general protection fault in addrconf_add_ifaddr


Hui Guo

Apr 5, 2025, 10:31:15 PM
to David S. Miller, David Ahern, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, net...@vger.kernel.org, linux-...@vger.kernel.org, Kuniyuki Iwashima, Willem de Bruijn, syzkall...@googlegroups.com
Hi Kernel Maintainers,
We found a crash "general protection fault in addrconf_add_ifaddr" (it
is a KASAN report and makes the kernel reboot) in upstream; we have also
successfully reproduced it manually:

HEAD Commit: 9f867ba24d3665d9ac9d9ef1f51844eb4479b291
kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/.config

console output:
https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.log
repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.report
syz reproducer:
https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.prog
c reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.cprog

Please let me know if there is anything I can help with.
Best,
Hui Guo

This is the crash log I got by reproducing the bug in the above
environment. I have piped this log through decode_stacktrace.sh to better
understand the cause of the bug.
=============================================================================================
2025/04/06 02:22:59 parsed 1
programsa/ghui/docker_data/workdir/upstream/ghui_syzkaller_upstream_linux_6_upstream/crashes/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.prog
[ 86.179154][ T9592] Adding 124996k swap on ./swap-file. Priority:0
extents:1 across:124996k
[ 87.644012][ T60] audit: type=1400 audit(1743906187.305:14): avc:
denied { execmem } for pid=9608 comm="syz-executor"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=un1
[ 87.761387][ T5240] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 87.764562][ T5240] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 87.765968][ T5240] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 87.767698][ T5240] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 87.772260][ T5240] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 88.154097][ T60] audit: type=1401 audit(1743906187.815:15):
op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
[ 88.319741][ T12] wlan0: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 88.320838][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 88.377747][ T9629] chnl_net:caif_netlink_parms(): no params data found
[ 88.377904][ T1155] wlan1: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 88.379844][ T1155] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 88.457479][ T9629] bridge0: port 1(bridge_slave_0) entered blocking state
[ 88.458808][ T9629] bridge0: port 1(bridge_slave_0) entered disabled state
[ 88.459788][ T9629] bridge_slave_0: entered allmulticast mode
[ 88.461242][ T9629] bridge_slave_0: entered promiscuous mode
[ 88.463760][ T9629] bridge0: port 2(bridge_slave_1) entered blocking state
[ 88.464785][ T9629] bridge0: port 2(bridge_slave_1) entered disabled state
[ 88.465822][ T9629] bridge_slave_1: entered allmulticast mode
[ 88.468044][ T9629] bridge_slave_1: entered promiscuous mode
[ 88.502986][ T9629] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 88.505841][ T9629] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 88.543640][ T9629] team0: Port device team_slave_0 added
[ 88.545637][ T9629] team0: Port device team_slave_1 added
[ 88.581650][ T9629] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 88.582413][ T9629] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this interface will be
fragmented .
[ 88.585340][ T9629] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 88.590220][ T9629] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 88.591134][ T9629] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this interface will be
fragmented .
[ 88.594386][ T9629] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 88.642273][ T9629] hsr_slave_0: entered promiscuous mode
[ 88.643637][ T9629] hsr_slave_1: entered promiscuous mode
[ 88.804702][ T9629] netdevsim netdevsim9 netdevsim0: renamed from eth0
[ 88.810111][ T9629] netdevsim netdevsim9 netdevsim1: renamed from eth1
[ 88.813180][ T9629] netdevsim netdevsim9 netdevsim2: renamed from eth2
[ 88.815381][ T9629] netdevsim netdevsim9 netdevsim3: renamed from eth3
[ 88.828851][ T9629] bridge0: port 2(bridge_slave_1) entered blocking state
[ 88.829814][ T9629] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 88.830877][ T9629] bridge0: port 1(bridge_slave_0) entered blocking state
[ 88.831656][ T9629] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 88.861702][ T9629] 8021q: adding VLAN 0 to HW filter on device bond0
[ 88.874562][T10046] bridge0: port 1(bridge_slave_0) entered disabled state
[ 88.876863][T10046] bridge0: port 2(bridge_slave_1) entered disabled state
[ 88.889439][ T9629] 8021q: adding VLAN 0 to HW filter on device team0
[ 88.894746][ T96] bridge0: port 1(bridge_slave_0) entered blocking state
[ 88.895679][ T96] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 88.900531][ T96] bridge0: port 2(bridge_slave_1) entered blocking state
[ 88.901442][ T96] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 89.014295][ T9629] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 89.153586][ T9629] veth0_vlan: entered promiscuous mode
[ 89.157428][ T9629] veth1_vlan: entered promiscuous mode
[ 89.173404][ T9629] veth0_macvtap: entered promiscuous mode
[ 89.176012][ T9629] veth1_macvtap: entered promiscuous mode
[ 89.184642][ T9629] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 89.193218][ T9629] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 89.197719][ T9629] netdevsim netdevsim9 netdevsim0: set [1, 0] type
2 family 0 port 6081 - 0
[ 89.200444][ T9629] netdevsim netdevsim9 netdevsim1: set [1, 0] type
2 family 0 port 6081 - 0
[ 89.202146][ T9629] netdevsim netdevsim9 netdevsim2: set [1, 0] type
2 family 0 port 6081 - 0
[ 89.203812][ T9629] netdevsim netdevsim9 netdevsim3: set [1, 0] type
2 family 0 port 6081 - 0
2025/04/06 02:23:08 executed programs: 0
[ 89.301312][ T87] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 89.303336][ T87] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 89.304722][ T87] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 89.306642][ T87] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 89.310004][ T87] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 89.409170][T11015] chnl_net:caif_netlink_parms(): no params data found
[ 89.483073][T11015] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.484753][T11015] bridge0: port 1(bridge_slave_0) entered disabled state
[ 89.486427][T11015] bridge_slave_0: entered allmulticast mode
[ 89.489542][T11015] bridge_slave_0: entered promiscuous mode
[ 89.494571][T11015] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.496212][T11015] bridge0: port 2(bridge_slave_1) entered disabled state
[ 89.497273][T11015] bridge_slave_1: entered allmulticast mode
[ 89.500140][T11015] bridge_slave_1: entered promiscuous mode
[ 89.538296][T11015] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 89.541739][T11015] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 89.580396][T11015] team0: Port device team_slave_0 added
[ 89.584584][T11015] team0: Port device team_slave_1 added
[ 89.625746][T11015] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 89.626548][T11015] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this interface will be
fragmented .
[ 89.629609][T11015] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 89.631614][T11015] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 89.632399][T11015] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this interface will be
fragmented .
[ 89.635213][T11015] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 89.668575][T11015] hsr_slave_0: entered promiscuous mode
[ 89.669594][T11015] hsr_slave_1: entered promiscuous mode
[ 89.670548][T11015] debugfs: Directory 'hsr0' with parent 'hsr'
already present!
[ 89.671508][T11015] Cannot create hsr debugfs directory
[ 89.780189][T11015] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 89.783028][T11015] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 89.785272][T11015] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 89.788202][T11015] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 89.803525][T11015] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.804338][T11015] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 89.805684][T11015] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.806484][T11015] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 89.848614][T11015] 8021q: adding VLAN 0 to HW filter on device bond0
[ 89.860220][ T5240] Bluetooth: hci0: command tx timeout
[ 89.863306][T10046] bridge0: port 1(bridge_slave_0) entered disabled state
[ 89.864964][T10046] bridge0: port 2(bridge_slave_1) entered disabled state
[ 89.875376][T11015] 8021q: adding VLAN 0 to HW filter on device team0
[ 89.884670][T10046] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.886327][T10046] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 89.892937][ T1155] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.894576][ T1155] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 90.024333][T11015] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 90.055011][T11015] veth0_vlan: entered promiscuous mode
[ 90.058720][T11015] veth1_vlan: entered promiscuous mode
[ 90.075111][T11015] veth0_macvtap: entered promiscuous mode
[ 90.077489][T11015] veth1_macvtap: entered promiscuous mode
[ 90.083799][T11015] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 90.085087][T11015] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 90.086999][T11015] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 90.094388][T11015] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 90.095512][T11015] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 90.097413][T11015] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 90.100436][T11015] netdevsim netdevsim0 netdevsim0: set [1, 0] type
2 family 0 port 6081 - 0
[ 90.101419][T11015] netdevsim netdevsim0 netdevsim1: set [1, 0] type
2 family 0 port 6081 - 0
[ 90.102363][T11015] netdevsim netdevsim0 netdevsim2: set [1, 0] type
2 family 0 port 6081 - 0
[ 90.103306][T11015] netdevsim netdevsim0 netdevsim3: set [1, 0] type
2 family 0 port 6081 - 0
[ 90.136521][ T12] wlan0: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 90.137631][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 90.150925][ T98] wlan1: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 90.152068][ T98] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 90.201985][T12032] Oops: general protection fault, probably for
non-canonical address 0xdffffc0000000198: 0000 [#1] SMP KASAN NOPTI
[ 90.204525][T12032] KASAN: null-ptr-deref in range
[0x0000000000000cc0-0x0000000000000cc7]
[ 90.206275][T12032] CPU: 3 UID: 0 PID: 12032 Comm: syz.0.15 Not
tainted 6.14.0-13408-g9f867ba24d36 #1 PREEMPT(full)
[ 90.208522][T12032] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[90.210452][T12032] RIP: 0010:addrconf_add_ifaddr
(/data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:30
/data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:41
/data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/addrconf.c:3157)
[ 90.211725][T12032] Code: 8b b4 24 94 00 00 00 4c 89 ef e8 7e 4c 2f
ff 4c 8d b0 c5 0c 00 00 48 89 c3 48 b8 00 00 00 00 00 fc ff df 4c 89
f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 80
All code
========
0: 8b b4 24 94 00 00 00 mov 0x94(%rsp),%esi
7: 4c 89 ef mov %r13,%rdi
a: e8 7e 4c 2f ff call 0xffffffffff2f4c8d
f: 4c 8d b0 c5 0c 00 00 lea 0xcc5(%rax),%r14
16: 48 89 c3 mov %rax,%rbx
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 f2 mov %r14,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 4c 89 f2 mov %r14,%rdx
31: 83 e2 07 and $0x7,%edx
34: 38 d0 cmp %dl,%al
36: 7f 08 jg 0x40
38: 80 .byte 0x80

Code starting with the faulting instruction
===========================================
0: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax
4: 4c 89 f2 mov %r14,%rdx
7: 83 e2 07 and $0x7,%edx
a: 38 d0 cmp %dl,%al
c: 7f 08 jg 0x16
e: 80 .byte 0x80
[ 90.215834][T12032] RSP: 0018:ffffc90015b0faa0 EFLAGS: 00010213
[ 90.217134][T12032] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
0000000000000000
[ 90.218816][T12032] RDX: 0000000000000198 RSI: ffffffff893162f2 RDI:
ffff888078cb0338
[ 90.220520][T12032] RBP: ffffc90015b0fbb0 R08: 0000000000000000 R09:
fffffbfff20cbbe2
[ 90.222226][T12032] R10: ffffc90015b0faa0 R11: 0000000000000000 R12:
1ffff92002b61f54
[ 90.223921][T12032] R13: ffff888078cb0000 R14: 0000000000000cc5 R15:
ffff888078cb0000
[ 90.225617][T12032] FS: 00007f92559ed640(0000)
GS:ffff8882a8659000(0000) knlGS:0000000000000000
[ 90.227459][T12032] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 90.228725][T12032] CR2: 00007f92559ecfc8 CR3: 000000001c39e000 CR4:
00000000000006f0
[ 90.230303][T12032] Call Trace:
[ 90.230937][T12032] <TASK>
[90.231510][T12032] ? __pfx_addrconf_add_ifaddr
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/addrconf.c:3136)
[90.232367][T12032] ? __pfx_avc_has_extended_perms
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/selinux/avc.c:1022)
[90.233023][T12032] inet6_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/af_inet6.c:580)
[90.233514][T12032] ? __pfx_inet6_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/af_inet6.c:564)
[90.234061][T12032] ? tomoyo_path_number_perm
(/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/srcu.h:167
/data/ghui/docker_data/linux_kernel/upstream/linux/./include/linux/srcu.h:402
/data/ghui/docker_data/linux_kernel/upstream/linux/security/tomoyo/common.h:1120
/data/ghui/docker_data/linux_kernel/upstream/linux/security/tomoyo/file.c:738)
[90.234685][T12032] ? tomoyo_path_number_perm
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/tomoyo/file.c:710)
[90.235320][T12032] ? __pfx_tomoyo_path_number_perm
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/tomoyo/file.c:710)
[90.235977][T12032] ? __sanitizer_cov_trace_switch
(/data/ghui/docker_data/linux_kernel/upstream/linux/kernel/kcov.c:350
(discriminator 3))
[90.236626][T12032] sock_do_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/socket.c:1196)
[90.237134][T12032] ? __pfx_sock_do_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/socket.c:1182)
[90.237704][T12032] ? ioctl_has_perm.constprop.0.isra.0
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/selinux/hooks.c:3698)
[90.238428][T12032] ? ioctl_has_perm.constprop.0.isra.0
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/selinux/hooks.c:3667)
[90.239140][T12032] ? __pfx_ioctl_has_perm.constprop.0.isra.0
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/selinux/hooks.c:3667)
[90.239884][T12032] sock_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/socket.c:1314)
[90.240370][T12032] ? __pfx_sock_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/socket.c:1218)
[90.240903][T12032] ? hook_file_ioctl_common
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/landlock/fs.c:1757)
[90.241515][T12032] ? selinux_file_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/selinux/hooks.c:3746)
[90.242087][T12032] ? selinux_file_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/security/selinux/hooks.c:3749)
[90.242627][T12032] ? __pfx_sock_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/net/socket.c:1218)
[90.243148][T12032] __x64_sys_ioctl
(/data/ghui/docker_data/linux_kernel/upstream/linux/fs/ioctl.c:52
/data/ghui/docker_data/linux_kernel/upstream/linux/fs/ioctl.c:906
/data/ghui/docker_data/linux_kernel/upstream/linux/fs/ioctl.c:892
/data/ghui/docker_data/linux_kernel/upstream/linux/fs/ioctl.c:892)
[90.243660][T12032] do_syscall_64
(/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/syscall_64.c:63
/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/syscall_64.c:94)
[90.244146][T12032] entry_SYSCALL_64_after_hwframe
(/data/ghui/docker_data/linux_kernel/upstream/linux/arch/x86/entry/entry_64.S:130)
[ 90.244768][T12032] RIP: 0033:0x7f9254b9c62d
[ 90.245246][T12032] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3
0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b
4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff f8
All code
========
0: 02 b8 ff ff ff ff add -0x1(%rax),%bh
6: c3 ret
7: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
d: f3 0f 1e fa endbr64
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 rex.W
34: c7 .byte 0xc7
35: c1 .byte 0xc1
36: a8 ff test $0xff,%al
38: f8 clc

Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 rex.W
a: c7 .byte 0xc7
b: c1 .byte 0xc1
c: a8 ff test $0xff,%al
e: f8 clc
[ 90.247261][T12032] RSP: 002b:00007f92559ecf98 EFLAGS: 00000246
ORIG_RAX: 0000000000000010
[ 90.248137][T12032] RAX: ffffffffffffffda RBX: 00007f9254d65f80 RCX:
00007f9254b9c62d
[ 90.248957][T12032] RDX: 0000000020000040 RSI: 0000000000008916 RDI:
0000000000000003
[ 90.249802][T12032] RBP: 00007f9254c264d3 R08: 0000000000000000 R09:
0000000000000000
[ 90.250634][T12032] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000000000
[ 90.251467][T12032] R13: 0000000000000000 R14: 00007f9254d65f80 R15:
00007f92559cd000
[ 90.252306][T12032] </TASK>
[ 90.252630][T12032] Modules linked in:
[ 90.253206][T12032] ---[ end trace 0000000000000000 ]---
[90.254158][T12032] RIP: 0010:addrconf_add_ifaddr
(/data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:30
/data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:41
/data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/addrconf.c:3157)
[ 90.255906][T12032] Code: 8b b4 24 94 00 00 00 4c 89 ef e8 7e 4c 2f
ff 4c 8d b0 c5 0c 00 00 48 89 c3 48 b8 00 00 00 00 00 fc ff df 4c 89
f2 48 c1 ea 03 <0f> b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 80
All code
========
0: 8b b4 24 94 00 00 00 mov 0x94(%rsp),%esi
7: 4c 89 ef mov %r13,%rdi
a: e8 7e 4c 2f ff call 0xffffffffff2f4c8d
f: 4c 8d b0 c5 0c 00 00 lea 0xcc5(%rax),%r14
16: 48 89 c3 mov %rax,%rbx
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 f2 mov %r14,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 4c 89 f2 mov %r14,%rdx
31: 83 e2 07 and $0x7,%edx
34: 38 d0 cmp %dl,%al
36: 7f 08 jg 0x40
38: 80 .byte 0x80

Code starting with the faulting instruction
===========================================
0: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax
4: 4c 89 f2 mov %r14,%rdx
7: 83 e2 07 and $0x7,%edx
a: 38 d0 cmp %dl,%al
c: 7f 08 jg 0x16
e: 80 .byte 0x80
[ 90.261730][T12032] RSP: 0018:ffffc90015b0faa0 EFLAGS: 00010213
[ 90.263435][T12032] RAX: dffffc0000000000 RBX: 0000000000000000 RCX:
0000000000000000
[ 90.265534][T12032] RDX: 0000000000000198 RSI: ffffffff893162f2 RDI:
ffff888078cb0338
[ 90.267919][T12032] RBP: ffffc90015b0fbb0 R08: 0000000000000000 R09:
fffffbfff20cbbe2
[ 90.270260][T12032] R10: ffffc90015b0faa0 R11: 0000000000000000 R12:
1ffff92002b61f54
[ 90.271462][T12032] R13: ffff888078cb0000 R14: 0000000000000cc5 R15:
ffff888078cb0000
[ 90.272695][T12032] FS: 00007f92559ed640(0000)
GS:ffff888124f59000(0000) knlGS:0000000000000000
[ 90.274114][T12032] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 90.275136][T12032] CR2: 00007fb4e404b0b8 CR3: 000000001c39e000 CR4:
00000000000006f0
[ 90.276353][T12032] Kernel panic - not syncing: Fatal exception
[ 90.277599][T12032] Kernel Offset: disabled
[ 90.278172][T12032] Rebooting in 86400 seconds..
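As an added example (not code from Hui Guo's report or from the kernel), this turns the non-canonical address in the Oops line back into the KASAN range the report prints and checks it against dev == NULL plus the 0xcc5 offset from the `lea 0xcc5(%rax),%r14` in the disassembly. It assumes the x86-64 KASAN shadow layout, shadow = (addr >> 3) + 0xdffffc0000000000, which is the constant the `movabs` in the same disassembly loads.

```c
/* Added example (not from the thread): decode the non-canonical address in a
 * KASAN "general protection fault" line back to the kernel address that was
 * actually accessed, and compare it with the range the report prints. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 KASAN shadow layout (assumed, matches the movabs in the disassembly):
 * one shadow byte covers 8 bytes of memory, shadow = (addr >> 3) + OFFSET. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

struct kasan_decoded {
    uint64_t shadow;     /* the non-canonical address from the Oops line    */
    uint64_t access;     /* start of the 8-byte granule that shadow byte covers */
    uint64_t range_end;  /* last byte of that granule (what KASAN prints)   */
    bool     null_deref; /* true when it looks like a small offset from NULL */
};

/* Inverse of the shadow mapping. Only the 8-byte granule is recoverable,
 * which is why KASAN reports a range rather than an exact address. */
struct kasan_decoded kasan_decode_gpf(uint64_t fault_addr)
{
    struct kasan_decoded d;

    d.shadow = fault_addr;
    d.access = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    d.range_end = d.access + (1u << KASAN_SHADOW_SCALE_SHIFT) - 1;
    /* a struct field read through a NULL pointer lands in the first page */
    d.null_deref = d.access < 4096;
    return d;
}

/* Forward direction: the shadow byte the instrumentation loads before an
 * access at 'addr'. Used to confirm that NULL + a field offset reproduces
 * the faulting address from the report. */
uint64_t kasan_shadow_of(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

int main(void)
{
    /* constructed input: values copied from the Oops line in the report */
    const uint64_t gpf_addr = 0xdffffc0000000198ULL;
    struct kasan_decoded d = kasan_decode_gpf(gpf_addr);

    printf("shadow 0x%016llx -> range [0x%016llx-0x%016llx]%s\n",
           (unsigned long long)d.shadow, (unsigned long long)d.access,
           (unsigned long long)d.range_end,
           d.null_deref ? " (null-ptr-deref)" : "");

    /* the disassembly does lea 0xcc5(%rax) with rax == dev == NULL */
    const uint64_t field_off = 0xcc5;
    printf("shadow of NULL+0x%llx = 0x%016llx (%s)\n",
           (unsigned long long)field_off,
           (unsigned long long)kasan_shadow_of(field_off),
           kasan_shadow_of(field_off) == gpf_addr ? "matches report"
                                                  : "mismatch");
    return 0;
}
```

The decoded range [0xcc0-0xcc7] is the one printed on the "KASAN: null-ptr-deref in range" line, so the fault is a read through a NULL net_device pointer, not a wild pointer.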

Kuniyuki Iwashima

Apr 5, 2025, 11:28:35 PM
to guohui...@gmail.com, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@amazon.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com, wil...@google.com
From: Hui Guo <guohui...@gmail.com>
Date: Sun, 6 Apr 2025 10:31:00 +0800
> Hi Kernel Maintainers,
> We found a crash "general protection fault in addrconf_add_ifaddr" (it
> is a KASAN report and makes the kernel reboot) in upstream; we have also
> successfully reproduced it manually:
>
> HEAD Commit: 9f867ba24d3665d9ac9d9ef1f51844eb4479b291
> kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/.config
>
> console output:
> https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.log
> repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.report
> syz reproducer:
> https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.prog
> c reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.cprog
>
> Please let me know if there is anything I can help with.
> Best,
> Hui Guo
>
> This is the crash log I got by reproducing the bug in the above
> environment. I have piped this log through decode_stacktrace.sh to better
> understand the cause of the bug.
[...]
> [ 90.201985][T12032] Oops: general protection fault, probably for
> non-canonical address 0xdffffc0000000198: 0000 [#1] SMP KASAN NOPTI
> [ 90.204525][T12032] KASAN: null-ptr-deref in range
> [0x0000000000000cc0-0x0000000000000cc7]
> [ 90.206275][T12032] CPU: 3 UID: 0 PID: 12032 Comm: syz.0.15 Not
> tainted 6.14.0-13408-g9f867ba24d36 #1 PREEMPT(full)
> [ 90.208522][T12032] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.15.0-1 04/01/2014
> [90.210452][T12032] RIP: 0010:addrconf_add_ifaddr
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:30
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:41
> /data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/addrconf.c:3157)

Thanks for the report.

netdev_lock_ops() needs to be moved:

---8<---
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index c3b908fccbc1..9c52ed23ff23 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3154,12 +3154,13 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg)

rtnl_net_lock(net);
dev = __dev_get_by_index(net, ireq.ifr6_ifindex);
- netdev_lock_ops(dev);
- if (dev)
+ if (dev) {
+ netdev_lock_ops(dev);
err = inet6_addr_add(net, dev, &cfg, 0, 0, NULL);
- else
+ netdev_unlock_ops(dev);
+ } else {
err = -ENODEV;
- netdev_unlock_ops(dev);
+ }
rtnl_net_unlock(net);
return err;
}
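Review bot: the reordering is the right fix for the trace quoted above: netdev_lock_ops(dev) was called before the NULL check, and netdev_need_ops_lock() (netdev_lock.h:30 in the RIP line) reads a field at offset 0xcc5 of the device, which with dev == NULL is exactly the KASAN range 0xcc0-0xcc7 in the report. With both `netdev_lock_ops(dev);` and `netdev_unlock_ops(dev);` inside the `if (dev) {` branch the unlock stays paired with the lock on every path and the -ENODEV path no longer touches the pointer. When this goes out as a formal patch it should carry a Fixes: tag for the commit that introduced the netdev_lock_ops() call here, plus the reporter's Reported-by, so it gets picked up by stable.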
---8<---

syzbot

Apr 7, 2025, 1:56:27 AM
to da...@davemloft.net, dsa...@kernel.org, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@amazon.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 8bc251e5d874 Merge tag 'nf-25-04-03' of git://git.kernel.o..
git tree: net
console+strace: https://syzkaller.appspot.com/x/log.txt?x=14981178580000
kernel config: https://syzkaller.appspot.com/x/.config?x=24f9c4330e7c0609
dashboard link: https://syzkaller.appspot.com/bug?extid=10d145ea96fc91185445
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=120f023f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e5c94c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a500d5daba83/disk-8bc251e5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2459c792199a/vmlinux-8bc251e5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/558655fb055e/bzImage-8bc251e5.xz

The issue was bisected to:

commit 8965c160b8f7333df895321c8aa6bad4a7175f2b
Author: Stanislav Fomichev <s...@fomichev.me>
Date: Tue Apr 1 16:34:44 2025 +0000

net: use netif_disable_lro in ipv6_add_dev

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1334423f980000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10b4423f980000
console output: https://syzkaller.appspot.com/x/log.txt?x=1734423f980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10d145...@syzkaller.appspotmail.com
Fixes: 8965c160b8f7 ("net: use netif_disable_lro in ipv6_add_dev")

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000198: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000cc0-0x0000000000000cc7]
CPU: 1 UID: 0 PID: 5850 Comm: syz-executor155 Not tainted 6.14.0-syzkaller-12504-g8bc251e5d874 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
RIP: 0010:netdev_lock_ops include/net/netdev_lock.h:41 [inline]
RIP: 0010:addrconf_add_ifaddr+0x23e/0x590 net/ipv6/addrconf.c:3157
Code: 03 00 00 8b b4 24 c4 00 00 00 48 8b 7c 24 18 e8 18 a3 25 ff 49 89 c5 48 8d 98 c5 0c 00 00 48 89 d8 48 c1 e8 03 48 89 44 24 38 <42> 0f b6 04 20 84 c0 0f 85 03 03 00 00 48 89 5c 24 28 0f b6 1b 31
RSP: 0018:ffffc90003f3fa00 EFLAGS: 00010203
RAX: 0000000000000198 RBX: 0000000000000cc5 RCX: ffff88807bf51e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9ac50c80
RBP: ffffc90003f3fb50 R08: ffffffff905fc777 R09: 1ffffffff20bf8ee
R10: dffffc0000000000 R11: fffffbfff20bf8ef R12: dffffc0000000000
R13: 0000000000000000 R14: 00002000000000c0 R15: 1ffff920007e7f48
FS: 0000555559d6c380(0000) GS:ffff888125099000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000000000c2 CR3: 000000003508e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
inet6_ioctl+0x148/0x280 net/ipv6/af_inet6.c:580
sock_do_ioctl+0x15a/0x490 net/socket.c:1190
sock_ioctl+0x644/0x900 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl+0xf1/0x160 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff0337e62e9
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffdf3f7f118 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffdf3f7f2e8 RCX: 00007ff0337e62e9
RDX: 00002000000000c0 RSI: 0000000000008916 RDI: 0000000000000003
RBP: 00007ff033859610 R08: 0000000000000000 R09: 00007ffdf3f7f2e8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffdf3f7f2d8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:netdev_need_ops_lock include/net/netdev_lock.h:30 [inline]
RIP: 0010:netdev_lock_ops include/net/netdev_lock.h:41 [inline]
RIP: 0010:addrconf_add_ifaddr+0x23e/0x590 net/ipv6/addrconf.c:3157
Code: 03 00 00 8b b4 24 c4 00 00 00 48 8b 7c 24 18 e8 18 a3 25 ff 49 89 c5 48 8d 98 c5 0c 00 00 48 89 d8 48 c1 e8 03 48 89 44 24 38 <42> 0f b6 04 20 84 c0 0f 85 03 03 00 00 48 89 5c 24 28 0f b6 1b 31
RSP: 0018:ffffc90003f3fa00 EFLAGS: 00010203
RAX: 0000000000000198 RBX: 0000000000000cc5 RCX: ffff88807bf51e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff9ac50c80
RBP: ffffc90003f3fb50 R08: ffffffff905fc777 R09: 1ffffffff20bf8ee
R10: dffffc0000000000 R11: fffffbfff20bf8ef R12: dffffc0000000000
R13: 0000000000000000 R14: 00002000000000c0 R15: 1ffff920007e7f48
FS: 0000555559d6c380(0000) GS:ffff888124f99000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004585c0 CR3: 000000003508e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 03 00 add (%rax),%eax
2: 00 8b b4 24 c4 00 add %cl,0xc424b4(%rbx)
8: 00 00 add %al,(%rax)
a: 48 8b 7c 24 18 mov 0x18(%rsp),%rdi
f: e8 18 a3 25 ff call 0xff25a32c
14: 49 89 c5 mov %rax,%r13
17: 48 8d 98 c5 0c 00 00 lea 0xcc5(%rax),%rbx
1e: 48 89 d8 mov %rbx,%rax
21: 48 c1 e8 03 shr $0x3,%rax
25: 48 89 44 24 38 mov %rax,0x38(%rsp)
* 2a: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 03 03 00 00 jne 0x33a
37: 48 89 5c 24 28 mov %rbx,0x28(%rsp)
3c: 0f b6 1b movzbl (%rbx),%ebx
3f: 31 .byte 0x31


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Apr 7, 2025, 7:22:35 AM
to syzbot+10d145...@syzkaller.appspotmail.com, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@amazon.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzkall...@googlegroups.com
Make sure that dev is not NULL before locking ops.

Fixes: 8965c160b8f7 ("net: use netif_disable_lro in ipv6_add_dev")
Reported-by: syzbot+10d145...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
net/ipv6/addrconf.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 2cffb8f4a2bc..5d9fd01e6265 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3154,12 +3154,13 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg)

rtnl_net_lock(net);
dev = __dev_get_by_index(net, ireq.ifr6_ifindex);
- netdev_lock_ops(dev);
- if (dev)
+ if (dev) {
+ netdev_lock_ops(dev);
err = inet6_addr_add(net, dev, &cfg, 0, 0, NULL);
+ netdev_unlock_ops(dev);
+ }
else
err = -ENODEV;
- netdev_unlock_ops(dev);
rtnl_net_unlock(net);
return err;
}
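Review bot: the brace placement does not follow kernel coding style: once the `if (dev)` branch needs braces the `else` branch needs them too, and the `else` belongs on the same line as the closing brace (checkpatch reports "else should follow close brace '}'"). The three lines `+ }` / ` else` / ` err = -ENODEV;` should become `+ } else {` / ` err = -ENODEV;` / `+ }`. Functionally the hunk is correct: netdev_lock_ops()/netdev_unlock_ops() now bracket inet6_addr_add() only when __dev_get_by_index() returned a device, which removes the NULL dereference the syzbot report shows at netdev_lock.h:30.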
--
2.43.0

Stanislav Fomichev

Apr 7, 2025, 10:12:07 AM
to Edward Adam Davis, syzbot+10d145...@syzkaller.appspotmail.com, da...@davemloft.net, dsa...@kernel.org, edum...@google.com, ho...@kernel.org, ku...@kernel.org, kun...@amazon.com, linux-...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, s...@fomichev.me, syzkall...@googlegroups.com
On 04/07, Edward Adam Davis wrote:
> Make sure that dev is not NULL before locking ops.
>
> Fixes: 8965c160b8f7 ("net: use netif_disable_lro in ipv6_add_dev")
> Reported-by: syzbot+10d145...@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <ead...@qq.com>

I think this happened first?
https://lore.kernel.org/netdev/Z_Pb9dku3R1wdTEp@mini-arch/T/#m733abfc2e974bf96cfdebc8a47aa58f39bf76b82

syzbot

Jun 23, 2025, 11:28:22 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.