+acme@redhat.com

Hi,

I've got the following error report while running the syzkaller fuzzer:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 3953 Comm: syz-executor Not tainted 4.9.0-rc1+ #228
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006aa2ac00 task.stack: ffff880068a90000
RIP: 0010:[] [] ipxrtr_route_packet+0x4e4/0xbe0 net/ipx/ipx_route.c:213
RSP: 0018:ffff880068a97b08 EFLAGS: 00010246
RAX: ffff88006b648500 RBX: ffff880068a97e40 RCX: dffffc0000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88006b648960
RBP: ffff880068a97bc8 R08: dffffc0000000000 R09: 1ffff1000d4ddf97
R10: dffffc0000000000 R11: 0000000000000000 R12: ffff88006b410300
R13: 0000000000000000 R14: ffff88006444b68e R15: ffff88006a6efc80
FS: 00007f28cf665700(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000451f80 CR3: 0000000068a9a000 CR4: 00000000000006f0
Stack:
 ffff88006a6efd58 ffff880068a97dc0 ffff880068a97e44 1ffff1000d152f68
 000000000000001a 0000000000000000 ffff88006b648500 0000000041b58ab3
 ffffffff847fb90b ffffffff834ed410 ffffffff82b7cfea ffff8800ffffff97
Call Trace:
 [] ipx_sendmsg+0x30e/0x550 net/ipx/af_ipx.c:1749
 [< inline >] sock_sendmsg_nosec net/socket.c:606
 [] sock_sendmsg+0xcc/0x110 net/socket.c:616
 [] SYSC_sendto+0x211/0x340 net/socket.c:1641
 [] SyS_sendto+0x40/0x50 net/socket.c:1609
 [] entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:209
Code: 41 80 7c 0d 00 00 0f 85 82 06 00 00 48 8b 85 70 ff ff ff 49 b8 00 00 00 00 00 fc ff df 4c 8b a8 60 04 00 00 4c 89 ee 48 c1 ee 03 <46> 0f b6 0c 06 45 84 c9 74 0a 41 80 f9 03 0f 8e e5 05 00 00 49
RIP [] ipxrtr_route_packet+0x4e4/0xbe0 net/ipx/ipx_route.c:213
 RSP
---[ end trace f5bc9a28de6b2776 ]---
==================================================================

For some reason ipxs->intrfc ends up being NULL.

The reproducer is attached, you need to run a few instances simultaneously.

In case it's relevant, this is what I have in /etc/network/interfaces:

auto eth1
iface eth1 inet static
    address 192.168.1.5
    netmask 255.255.255.0
    post-up arp -s 192.168.1.6 aa:aa:aa:aa:aa:aa

iface eth1 ipx static
    frame EtherII
    netnum 0x42424242

On commit 1a1891d762d6e64daf07b5be4817e3fbb29e3c59 (Oct 18).