------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:28!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc7-syzkaller-00120-g5f33ebd2018c #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:__phys_addr+0x16b/0x180 arch/x86/mm/physaddr.c:28
Code: 9d ab 00 e9 45 ff ff ff e8 82 b6 4b 00 48 c7 c7 10 f7 fa 8d 48 89 de 4c 89 f2 e8 60 58 7a 03 e9 4d ff ff ff e8 66 b6 4b 00 90 <0f> 0b e8 5e b6 4b 00 90 0f 0b e8 56 b6 4b 00 90 0f 0b 0f 1f 00 90
RSP: 0000:ffffc90000007b58 EFLAGS: 00010246
RAX: ffffffff81746f5a RBX: 00007780ffff0000 RCX: ffffffff8de95280
RDX: 0000000000000100 RSI: 000000017fff0000 RDI: 00007780ffff0000
RBP: ffffc90000007e30 R08: 0000000000000000 R09: ffffffff81a8c084
R10: dffffc0000000000 R11: ffffffff89edbc30 R12: ffffffff89edbc30
R13: ffffffff81a8c084 R14: 000000017fff0000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125c57000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000382030 CR3: 0000000024c2c000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 virt_to_folio include/linux/mm.h:1178 [inline]
 kfree+0x77/0x440 mm/slub.c:4834
 in_dev_free_rcu+0x49/0x60 net/ipv4/devinet.c:245
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca5/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:tick_nohz_idle_enter+0x22e/0x2f0 kernel/time/tick-sched.c:1267
Code: e8 03 42 80 3c 38 00 74 08 48 89 df e8 3b d0 6d 00 80 0b 01 48 89 df e8 e0 00 00 00 e8 0b 75 15 00 fb 48 c7 04 24 0e 36 e0 45 <4b> c7 04 3c 00 00 00 00 65 48 8b 05 32 53 ea 10 48 3b 44 24 48 0f
RSP: 0000:ffffffff8de07d00 EFLAGS: 00000286
RAX: 6c2199a951bace00 RBX: ffff8880b8628400 RCX: 6c2199a951bace00
RDX: 0000000000000000 RSI: ffffffff8d982ff2 RDI: ffffffff8be1ba80
RBP: ffffffff8de07d90 R08: ffffffff8fa0b3f7 R09: 1ffffffff1f4167e
R10: dffffc0000000000 R11: fffffbfff1f4167f R12: 1ffffffff1bc0fa0
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
 do_idle+0x9e/0x510 kernel/sched/idle.c:271
 cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:423
 rest_init+0x2de/0x300 init/main.c:745
 start_kernel+0x47d/0x500 init/main.c:1102
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
 x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
 common_startup_64+0x13e/0x147
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__phys_addr+0x16b/0x180 arch/x86/mm/physaddr.c:28
Code: 9d ab 00 e9 45 ff ff ff e8 82 b6 4b 00 48 c7 c7 10 f7 fa 8d 48 89 de 4c 89 f2 e8 60 58 7a 03 e9 4d ff ff ff e8 66 b6 4b 00 90 <0f> 0b e8 5e b6 4b 00 90 0f 0b e8 56 b6 4b 00 90 0f 0b 0f 1f 00 90
RSP: 0000:ffffc90000007b58 EFLAGS: 00010246
RAX: ffffffff81746f5a RBX: 00007780ffff0000 RCX: ffffffff8de95280
RDX: 0000000000000100 RSI: 000000017fff0000 RDI: 00007780ffff0000
RBP: ffffc90000007e30 R08: 0000000000000000 R09: ffffffff81a8c084
R10: dffffc0000000000 R11: ffffffff89edbc30 R12: ffffffff89edbc30
R13: ffffffff81a8c084 R14: 000000017fff0000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888125c57000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000382030 CR3: 0000000024c2c000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	e8 03 42 80 3c       	call   0x3c804208
   5:	38 00                	cmp    %al,(%rax)
   7:	74 08                	je     0x11
   9:	48 89 df             	mov    %rbx,%rdi
   c:	e8 3b d0 6d 00       	call   0x6dd04c
  11:	80 0b 01             	orb    $0x1,(%rbx)
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 e0 00 00 00       	call   0xfc
  1c:	e8 0b 75 15 00       	call   0x15752c
  21:	fb                   	sti
  22:	48 c7 04 24 0e 36 e0 	movq   $0x45e0360e,(%rsp)
  29:	45
* 2a:	4b c7 04 3c 00 00 00 	movq   $0x0,(%r12,%r15,1) <-- trapping instruction
  31:	00
  32:	65 48 8b 05 32 53 ea 	mov    %gs:0x10ea5332(%rip),%rax        # 0x10ea536c
  39:	10
  3a:	48 3b 44 24 48       	cmp    0x48(%rsp),%rax
  3f:	0f                   	.byte 0xf