syzbot

bridge0: port 1(bridge_slave_0) entered disabled state
HfR: left promiscuous mode
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 UID: 0 PID: 25013 Comm: kworker/u11:28 Tainted: G     U  W    L XTNJ syzkaller #0 PREEMPT(full) 
Tainted: [U]=USER, [W]=WARN, [L]=SOFTLOCKUP, [X]=AUX, [T]=RANDSTRUCT, [N]=TEST, [J]=FWCTL
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
RIP: 0010:tipc_conn_close+0x48/0x1c0 net/tipc/topsrv.c:158
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 5b 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 08 48 8d 7d 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 45 01 00 00 4c 8b 6d 18 49 8d ad f0 03 00 00 48
RSP: 0018:ffffc90003ddf9d0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88803309cc00 RCX: 0000000000000007
RDX: 0000000000000003 RSI: ffffffff8b169a44 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff9088e8d7 R11: ffff88802ff029b0 R12: ffff88805a3e6800
R13: 0000000000000000 R14: ffff88803309cc08 R15: ffffed100b47cd13
FS:  0000000000000000(0000) GS:ffff8881248fc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559efbf8c000 CR3: 000000007edca000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 tipc_topsrv_stop net/tipc/topsrv.c:709 [inline]
 tipc_topsrv_exit_net+0x216/0x4c0 net/tipc/topsrv.c:732
 ops_exit_list net/core/net_namespace.c:199 [inline]
 ops_undo_list+0x2ee/0xab0 net/core/net_namespace.c:252
 cleanup_net+0x41b/0x830 net/core/net_namespace.c:696
 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:tipc_conn_close+0x48/0x1c0 net/tipc/topsrv.c:158
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 5b 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 08 48 8d 7d 18 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 45 01 00 00 4c 8b 6d 18 49 8d ad f0 03 00 00 48
RSP: 0018:ffffc90003ddf9d0 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff88803309cc00 RCX: 0000000000000007
RDX: 0000000000000003 RSI: ffffffff8b169a44 RDI: 0000000000000018
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff9088e8d7 R11: ffff88802ff029b0 R12: ffff88805a3e6800
R13: 0000000000000000 R14: ffff88803309cc08 R15: ffffed100b47cd13
FS:  0000000000000000(0000) GS:ffff8881248fc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f53e612f286 CR3: 000000001252e000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 5b 01 00 00    	jne    0x169
   e:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  15:	fc ff df
  18:	48 8b 6b 08          	mov    0x8(%rbx),%rbp
  1c:	48 8d 7d 18          	lea    0x18(%rbp),%rdi
  20:	48 89 fa             	mov    %rdi,%rdx
  23:	48 c1 ea 03          	shr    $0x3,%rdx
* 27:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2b:	0f 85 45 01 00 00    	jne    0x176
  31:	4c 8b 6d 18          	mov    0x18(%rbp),%r13
  35:	49 8d ad f0 03 00 00 	lea    0x3f0(%r13),%rbp
  3c:	48                   	rex.W