------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:28!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6094 Comm: kworker/u8:10 Not tainted 6.16.0-syzkaller-11743-g6bcdbd62bd56 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: netns cleanup_net
RIP: 0010:__phys_addr+0xfa/0x180 arch/x86/mm/physaddr.c:28
Code: 48 d3 e8 48 89 c3 48 89 c6 e8 22 d7 4e 00 48 85 db 75 11 e8 a8 db 4e 00 48 89 e8 5b 5d 41 5c e9 37 8a a3 ff e8 97 db 4e 00 90 <0f> 0b e8 8f db 4e 00 48 c7 c0 10 b0 3a 8e 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90000007d70 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000017fff0000 RCX: ffffffff816cb653
RDX: ffff88802d231e00 RSI: ffffffff816cb6d9 RDI: 0000000000000006
RBP: 00007780ffff0000 R08: 0000000000000006 R09: 000000017fff0000
R10: 00007780ffff0000 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff81a23057 R14: ffffc90000007e90 R15: 0000000000000008
FS:  0000000000000000(0000) GS:ffff8881246c7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22bad20f98 CR3: 000000004c1ba000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 virt_to_folio include/linux/mm.h:1180 [inline]
 kfree+0x66/0x4d0 mm/slub.c:4871
 in_dev_free_rcu+0x44/0x60 net/ipv4/devinet.c:245
 rcu_do_batch kernel/rcu/tree.c:2605 [inline]
 rcu_core+0x79c/0x1530 kernel/rcu/tree.c:2861
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:finish_task_switch.isra.0+0x22a/0xc10 kernel/sched/core.c:5225
Code: fb 09 00 00 44 8b 05 49 51 22 0f 45 85 c0 0f 85 be 01 00 00 4c 89 e7 e8 a4 f6 ff ff e8 0f 6e 3a 00 fb 65 48 8b 1d fe 84 4c 12 <48> 8d bb 18 16 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
RSP: 0018:ffffc9000aa471a8 EFLAGS: 00000202
RAX: 00000000004eab43 RBX: ffff88802d231e00 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff8de49a8d RDI: ffffffff8c161780
RBP: ffffc9000aa471f0 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90ab2a97 R11: 0000000000000000 R12: ffff8880b843a440
R13: ffff888030b4da00 R14: ffff8880b843a440 R15: ffff8880b843b2b0
 context_switch kernel/sched/core.c:5360 [inline]
 __schedule+0x1198/0x5de0 kernel/sched/core.c:6961
 preempt_schedule_irq+0x51/0x90 kernel/sched/core.c:7288
 irqentry_exit+0x36/0x90 kernel/entry/common.c:197
 asm_sysvec_reschedule_ipi+0x1a/0x20 arch/x86/include/asm/idtentry.h:707
RIP: 0010:lock_acquire+0x62/0x350 kernel/locking/lockdep.c:5872
Code: c7 3d 12 83 f8 07 0f 87 bc 02 00 00 89 c0 48 0f a3 05 62 61 13 0f 0f 82 74 02 00 00 8b 35 0a 93 13 0f 85 f6 0f 85 8d 00 00 00 <48> 8b 44 24 30 65 48 2b 05 b9 c6 3d 12 0f 85 c7 02 00 00 48 83 c4
RSP: 0018:ffffc9000aa47498 EFLAGS: 00000206
RAX: 0000000000000046 RBX: ffffffff8e5c1160 RCX: 00000000ea2818d4
RDX: 0000000000000000 RSI: ffffffff8de246c8 RDI: ffffffff8c161780
RBP: 0000000000000002 R08: 3803dae90af9619f R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 kernfs_root+0x34/0x2a0 fs/kernfs/kernfs-internal.h:75
 kernfs_drain+0x84/0x570 fs/kernfs/dir.c:493
 __kernfs_remove+0x271/0x8a0 fs/kernfs/dir.c:1508
 kernfs_remove_by_name_ns+0x68/0x110 fs/kernfs/dir.c:1717
 kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
 remove_files+0x96/0x1c0 fs/sysfs/group.c:28
 sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:322
 sysfs_remove_groups fs/sysfs/group.c:346 [inline]
 sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:338
 device_remove_groups drivers/base/core.c:2843 [inline]
 device_remove_attrs+0x203/0x290 drivers/base/core.c:2979
 device_del+0x38e/0x9f0 drivers/base/core.c:3877
 unregister_netdevice_many_notify+0x14f0/0x24c0 net/core/dev.c:12191
 unregister_netdevice_many net/core/dev.c:12219 [inline]
 default_device_exit_batch+0x853/0xaf0 net/core/dev.c:12723
 ops_exit_list net/core/net_namespace.c:204 [inline]
 ops_undo_list+0x363/0xab0 net/core/net_namespace.c:251
 cleanup_net+0x408/0x890 net/core/net_namespace.c:682
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
vkms_vblank_simulate: vblank timer overrun
---[ end trace 0000000000000000 ]---
RIP: 0010:__phys_addr+0xfa/0x180 arch/x86/mm/physaddr.c:28
Code: 48 d3 e8 48 89 c3 48 89 c6 e8 22 d7 4e 00 48 85 db 75 11 e8 a8 db 4e 00 48 89 e8 5b 5d 41 5c e9 37 8a a3 ff e8 97 db 4e 00 90 <0f> 0b e8 8f db 4e 00 48 c7 c0 10 b0 3a 8e 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90000007d70 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 000000017fff0000 RCX: ffffffff816cb653
RDX: ffff88802d231e00 RSI: ffffffff816cb6d9 RDI: 0000000000000006
RBP: 00007780ffff0000 R08: 0000000000000006 R09: 000000017fff0000
R10: 00007780ffff0000 R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff81a23057 R14: ffffc90000007e90 R15: 0000000000000008
FS:  0000000000000000(0000) GS:ffff8881246c7000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f22bad20f98 CR3: 000000004c1ba000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	fb                   	sti
   1:	09 00                	or     %eax,(%rax)
   3:	00 44 8b 05          	add    %al,0x5(%rbx,%rcx,4)
   7:	49 51                	rex.WB push %r9
   9:	22 0f                	and    (%rdi),%cl
   b:	45 85 c0             	test   %r8d,%r8d
   e:	0f 85 be 01 00 00    	jne    0x1d2
  14:	4c 89 e7             	mov    %r12,%rdi
  17:	e8 a4 f6 ff ff       	call   0xfffff6c0
  1c:	e8 0f 6e 3a 00       	call   0x3a6e30
  21:	fb                   	sti
  22:	65 48 8b 1d fe 84 4c 	mov    %gs:0x124c84fe(%rip),%rbx        # 0x124c8528
  29:	12
* 2a:	48 8d bb 18 16 00 00 	lea    0x1618(%rbx),%rdi <-- trapping instruction
  31:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  38:	fc ff df
  3b:	48 89 fa             	mov    %rdi,%rdx
  3e:	48                   	rex.W
  3f:	c1                   	.byte 0xc1