=====================================================
BUG: KMSAN: uninit-value in __flush_smp_call_function_queue+0x362/0x18e0 kernel/smp.c:535
 __flush_smp_call_function_queue+0x362/0x18e0 kernel/smp.c:535
 generic_smp_call_function_single_interrupt+0x1c/0x30 kernel/smp.c:463
 __sysvec_call_function_single+0x4b/0x3e0 arch/x86/kernel/smp.c:271
 instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
 sysvec_call_function_single+0x7c/0x90 arch/x86/kernel/smp.c:266
 asm_sysvec_call_function_single+0x1f/0x30 arch/x86/include/asm/idtentry.h:704
 kmsan_phys_addr_valid arch/x86/include/asm/kmsan.h:55 [inline]
 kmsan_virt_addr_valid arch/x86/include/asm/kmsan.h:79 [inline]
 virt_to_page_or_null+0x27/0x170 mm/kmsan/shadow.c:75
 kmsan_get_shadow_origin_ptr+0x4a/0xb0 mm/kmsan/shadow.c:102
 get_shadow_origin_ptr mm/kmsan/instrumentation.c:38 [inline]
 __msan_metadata_ptr_for_load_4+0x24/0x40 mm/kmsan/instrumentation.c:93
 stack_trace_consume_entry+0x182/0x220 kernel/stacktrace.c:94
 arch_stack_walk+0x18e/0x280 arch/x86/kernel/stacktrace.c:27
 stack_trace_save+0xc2/0x100 kernel/stacktrace.c:122
 kmsan_save_stack_with_flags mm/kmsan/core.c:73 [inline]
 kmsan_internal_chain_origin+0x5d/0xd0 mm/kmsan/core.c:179
 kmsan_internal_memmove_metadata+0x181/0x230 mm/kmsan/core.c:135
 __msan_memcpy+0x105/0x1c0 mm/kmsan/instrumentation.c:200
 pskb_expand_head+0x5a2/0x1e00 net/core/skbuff.c:2322
 netlink_trim+0x3a3/0x450 net/netlink/af_netlink.c:1299
 netlink_broadcast_filtered+0x80/0x2820 net/netlink/af_netlink.c:1512
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0x15b/0x2f0 net/netlink/af_netlink.c:2593
 rtnl_notify net/core/rtnetlink.c:964 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:4472 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4488 [inline]
 rtnetlink_event+0x302/0x3d0 net/core/rtnetlink.c:7054
 notifier_call_chain kernel/notifier.c:85 [inline]
 raw_notifier_call_chain+0x106/0x480 kernel/notifier.c:453
 call_netdevice_notifiers_info net/core/dev.c:2249 [inline]
 __netdev_upper_dev_unlink+0x6b1/0x1a40 net/core/dev.c:9008
 netdev_upper_dev_unlink+0x26/0x30 net/core/dev.c:9035
 bond_upper_dev_unlink drivers/net/bonding/bond_main.c:1726 [inline]
 __bond_release_one+0x4e6/0x1850 drivers/net/bonding/bond_main.c:2468
 bond_uninit+0x471/0x970 drivers/net/bonding/bond_main.c:6059
 unregister_netdevice_many_notify+0x3df5/0x4c00 net/core/dev.c:12452
 unregister_netdevice_many+0x22/0x30 net/core/dev.c:12494
 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
 ops_undo_list+0x5d8/0xb80 net/core/net_namespace.c:248
 cleanup_net+0xc24/0x1460 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb82/0x1e80 kernel/workqueue.c:3359
 worker_thread+0xee4/0x1590 kernel/workqueue.c:3440
 kthread+0x53f/0x600 kernel/kthread.c:436
 ret_from_fork+0x20f/0x910 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Local variable iter created at:
 tdp_mmu_zap_leafs+0x52/0x6e0 arch/x86/kvm/mmu/tdp_mmu.c:983
 kvm_tdp_mmu_unmap_gfn_range+0x910/0xb50 arch/x86/kvm/mmu/tdp_mmu.c:1362

CPU: 0 UID: 0 PID: 35 Comm: kworker/u8:2 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: netns cleanup_net
=====================================================