bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): Released all slaves
Unable to handle kernel paging request at virtual address dfff800000000000
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 45 Comm: kworker/u8:3 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: netns cleanup_net
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __hlist_del include/linux/list.h:988 [inline]
pc : hlist_del_init_rcu include/linux/rculist.h:184 [inline]
pc : napi_hash_del net/core/dev.c:6530 [inline]
pc : __netif_napi_del+0xac/0x75c net/core/dev.c:6744
lr : spin_lock include/linux/spinlock.h:351 [inline]
lr : napi_hash_del net/core/dev.c:6528 [inline]
lr : __netif_napi_del+0x6c/0x75c net/core/dev.c:6744
sp : ffff800097cd77f0
x29: ffff800097cd77f0 x28: 1fffffbff7ed45cc x27: dfff800000000000
x26: dfff800000000000 x25: ffff0000d17e2608 x24: 1fffffbff7ed8e07
x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000001
x20: fffffdffbf6c7038 x19: fffffdffbf6c6eb8 x18: 1fffe000366d31ee
x17: ffff8001241e1000 x16: ffff8000803600cc x15: ffff700012f9aee4
x14: 1ffff00012f9aee4 x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff700012f9aee4 x10: 1ffff00012f9aee4 x9 : 55a0cbad83670000
x8 : 0000000000000000 x7 : ffff8000894ca140 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff8000803601f4
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
 __hlist_del include/linux/list.h:985 [inline]
 hlist_del_init_rcu include/linux/rculist.h:184 [inline]
 napi_hash_del net/core/dev.c:6530 [inline]
 __netif_napi_del+0xac/0x75c net/core/dev.c:6744
 gro_cells_destroy+0x120/0x348 net/core/gro_cells.c:117
 ip_tunnel_dev_free+0x20/0x38 net/ipv4/ip_tunnel.c:1100
 netdev_run_todo+0xc64/0xe5c net/core/dev.c:10762
 rtnl_unlock+0x14/0x20 net/core/rtnetlink.c:152
 cleanup_net+0x5cc/0x9b4 net/core/net_namespace.c:636
 process_one_work+0x79c/0x15b8 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x978/0xec4 kernel/workqueue.c:3389
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: aa1603e0 97a97d5b d343fea8 f94002d6 (38776908) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa1603e0 	mov	x0, x22
   4:	97a97d5b 	bl	0xfffffffffea5f570
   8:	d343fea8 	lsr	x8, x21, #3
   c:	f94002d6 	ldr	x22, [x22]
* 10:	38776908 	ldrb	w8, [x8, x23] <-- trapping instruction