While auditing something unrelated, I noticed that this function seems to potentially dev_put() on an error pointer.
I guess the problem comes from the fact that there are two methods by which the device pointer is obtained. First, inet{,6}_fib_lookup_dev() which uses error pointers. Second, dev_get_by_index() which returns a valid device or NULL, and therefore does not use error pointers. If inet{,6}_fib_lookup_dev() returns an error pointer, the !dev check will not pass and dev_put() will operate on an error pointer and crash. If you agree with my analysis, could you please cook up and test a fix? Thank you!