bond0 (unregistering): (slave bond_slave_0): Releasing backup interface bond0 (unregistering): (slave bond_slave_1): Releasing backup interface bond0 (unregistering): Released all slaves ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: null-ptr-deref in atomic_add_negative_release include/linux/atomic/atomic-instrumented.h:1457 [inline] BUG: KASAN: null-ptr-deref in __rcuref_put include/linux/rcuref.h:87 [inline] BUG: KASAN: null-ptr-deref in rcuref_put include/linux/rcuref.h:150 [inline] BUG: KASAN: null-ptr-deref in dst_release+0x38/0x1d4 net/core/dst.c:164 Write of size 4 at addr 0000000000000060 by task kworker/u8:0/14486 CPU: 0 PID: 14486 Comm: kworker/u8:0 Not tainted 6.9.0-rc2-syzkaller-00080-gc85af715cac0 #0 Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net Call trace: dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:317 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:114 print_report mm/kasan/report.c:491 [inline] print_report+0x364/0x59c mm/kasan/report.c:477 kasan_report+0xc8/0x108 mm/kasan/report.c:601 check_region_inline mm/kasan/generic.c:175 [inline] kasan_check_range+0xe8/0x190 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x2c mm/kasan/shadow.c:37 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_add_negative_release include/linux/atomic/atomic-instrumented.h:1457 [inline] __rcuref_put include/linux/rcuref.h:87 [inline] rcuref_put include/linux/rcuref.h:150 [inline] dst_release+0x38/0x1d4 net/core/dst.c:164 dst_cache_destroy net/core/dst_cache.c:160 [inline] dst_cache_destroy+0xc8/0x1a0 net/core/dst_cache.c:152 ipip6_dev_free+0x14/0x20 net/ipv6/sit.c:1409 netdev_run_todo+0x52c/0xcb0 net/core/dev.c:10587 rtnl_unlock+0x10/0x1c net/core/rtnetlink.c:152 cleanup_net+0x410/0x8d0 net/core/net_namespace.c:633 process_one_work+0x78c/0x1898 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x764/0xc24 kernel/workqueue.c:3416 kthread+0x27c/0x300 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 ================================================================== Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000005567b000 [0000000000000060] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 14486 Comm: kworker/u8:0 Tainted: G B 6.9.0-rc2-syzkaller-00080-gc85af715cac0 #0 Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __ll_sc_atomic_add_return_release arch/arm64/include/asm/atomic_ll_sc.h:95 [inline] pc : arch_atomic_add_return_release arch/arm64/include/asm/atomic.h:52 [inline] pc : raw_atomic_add_return_release include/linux/atomic/atomic-arch-fallback.h:618 [inline] pc : raw_atomic_add_negative_release include/linux/atomic/atomic-arch-fallback.h:2380 [inline] pc : atomic_add_negative_release include/linux/atomic/atomic-instrumented.h:1458 [inline] pc : __rcuref_put include/linux/rcuref.h:87 [inline] pc : rcuref_put include/linux/rcuref.h:150 [inline] pc : dst_release+0x98/0x1d4 net/core/dst.c:164 lr : instrument_atomic_read_write include/linux/instrumented.h:96 [inline] lr : atomic_add_negative_release include/linux/atomic/atomic-instrumented.h:1457 [inline] lr : __rcuref_put include/linux/rcuref.h:87 [inline] lr : rcuref_put include/linux/rcuref.h:150 [inline] lr : dst_release+0x38/0x1d4 net/core/dst.c:164 sp : ffff80008e007840 x29: ffff80008e007840 x28: ffff800086359380 x27: ffff800086730708 x26: 0000000000000001 x25: dfff800000000000 x24: ffff700010c6b270 x23: 0000000000000001 x22: 1fffe00003e46d96 x21: ffff00001f236cb0 x20: 0000000000000060 x19: 0000000000000020 x18: ffff000010a82870 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 205d363834343154 x12: ffff700010fe82a5 x11: 1ffff00010fe82a4 x10: ffff700010fe82a4 x9 : dfff800000000000 x8 : 00008fffef017d5c x7 : ffff800087f41527 x6 : 0000000000000001 x5 : ffff800087f41520 x4 : ffff700010fe82a5 x3 : 0000000000000060 x2 : 0000000000000020 x1 : 00000000ffffffff x0 : 0000000000000000 Call trace: __ll_sc_atomic_add_return_release arch/arm64/include/asm/atomic_ll_sc.h:95 [inline] arch_atomic_add_return_release arch/arm64/include/asm/atomic.h:52 [inline] raw_atomic_add_return_release include/linux/atomic/atomic-arch-fallback.h:618 [inline] raw_atomic_add_negative_release include/linux/atomic/atomic-arch-fallback.h:2380 [inline] atomic_add_negative_release include/linux/atomic/atomic-instrumented.h:1458 [inline] __rcuref_put include/linux/rcuref.h:87 [inline] rcuref_put include/linux/rcuref.h:150 [inline] dst_release+0x98/0x1d4 net/core/dst.c:164 dst_cache_destroy net/core/dst_cache.c:160 [inline] dst_cache_destroy+0xc8/0x1a0 net/core/dst_cache.c:152 ipip6_dev_free+0x14/0x20 net/ipv6/sit.c:1409 netdev_run_todo+0x52c/0xcb0 net/core/dev.c:10587 rtnl_unlock+0x10/0x1c net/core/rtnetlink.c:152 cleanup_net+0x410/0x8d0 net/core/net_namespace.c:633 process_one_work+0x78c/0x1898 kernel/workqueue.c:3254 process_scheduled_works kernel/workqueue.c:3335 [inline] worker_thread+0x764/0xc24 kernel/workqueue.c:3416 kthread+0x27c/0x300 kernel/kthread.c:388 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 Code: d65f03c0 91010263 12800001 f9800071 (885f7c60) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: d65f03c0 ret 4: 91010263 add x3, x19, #0x40 8: 12800001 mov w1, #0xffffffff // #-1 c: f9800071 prfm pstl1strm, [x3] * 10: 885f7c60 ldxr w0, [x3] <-- trapping instruction