
RBP: 00007f1f83021ff0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000202 R12: 0000000000000001
R13: 00007fffad2dd3a0 R14: 00007f1f83021f20 R15: 0000000000000040
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0xdf/0x190 lib/list_debug.c:52
Code: 49 39 1f 0f 85 9e 00 00 00 b0 01 5b 41 5c 41 5d 41 5e 41 5f e9 52 5c f8 06 cc 48 c7 c7 a0 e8 27 8c 48 89 de e8 12 51 6e fc 90 <0f> 0b 48 c7 c7 00 e9 27 8c 48 89 de e8 00 51 6e fc 90 0f 0b 4c 89
RSP: 0018:ffffc90000007d58 EFLAGS: 00010046
RAX: 0000000000000033 RBX: ffff8880633a6c90 RCX: 6c62c60e739a7500
RDX: 0000000000000100 RSI: 0000000000000101 RDI: 0000000000000000
RBP: 0000000000000203 R08: ffffc90000007ae7 R09: 1ffff92000000f5c
R10: dffffc0000000000 R11: fffff52000000f5d R12: 1ffff1100c674d92
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888125457000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1f831b80dd CR3: 0000000021374000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: a1 fd ff ff 4c 89 ff movabs 0x59e8ff894cfffffd,%eax
7: e8 59
9: 91 xchg %eax,%ecx
a: 89 f6 mov %esi,%esi
c: e9 94 fd ff ff jmp 0xfffffda5
11: e8 df 69 1f f6 call 0xf61f69f5
16: 45 31 e4 xor %r12d,%r12d
19: 4c 89 e0 mov %r12,%rax
1c: 48 83 c4 40 add $0x40,%rsp
20: 5b pop %rbx
21: 41 5c pop %r12
23: 41 5d pop %r13
25: 41 5e pop %r14
27: 41 5f pop %r15
29: 5d pop %rbp
* 2a: e9 d6 8a 0b 00 jmp 0xb8b05 <-- trapping instruction
2f: cc int3
30: 48 8b 44 24 28 mov 0x28(%rsp),%rax
35: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1)
39: 74 08 je 0x43
3b: 4c 89 ef mov %r13,%rdi
3e: e8 .byte 0xe8
3f: 42 rex.X