syzbot

IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
device syz_tun entered promiscuous mode
device batadv_slave_0 entered promiscuous mode
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 8209 Comm: syz-executor406 Not tainted 4.14.300-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
task: ffff8880afe58240 task.stack: ffff8880afc28000
RIP: 0010:hsr_check_carrier_and_operstate+0x3f/0x710 net/hsr/hsr_device.c:116
RSP: 0018:ffff8880afc2f0d0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8880a1b585c0 RCX: 0000000000000001
RDX: 0000000000000002 RSI: 0000000000000004 RDI: ffff88809d672ca0
RBP: ffff888094b66cc0 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8880afe58240 R12: 0000000000000001
R13: ffff888094b66cc0 R14: 0000000000000000 R15: 0000000000000004
FS:  00007ff27a37d700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff27a37d718 CR3: 00000000abafe000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 hsr_netdev_notify+0x201/0x8b0 net/hsr/hsr_main.c:51
 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers_info net/core/dev.c:1667 [inline]
 netdev_state_change net/core/dev.c:1314 [inline]
 netdev_state_change+0xca/0xf0 net/core/dev.c:1308
 do_setlink+0x2508/0x2bf0 net/core/rtnetlink.c:2280
 rtnl_group_changelink net/core/rtnetlink.c:2512 [inline]
 rtnl_newlink+0xc9d/0x1830 net/core/rtnetlink.c:2668
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454
 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322
 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
Code: 59 fa be 04 00 00 00 48 89 ef e8 0d b0 ff ff 49 89 c6 48 83 c0 10 48 89 c2 48 89 04 24 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 67 06 00 00 48 b8 00 00 00 00 00 fc ff df 49 
RIP: hsr_check_carrier_and_operstate+0x3f/0x710 net/hsr/hsr_device.c:116 RSP: ffff8880afc2f0d0
---[ end trace a73c399d470ba580 ]---
----------------
Code disassembly (best guess):
   0:	59                   	pop    %rcx
   1:	fa                   	cli
   2:	be 04 00 00 00       	mov    $0x4,%esi
   7:	48 89 ef             	mov    %rbp,%rdi
   a:	e8 0d b0 ff ff       	callq  0xffffb01c
   f:	49 89 c6             	mov    %rax,%r14
  12:	48 83 c0 10          	add    $0x10,%rax
  16:	48 89 c2             	mov    %rax,%rdx
  19:	48 89 04 24          	mov    %rax,(%rsp)
  1d:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  24:	fc ff df
  27:	48 c1 ea 03          	shr    $0x3,%rdx
* 2b:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2f:	0f 85 67 06 00 00    	jne    0x69c
  35:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  3c:	fc ff df
  3f:	49                   	rex.WB