------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:28!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 5954 Comm: kworker/u8:7 Not tainted 6.16.0-rc5-syzkaller-00204-gdae7f9cbd190 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net
RIP: 0010:__phys_addr+0x16b/0x180 arch/x86/mm/physaddr.c:28
Code: 49 af 00 e9 45 ff ff ff e8 32 c7 4b 00 48 c7 c7 d0 f6 fa 8d 48 89 de 4c 89 f2 e8 a0 c4 82 03 e9 4d ff ff ff e8 16 c7 4b 00 90 <0f> 0b e8 0e c7 4b 00 90 0f 0b e8 06 c7 4b 00 90 0f 0b 0f 1f 00 90
RSP: 0018:ffffc90000a08b58 EFLAGS: 00010246
RAX: ffffffff81746f5a RBX: 00007780ffff0000 RCX: ffff88802e4c5a00
RDX: 0000000000000100 RSI: 000000017fff0000 RDI: 00007780ffff0000
RBP: ffffc90000a08e30 R08: 0000000000000000 R09: ffffffff81a8c5a4
R10: dffffc0000000000 R11: ffffffff89f64d50 R12: ffffffff89f64d50
R13: ffffffff81a8c5a4 R14: 000000017fff0000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125d1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557608fe6f80 CR3: 000000000df38000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 virt_to_folio include/linux/mm.h:1178 [inline]
 kfree+0x77/0x440 mm/slub.c:4834
 in_dev_free_rcu+0x49/0x60 net/ipv4/devinet.c:245
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 3b fd 55 f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 03 1e 1f f6 65 8b 05 ac 8a 2e 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc9000ace70c0 EFLAGS: 00000206
RAX: 44fe3823f13a5f00 RBX: 0000000000000a06 RCX: 44fe3823f13a5f00
RDX: 0000000000000006 RSI: ffffffff8d998bbb RDI: 0000000000000001
RBP: ffffc9000ace7150 R08: ffffffff8fa1f3f7 R09: 1ffffffff1f43e7e
R10: dffffc0000000000 R11: fffffbfff1f43e7f R12: dffffc0000000000
R13: ffff888072e10e00 R14: ffffffff99d7b708 R15: 1ffff9200159ce18
 debug_object_activate+0x2e2/0x420 lib/debugobjects.c:836
 debug_rcu_head_queue kernel/rcu/rcu.h:236 [inline]
 __call_rcu_common kernel/rcu/tree.c:3079 [inline]
 call_rcu+0xaa/0x9c0 kernel/rcu/tree.c:3214
 kernfs_put+0x19e/0x480 fs/kernfs/dir.c:591
 kernfs_remove_by_name_ns+0xb7/0x130 fs/kernfs/dir.c:1718
 kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
 remove_files fs/sysfs/group.c:28 [inline]
 sysfs_remove_group+0xfc/0x2c0 fs/sysfs/group.c:322
 sysfs_remove_groups+0x54/0xb0 fs/sysfs/group.c:346
 device_remove_groups drivers/base/core.c:2846 [inline]
 device_remove_attrs+0x208/0x260 drivers/base/core.c:2982
 device_del+0x509/0x8e0 drivers/base/core.c:3880
 unregister_netdevice_many_notify+0x1d52/0x2320 net/core/dev.c:12112
 unregister_netdevice_many net/core/dev.c:12140 [inline]
 default_device_exit_batch+0x819/0x890 net/core/dev.c:12644
 ops_exit_list net/core/net_namespace.c:206 [inline]
 ops_undo_list+0x522/0x990 net/core/net_namespace.c:253
 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__phys_addr+0x16b/0x180 arch/x86/mm/physaddr.c:28
Code: 49 af 00 e9 45 ff ff ff e8 32 c7 4b 00 48 c7 c7 d0 f6 fa 8d 48 89 de 4c 89 f2 e8 a0 c4 82 03 e9 4d ff ff ff e8 16 c7 4b 00 90 <0f> 0b e8 0e c7 4b 00 90 0f 0b e8 06 c7 4b 00 90 0f 0b 0f 1f 00 90
RSP: 0018:ffffc90000a08b58 EFLAGS: 00010246
RAX: ffffffff81746f5a RBX: 00007780ffff0000 RCX: ffff88802e4c5a00
RDX: 0000000000000100 RSI: 000000017fff0000 RDI: 00007780ffff0000
RBP: ffffc90000a08e30 R08: 0000000000000000 R09: ffffffff81a8c5a4
R10: dffffc0000000000 R11: ffffffff89f64d50 R12: ffffffff89f64d50
R13: ffffffff81a8c5a4 R14: 000000017fff0000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125d1b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557608fe6f80 CR3: 000000000df38000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	74 05                	je     0x7
   2:	e8 3b fd 55 f6       	call   0xf655fd42
   7:	48 c7 44 24 20 00 00 	movq   $0x0,0x20(%rsp)
   e:	00 00
  10:	9c                   	pushf
  11:	8f 44 24 20          	pop    0x20(%rsp)
  15:	f6 44 24 21 02       	testb  $0x2,0x21(%rsp)
  1a:	75 4f                	jne    0x6b
  1c:	f7 c3 00 02 00 00    	test   $0x200,%ebx
  22:	74 01                	je     0x25
  24:	fb                   	sti
  25:	bf 01 00 00 00       	mov    $0x1,%edi
* 2a:	e8 03 1e 1f f6       	call   0xf61f1e32 <-- trapping instruction
  2f:	65 8b 05 ac 8a 2e 07 	mov    %gs:0x72e8aac(%rip),%eax        # 0x72e8ae2
  36:	85 c0                	test   %eax,%eax
  38:	74 40                	je     0x7a
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	04 24                	add    $0x24,%al
  3e:	0e                   	(bad)
  3f:	36                   	ss