Oops: general protection fault, probably for non-canonical address 0xe000080fdb502307: 0000 [#1] SMP KASAN PTI
KASAN: probably user-memory-access in range [0x0000607eda811838-0x0000607eda81183f]
CPU: 0 UID: 0 PID: 16233 Comm: kworker/0:2 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: mld mld_ifc_work
RIP: 0010:bond_header_create+0x150/0x300 drivers/net/bonding/bond_main.c:1522
Code: e8 e5 77 59 fb 45 85 f6 0f 84 a5 00 00 00 e8 97 73 59 fb eb 05 e8 90 73 59 fb 48 85 ed 0f 84 89 00 00 00 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 91 d1 c2 fb 48 8b 6d 00 4c 8d 75
RSP: 0000:ffffc90006e3f630 EFLAGS: 00010202
RAX: 00000c0fdb502307 RBX: ffffffff866ccaeb RCX: ffff8880276c8000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000607eda811838 R08: ffffffff866ccaeb R09: ffffffff8e75d720
R10: dffffc0000000000 R11: ffffffff866ccab0 R12: 00000000000086dd
R13: ffff888027b58500 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888125448000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d80aff8 CR3: 000000001dbda000 CR4: 00000000003526f0
Call Trace:
 dev_hard_header include/linux/netdevice.h:3440 [inline]
 neigh_connected_output+0x286/0x460 net/core/neighbour.c:1644
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246
 dst_output include/net/dst.h:470 [inline]
 NF_HOOK+0x177/0x4f0 include/linux/netfilter.h:318
 mld_sendpack+0x8b4/0xe40 net/ipv6/mcast.c:1855
 mld_send_cr net/ipv6/mcast.c:2154 [inline]
 mld_ifc_work+0x835/0xe70 net/ipv6/mcast.c:2693
 process_one_work kernel/workqueue.c:3278 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3361
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3442
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bond_header_create+0x150/0x300 drivers/net/bonding/bond_main.c:1522
Code: e8 e5 77 59 fb 45 85 f6 0f 84 a5 00 00 00 e8 97 73 59 fb eb 05 e8 90 73 59 fb 48 85 ed 0f 84 89 00 00 00 48 89 e8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 ef e8 91 d1 c2 fb 48 8b 6d 00 4c 8d 75
RSP: 0000:ffffc90006e3f630 EFLAGS: 00010202
RAX: 00000c0fdb502307 RBX: ffffffff866ccaeb RCX: ffff8880276c8000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000607eda811838 R08: ffffffff866ccaeb R09: ffffffff8e75d720
R10: dffffc0000000000 R11: ffffffff866ccab0 R12: 00000000000086dd
R13: ffff888027b58500 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888125448000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffff5a34fe8 CR3: 00000000341c8000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0: e8 e5 77 59 fb       call 0xfb5977ea
   5: 45 85 f6             test %r14d,%r14d
   8: 0f 84 a5 00 00 00    je 0xb3
   e: e8 97 73 59 fb       call 0xfb5973aa
  13: eb 05                jmp 0x1a
  15: e8 90 73 59 fb       call 0xfb5973aa
  1a: 48 85 ed             test %rbp,%rbp
  1d: 0f 84 89 00 00 00    je 0xac
  23: 48 89 e8             mov %rbp,%rax
  26: 48 c1 e8 03          shr $0x3,%rax
* 2a: 42 80 3c 38 00       cmpb $0x0,(%rax,%r15,1) <-- trapping instruction
  2f: 74 08                je 0x39
  31: 48 89 ef             mov %rbp,%rdi
  34: e8 91 d1 c2 fb       call 0xfbc2d1ca
  39: 48 8b 6d 00          mov 0x0(%rbp),%rbp
  3d: 4c                   rex.WR
  3e: 8d                   .byte 0x8d
  3f: 75                   .byte 0x75