syzbot


general protection fault in f2fs_in_warm_node_list

Status: moderation: reported on 2026/01/08 00:08
Subsystems: f2fs
Reported-by: syzbot+7469575118ace3985adf@syzkaller.appspotmail.com
First crash: 9d23h, last: 9d23h

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:2172 [inline]
RIP: 0010:is_node_folio fs/f2fs/f2fs.h:2182 [inline]
RIP: 0010:f2fs_in_warm_node_list+0xbd/0x290 fs/f2fs/node.c:330
Code: 00 00 4d 03 3c 24 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 d1 99 13 fe 4d 8b 3f 49 83 c7 30 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 b4 99 13 fe 4d 3b 37 74 19 e8 6a
RSP: 0018:ffffc90000147930 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffffea0000bd3800 RCX: ffff88801b6dbc80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000100
RBP: ffff88804d45f780 R08: ffff88805ba956f3 R09: 1ffff1100b752ade
R10: dffffc0000000000 R11: ffffed100b752adf R12: ffff88802617a798
R13: dffffc0000000000 R14: ffff88805f220250 R15: 0000000000000030
FS:  0000000000000000(0000) GS:ffff888126cef000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe64dce5000 CR3: 000000003eb70000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 f2fs_write_end_io+0x71c/0xb60 fs/f2fs/data.c:359
 blk_update_request+0x57e/0xe60 block/blk-mq.c:1007
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1169
 blk_flush_complete_seq+0x687/0xce0 block/blk-flush.c:191
 flush_end_io+0xc46/0xf30 block/blk-flush.c:250
 __blk_mq_end_request+0x530/0x740 block/blk-mq.c:1159
 blk_complete_reqs block/blk-mq.c:1244 [inline]
 blk_done_softirq+0x10a/0x160 block/blk-mq.c:1249
 handle_softirqs+0x1df/0x650 kernel/softirq.c:622
 run_ksoftirqd+0x52/0x190 kernel/softirq.c:1063
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:NODE_MAPPING fs/f2fs/f2fs.h:2172 [inline]
RIP: 0010:is_node_folio fs/f2fs/f2fs.h:2182 [inline]
RIP: 0010:f2fs_in_warm_node_list+0xbd/0x290 fs/f2fs/node.c:330
Code: 00 00 4d 03 3c 24 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 d1 99 13 fe 4d 8b 3f 49 83 c7 30 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 b4 99 13 fe 4d 3b 37 74 19 e8 6a
RSP: 0018:ffffc90000147930 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffffea0000bd3800 RCX: ffff88801b6dbc80
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000100
RBP: ffff88804d45f780 R08: ffff88805ba956f3 R09: 1ffff1100b752ade
R10: dffffc0000000000 R11: ffffed100b752adf R12: ffff88802617a798
R13: dffffc0000000000 R14: ffff88805f220250 R15: 0000000000000030
FS:  0000000000000000(0000) GS:ffff888126cef000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe64dce5000 CR3: 000000003eb70000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	4d 03 3c 24          	add    (%r12),%r15
   6:	4c 89 f8             	mov    %r15,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  12:	74 08                	je     0x1c
  14:	4c 89 ff             	mov    %r15,%rdi
  17:	e8 d1 99 13 fe       	call   0xfe1399ed
  1c:	4d 8b 3f             	mov    (%r15),%r15
  1f:	49 83 c7 30          	add    $0x30,%r15
  23:	4c 89 f8             	mov    %r15,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	4c 89 ff             	mov    %r15,%rdi
  34:	e8 b4 99 13 fe       	call   0xfe1399ed
  39:	4d 3b 37             	cmp    (%r15),%r14
  3c:	74 19                	je     0x57
  3e:	e8                   	.byte 0xe8
  3f:	6a                   	.byte 0x6a

Crashes (1):
  Time:       2026/01/04 00:00
  Kernel:     upstream
  Commit:     aacb0a6d604a
  Syzkaller:  d6526ea3
  Config:     .config
  Log:        console log
  Report:     report
  Syz repro:  (none listed)
  C repro:    (none listed)
  VM info:    info
  Assets:     disk image, vmlinux, kernel image
  Manager:    ci2-upstream-fs
  Title:      general protection fault in f2fs_in_warm_node_list
* Struck through repros no longer work on HEAD.