general protection fault in ip6_tnl_exit_rtnl

netdevsim netdevsim0 eth1 (unregistering): unset [1, 1] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 eth0 (unregistering): unset [1, 0] type 2 family 0 port 20001 - 0
netdevsim netdevsim0 eth0 (unregistering): unset [1, 1] type 2 family 0 port 6081 - 0
Oops: general protection fault, probably for non-canonical address 0xdffffc001fffe001: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x00000000ffff0008-0x00000000ffff000f]
CPU: 0 UID: 0 PID: 22530 Comm: kworker/u8:32 Not tainted 6.16.0-syzkaller-12063-g37816488247d #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
RIP: 0010:ip6_tnl_exit_rtnl_net+0x1bf/0x4c0 net/ipv6/ip6_tunnel.c:2261
Code: e7 e8 95 ff da f7 4d 8b 24 24 4d 85 e4 75 0f e8 e7 94 77 f7 e9 15 01 00 00 e8 dd 94 77 f7 4d 8d 74 24 08 4d 89 f5 49 c1 ed 03 <41> 80 7c 1d 00 00 74 08 4c 89 f7 e8 61 ff da f7 49 8b 2e 4c 01 fd
RSP: 0018:ffffc900046e7880 EFLAGS: 00010202
RAX: 1ffff11004865f05 RBX: dffffc0000000000 RCX: ffff88807af9bc00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff8f534927 R09: 1ffffffff1ea6924
R10: dffffc0000000000 R11: fffffbfff1ea6925 R12: 00000000ffff0000
R13: 000000001fffe001 R14: 00000000ffff0008 R15: 0000000000000108
FS:  0000000000000000(0000) GS:ffff888125c21000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8edc3f84c0 CR3: 000000000df36000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 ops_exit_rtnl_list net/core/net_namespace.c:180 [inline]
 ops_undo_list+0x34d/0x990 net/core/net_namespace.c:247
 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:682
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x70e/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ip6_tnl_exit_rtnl_net+0x1bf/0x4c0 net/ipv6/ip6_tunnel.c:2261
Code: e7 e8 95 ff da f7 4d 8b 24 24 4d 85 e4 75 0f e8 e7 94 77 f7 e9 15 01 00 00 e8 dd 94 77 f7 4d 8d 74 24 08 4d 89 f5 49 c1 ed 03 <41> 80 7c 1d 00 00 74 08 4c 89 f7 e8 61 ff da f7 49 8b 2e 4c 01 fd
RSP: 0018:ffffc900046e7880 EFLAGS: 00010202
RAX: 1ffff11004865f05 RBX: dffffc0000000000 RCX: ffff88807af9bc00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffff8f534927 R09: 1ffffffff1ea6924
R10: dffffc0000000000 R11: fffffbfff1ea6925 R12: 00000000ffff0000
R13: 000000001fffe001 R14: 00000000ffff0008 R15: 0000000000000108
FS:  0000000000000000(0000) GS:ffff888125c21000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8edc3f84c0 CR3: 000000000df36000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e8 95 ff da f7       	call   0xf7daff9a
   5:	4d 8b 24 24          	mov    (%r12),%r12
   9:	4d 85 e4             	test   %r12,%r12
   c:	75 0f                	jne    0x1d
   e:	e8 e7 94 77 f7       	call   0xf77794fa
  13:	e9 15 01 00 00       	jmp    0x12d
  18:	e8 dd 94 77 f7       	call   0xf77794fa
  1d:	4d 8d 74 24 08       	lea    0x8(%r12),%r14
  22:	4d 89 f5             	mov    %r14,%r13
  25:	49 c1 ed 03          	shr    $0x3,%r13
* 29:	41 80 7c 1d 00 00    	cmpb   $0x0,0x0(%r13,%rbx,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	4c 89 f7             	mov    %r14,%rdi
  34:	e8 61 ff da f7       	call   0xf7daff9a
  39:	49 8b 2e             	mov    (%r14),%rbp
  3c:	4c 01 fd             	add    %r15,%rbp