Re: [PATCH net v2] ipv6: addrconf: skip autoconf on unregistering devices

From: Xu Rao

Date: Thu May 14 2026 - 05:47:18 EST


Hi Ido,

> > The leaked reference is held by an IPv6 local route created from
> > addrconf. A late NETDEV_CHANGE notification can still reach
> > addrconf_notify() after the device has entered NETREG_UNREGISTERING.
> > The handler can then run automatic address configuration, add a
> > link-local address and install its host route after unregister teardown
> > has already started. The route nexthop takes a netdev reference in
> > fib6_nh_init(), and there might not be a later ifdown pass to remove
> > the newly created address and route.
>
> Do you have a reproducer?

The reproducer is the syz repro from the syzbot report:

https://syzkaller.appspot.com/x/repro.syz?x=103f3dba580000

I don't have a standalone C reproducer. I asked syzbot to test the patch
against the original report tree:

git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

The reproducer did not trigger the issue with this patch applied:

Reported-by: syzbot+e2af46126e0644cbebdd@xxxxxxxxxxxxxxxxxxxxxxxxx
Tested-by: syzbot+e2af46126e0644cbebdd@xxxxxxxxxxxxxxxxxxxxxxxxx

Tested on:

commit: 5cbb61bf arm64/fpsimd: ptrace: zero target's fpsimd_st..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=147a20ec580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a834c6344141a58b
dashboard link: https://syzkaller.appspot.com/bug?extid=e2af46126e0644cbebdd
patch: https://syzkaller.appspot.com/x/patch.diff?x=12255636580000

> The kernel repeatedly sends NETDEV_UNREGISTER notifications when it's
> waiting for the reference count to drop.

Yes, and this patch intentionally keeps NETDEV_DOWN and NETDEV_UNREGISTER
handling unchanged so addrconf_ifdown() can still remove existing IPv6
state during teardown.

The guard only affects the MTU / UP / CHANGE paths. The problem I was
trying to avoid is creating new IPv6 state once the device is already in
NETREG_UNREGISTERING. In the syzbot trace, addrconf_notify() is reached
from a NETDEV_CHANGE path and then creates a link-local address and its
route while unregister is already in progress. The route then holds a
netdev reference via fib6_nh_init().

So the patch does not rely on suppressing unregister processing; it only
prevents late autoconf from adding new state during unregister.

Thanks,
Xu Rao
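
The ordering described in the message above, replayed in a small userspace C model. This is an added example, not code from the patch or the kernel: the `model_*` names, the `guard` flag and the single counted reference are assumptions of the model, and it assumes no further teardown pass runs after the late event.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only: names echo the thread, none of this is kernel code. */
enum reg_state { REG_REGISTERED, REG_UNREGISTERING };
enum event { EV_UP, EV_CHANGE, EV_CHANGEMTU, EV_DOWN, EV_UNREGISTER };

struct model_dev {
    enum reg_state reg_state;
    int refcnt;        /* references held on the device */
    bool has_lladdr;   /* link-local address and its host route exist */
};

static void model_autoconf(struct model_dev *d)
{
    /* The route nexthop pins the device (fib6_nh_init() in the thread). */
    if (!d->has_lladdr) { d->has_lladdr = true; d->refcnt++; }
}

static void model_ifdown(struct model_dev *d)
{
    if (d->has_lladdr) { d->has_lladdr = false; d->refcnt--; }
}

static void model_notify(struct model_dev *d, enum event ev, bool guard)
{
    if (ev == EV_DOWN || ev == EV_UNREGISTER) {
        model_ifdown(d);          /* teardown paths stay unguarded */
        return;
    }
    if (guard && d->reg_state == REG_UNREGISTERING)
        return;                   /* no new IPv6 state once teardown began */
    model_autoconf(d);            /* MTU / UP / CHANGE paths */
}

/* Replay the ordering from the thread; returns references left at the end. */
int leaked_refs(bool guard)
{
    struct model_dev d = { REG_REGISTERED, 0, false };
    model_notify(&d, EV_UP, guard);         /* normal bring-up */
    d.reg_state = REG_UNREGISTERING;        /* unregister starts */
    model_notify(&d, EV_DOWN, guard);       /* existing state is removed */
    model_notify(&d, EV_UNREGISTER, guard);
    model_notify(&d, EV_CHANGE, guard);     /* late notification */
    return d.refcnt;
}

int main(void)
{
    return printf("unguarded: %d, guarded: %d\n", leaked_refs(false), leaked_refs(true)) < 0;
}
```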