==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: null-ptr-deref in atomic_inc_return include/linux/atomic/atomic-instrumented.h:188 [inline]
BUG: KASAN: null-ptr-deref in mac802154_header_create+0x13b/0xa30 net/mac802154/iface.c:446
Write of size 4 at addr 000000000000004c by task kworker/u4:4/1455
CPU: 0 PID: 1455 Comm: kworker/u4:4 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: netns cleanup_net
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report+0x161/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
atomic_inc_return include/linux/atomic/atomic-instrumented.h:188 [inline]
mac802154_header_create+0x13b/0xa30 net/mac802154/iface.c:446
dev_hard_header include/linux/netdevice.h:3296 [inline]
neigh_connected_output+0x24e/0x3b0 net/core/neighbour.c:1528
neigh_output include/net/neighbour.h:509 [inline]
ip6_finish_output2+0xee8/0x15a0 net/ipv6/ip6_output.c:130
dst_output include/net/dst.h:452 [inline]
NF_HOOK include/linux/netfilter.h:302 [inline]
ndisc_send_skb+0xb98/0x1520 net/ipv6/ndisc.c:513
addrconf_rs_timer+0x357/0x610 net/ipv6/addrconf.c:3959
call_timer_fn+0x16d/0x560 kernel/time/timer.c:1451
expire_timers kernel/time/timer.c:1496 [inline]
__run_timers+0x67c/0x890 kernel/time/timer.c:1767
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
handle_softirqs+0x3a7/0x930 kernel/softirq.c:558
__do_softirq kernel/softirq.c:592 [inline]
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x157/0x240 kernel/softirq.c:641
irq_exit_rcu+0x5/0x20 kernel/softirq.c:653
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:unwind_next_frame+0x6f3/0x1fa0 arch/x86/kernel/unwind_orc.c:471
Code: 00 00 fc ff df 48 8b 1b 4d 8d 6e 01 4c 89 f0 48 c1 e8 03 0f b6 04 10 84 c0 0f 85 81 14 00 00 4c 89 e8 48 c1 e8 03 0f b6 04 10 <84> c0 0f 84 1c 03 00 00 44 89 e9 80 e1 07 38 c1 0f 8c 0e 03 00 00
RSP: 0018:ffffc900055f6f88 EFLAGS: 00000a06
RAX: 0000000000000000 RBX: ffffc900055f7858 RCX: ffffffff8e19c7a4
RDX: dffffc0000000000 RSI: ffffffff8e8314e2 RDI: ffffffff8e19c7a0
RBP: ffffffff8e8314e6 R08: 0000000000000009 R09: ffffc900055f7130
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffffffff1d0629c
R13: ffffffff8e8314e3 R14: ffffffff8e8314e2 R15: ffffc900055f7040
arch_stack_walk+0x10d/0x140 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
kasan_save_stack+0x36/0x60 mm/kasan/common.c:38
kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:348
kvfree_call_rcu+0x118/0x8a0 kernel/rcu/tree.c:3596
drop_sysctl_table+0x317/0x460 fs/proc/proc_sysctl.c:1681
unregister_sysctl_table+0x88/0x130 fs/proc/proc_sysctl.c:1719
neigh_sysctl_unregister+0x74/0x90 net/core/neighbour.c:3736
addrconf_sysctl_unregister net/ipv6/addrconf.c:7150 [inline]
addrconf_ifdown+0x18f5/0x1be0 net/ipv6/addrconf.c:3931
addrconf_notify+0x452/0xf40
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
call_netdevice_notifiers_extack net/core/dev.c:2061 [inline]
call_netdevice_notifiers net/core/dev.c:2075 [inline]
unregister_netdevice_many+0xe98/0x1840 net/core/dev.c:11133
default_device_exit_batch+0x390/0x3f0 net/core/dev.c:11666
ops_exit_list net/core/net_namespace.c:177 [inline]
cleanup_net+0x886/0xc90 net/core/net_namespace.c:618
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
worker_thread+0xaca/0x1280 kernel/workqueue.c:2457
kthread+0x3f6/0x4f0 kernel/kthread.c:334
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
</TASK>
==================================================================
----------------
Code disassembly (best guess), 4 bytes skipped:
0: df 48 8b fisttps -0x75(%rax)
3: 1b 4d 8d sbb -0x73(%rbp),%ecx
6: 6e outsb %ds:(%rsi),(%dx)
7: 01 4c 89 f0 add %ecx,-0x10(%rcx,%rcx,4)
b: 48 c1 e8 03 shr $0x3,%rax
f: 0f b6 04 10 movzbl (%rax,%rdx,1),%eax
13: 84 c0 test %al,%al
15: 0f 85 81 14 00 00 jne 0x149c
1b: 4c 89 e8 mov %r13,%rax
1e: 48 c1 e8 03 shr $0x3,%rax
22: 0f b6 04 10 movzbl (%rax,%rdx,1),%eax
* 26: 84 c0 test %al,%al <-- trapping instruction
28: 0f 84 1c 03 00 00 je 0x34a
2e: 44 89 e9 mov %r13d,%ecx
31: 80 e1 07 and $0x7,%cl
34: 38 c1 cmp %al,%cl
36: 0f 8c 0e 03 00 00 jl 0x34a