Re: [PATCH net] rds: Fix inet6_addr_lst NULL dereference when IPv6 is disabled
From: Ilia Gavrilov
Date: Thu Jul 09 2026 - 11:52:36 EST
On 7/9/26 6:41 PM, Allison Henderson wrote:
> On Wed, 2026-07-08 at 11:59 +0000, Ilia Gavrilov wrote:
>> When booting with the 'ipv6.disable=1' parameter, inet6_addr_lst
>> is never initialized because inet6_init() exits before addrconf_init()
>> is called to initialize it. An attempt to bind an RDS socket to
>> an ipv6 address results in a crash in __ipv6_chk_addr_and_flags()
>
> Hello Ilia,
>
> Thanks for the catch. Some comments below:
>
>>
>> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
>> RIP: 0010:__ipv6_chk_addr_and_flags+0x1df/0x7e0
>> Call Trace:
>> <TASK>
>> ipv6_chk_addr+0x3b/0x50
>> rds_tcp_laddr_check+0x155/0x3b0 [rds_tcp]
>> rds_trans_get_preferred+0x15d/0x2d0 [rds]
>> ? trace_hardirqs_on+0x2d/0x110
>> rds_bind+0x1433/0x1d60 [rds]
>> ? rds_remove_bound+0xd50/0xd50 [rds]
>> ? aa_af_perm+0x250/0x250
>> ? __might_fault+0xde/0x190
>> ? __sys_bind+0x1dc/0x210
>> __sys_bind+0x1dc/0x210
>> ? __ia32_sys_socketpair+0x100/0x100
>> ? restore_fpregs_from_fpstate+0x53/0x100
>> __x64_sys_bind+0x73/0xb0
>> ? syscall_enter_from_user_mode+0x1c/0x50
>> do_syscall_64+0x34/0x80
>> entry_SYSCALL_64_after_hwframe+0x6e/0xd8
>> RIP: 0033:0x7f47f8269ea9
>> </TASK>
>>
>> The following code reproduces the issue:
>>
>> struct sockaddr_in6 addr;
>> s = socket(PF_RDS, SOCK_SEQPACKET, 0);
>>
>> memset(&addr, 0, sizeof(addr));
>> inet_pton(AF_INET6, ADDRESS, &addr.sin6_addr);
>> addr.sin6_family = AF_INET6;
>> addr.sin6_port = htons(PORT);
>>
>> bind(s, &addr, sizeof(addr);
> nit: missing paren here
>
>>
>> Found by InfoTeCS on behalf of Linux Verification Center
>> (linuxtesting.org) with Syzkaller.
>>
>> Fixes: eee2fa6ab322 ("rds: Changing IP address internal representation to struct in6_addr")
>> Fixes: 1e2b44e78eea ("rds: Enable RDS IPv6 support")
>> Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@xxxxxxxxxxx>
>> ---
>> net/rds/ib.c | 4 ++++
>> net/rds/tcp.c | 8 +++++---
>> 2 files changed, 9 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/rds/ib.c b/net/rds/ib.c
>> index 39f87272e071..8f9cf491984f 100644
>> --- a/net/rds/ib.c
>> +++ b/net/rds/ib.c
>> @@ -429,6 +429,10 @@ static int rds_ib_laddr_check_cm(struct net *net, const struct in6_addr *addr,
>> sa = (struct sockaddr *)&sin;
>> } else {
>> #if IS_ENABLED(CONFIG_IPV6)
>> + if (!ipv6_mod_enabled()) {
>> + ret = -EADDRNOTAVAIL;
>> + goto out;
>> + }
>> memset(&sin6, 0, sizeof(sin6));
>> sin6.sin6_family = AF_INET6;
>> sin6.sin6_addr = *addr;
>> diff --git a/net/rds/tcp.c b/net/rds/tcp.c
>> index a1de114d5e2e..955d92277d5a 100644
>> --- a/net/rds/tcp.c
>> +++ b/net/rds/tcp.c
>> @@ -366,9 +366,11 @@ int rds_tcp_laddr_check(struct net *net, const struct in6_addr *addr,
>> rcu_read_unlock();
>> }
>> #if IS_ENABLED(CONFIG_IPV6)
>> - ret = ipv6_chk_addr(net, addr, dev, 0);
>> - if (ret)
>> - return 0;
>> + if (ipv6_mod_enabled()) {
>> + ret = ipv6_chk_addr(net, addr, dev, 0);
>> + if (ret)
>> + return 0;
>> + }
>
> There's another ipv6_chk_addr() in __rds_find_ifindex() with the same issue that affects inbound link-local IPv6
> connects. Can you add a similar guard there too? Then I think that should cover all the points of exposure. Thanks
> for working on this.
>
> Allison
>
Thanks for the review, I'll add the guard in the next patch version.
>> #endif
>> return -EADDRNOTAVAIL;
>> }
>