------------[ cut here ]------------
WARNING: ./include/linux/skbuff.h:1165 at skb_dst_check_unset include/linux/skbuff.h:1164 [inline], CPU#0: syz.0.726/8765
WARNING: ./include/linux/skbuff.h:1165 at skb_dst_set include/linux/skbuff.h:1211 [inline], CPU#0: syz.0.726/8765
WARNING: ./include/linux/skbuff.h:1165 at nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234, CPU#0: syz.0.726/8765
Modules linked in:
CPU: 0 UID: 0 PID: 8765 Comm: syz.0.726 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:skb_dst_check_unset include/linux/skbuff.h:1164 [inline]
RIP: 0010:skb_dst_set include/linux/skbuff.h:1211 [inline]
RIP: 0010:nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234
Code: 8b 0d d0 38 a8 08 48 3b 8c 24 e0 00 00 00 75 5d 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc e8 5d b7 a6 f7 90 <0f> 0b 90 e9 38 ff ff ff 44 89 f9 80 e1 07 fe c1 38 c1 0f 8c 2b fe
RSP: 0000:ffffc900000072c0 EFLAGS: 00010246
RAX: ffffffff8a19d773 RBX: ffff88807a645780 RCX: ffff88807ab23c00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900000073f0 R08: ffff88804e55a343 R09: 1ffff11009cab468
R10: dffffc0000000000 R11: ffffed1009cab469 R12: ffff888075f94101
R13: dffffc0000000001 R14: 1ffff92000000e5c R15: 0000000000000000
FS:  0000555585ba1500(0000) GS:ffff8881259ff000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c496498 CR3: 00000000756e4000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 nf_send_unreach+0x17b/0x6e0 net/ipv4/netfilter/nf_reject_ipv4.c:325
 nft_reject_inet_eval+0x4bc/0x690 net/netfilter/nft_reject_inet.c:27
 expr_call_ops_eval net/netfilter/nf_tables_core.c:237 [inline]
 nft_do_chain+0x40c/0x1920 net/netfilter/nf_tables_core.c:285
 nft_do_chain_inet+0x25d/0x340 net/netfilter/nft_chain_filter.c:161
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK+0x206/0x3a0 include/linux/netfilter.h:316
 __netif_receive_skb_one_core net/core/dev.c:5991 [inline]
 __netif_receive_skb+0x143/0x380 net/core/dev.c:6104
 process_backlog+0x60e/0x14f0 net/core/dev.c:6456
 __napi_poll+0xc4/0x360 net/core/dev.c:7506
 napi_poll net/core/dev.c:7569 [inline]
 net_rx_action+0x707/0xe30 net/core/dev.c:7696
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_irq_work arch/x86/kernel/irq_work.c:17 [inline]
 sysvec_irq_work+0xa3/0xc0 arch/x86/kernel/irq_work.c:17
 </IRQ>
 <TASK>
 asm_sysvec_irq_work+0x1a/0x20 arch/x86/include/asm/idtentry.h:733
RIP: 0010:finish_task_switch+0x26b/0x950 kernel/sched/core.c:5225
Code: 0f 84 3c 01 00 00 48 85 db 0f 85 63 01 00 00 e9 27 05 00 00 4c 8b 75 d0 4c 89 e7 e8 0f 38 ef 09 e8 2a 3a 36 00 fb 4c 8b 65 c0 <49> 8d bc 24 18 16 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 28 84 c0
RSP: 0000:ffffc9001bf3fc58 EFLAGS: 00000282
RAX: bfac6cd3ee7d6400 RBX: 0000000000000000 RCX: bfac6cd3ee7d6400
RDX: 0000000000000000 RSI: ffffffff8c035860 RDI: ffffffff8191ff56
RBP: ffffc9001bf3fcb0 R08: ffffffff8fc40337 R09: 1ffffffff1f88066
R10: dffffc0000000000 R11: fffffbfff1f88067 R12: ffff88807ab23c00
R13: dffffc0000000000 R14: ffff888028185a00 R15: ffff8880b863ab58
 context_switch kernel/sched/core.c:5360 [inline]
 __schedule+0x17a0/0x4cc0 kernel/sched/core.c:6961
 __schedule_loop kernel/sched/core.c:7043 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:7058
 exit_to_user_mode_loop kernel/entry/common.c:31 [inline]
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 irqentry_exit_to_user_mode+0x5d/0x120 kernel/entry/common.c:73
 asm_sysvec_reschedule_ipi+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0033:0x7f29fb46ec5c
Code: 31 c0 48 81 ce ff ff ff 3f 48 3b 34 c1 0f 84 3b 01 00 00 48 83 c0 01 48 83 f8 04 75 ec 31 f6 80 7c 24 1e 00 0f 85 8e 01 00 00 <41> 83 c7 01 45 3b 78 04 0f 82 6c ff ff ff 80 7b 4e 00 0f 84 17 03
RSP: 002b:00007ffc23b48350 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 00007f29fc2e5720 RCX: ffffffff8b7968d5
RDX: 00000000000008d5 RSI: ffffffff8b7968d5 RDI: 0000000000000014
RBP: ffffffff8b7968d5 R08: 00007f29fb7b6038 R09: 00007f29fb7a2000
R10: 00007f29fafff008 R11: 0000000000000014 R12: 0000000000000014
R13: 0000000000000000 R14: ffffffff8b7965f0 R15: 000000000000b1b4
 </TASK>
----------------
Code disassembly (best guess):
   0:	0f 84 3c 01 00 00    	je     0x142
   6:	48 85 db             	test   %rbx,%rbx
   9:	0f 85 63 01 00 00    	jne    0x172
   f:	e9 27 05 00 00       	jmp    0x53b
  14:	4c 8b 75 d0          	mov    -0x30(%rbp),%r14
  18:	4c 89 e7             	mov    %r12,%rdi
  1b:	e8 0f 38 ef 09       	call   0x9ef382f
  20:	e8 2a 3a 36 00       	call   0x363a4f
  25:	fb                   	sti
  26:	4c 8b 65 c0          	mov    -0x40(%rbp),%r12
* 2a:	49 8d bc 24 18 16 00 	lea    0x1618(%r12),%rdi <-- trapping instruction
  31:	00
  32:	48 89 f8             	mov    %rdi,%rax
  35:	48 c1 e8 03          	shr    $0x3,%rax
  39:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
  3e:	84 c0                	test   %al,%al