* [syzbot] [rds?] general protection fault in rds_tcp_accept_one
@ 2026-02-09 15:41 syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-02-09 15:41 UTC (permalink / raw)
  To: allison.henderson, davem, edumazet, horms, kuba, linux-kernel,
	linux-rdma, netdev, pabeni, rds-devel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    9845cf73f7db Add linux-next specific files for 20260205
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10ec4a5a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ac78ce3b6729749e
dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=122acb22580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=149fc7fa580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9f30334a2431/disk-9845cf73.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0d58741a15a6/vmlinux-9845cf73.xz
kernel image: https://storage.googleapis.com/syzbot-assets/62204da1452c/bzImage-9845cf73.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+96046021045ffe6d7709@syzkaller.appspotmail.com

netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 3485 Comm: kworker/u8:8 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: krdsd rds_tcp_accept_worker
RIP: 0010:rds_tcp_accept_one+0xa5b/0xd70 net/rds/tcp_listen.c:319
Code: 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 a9 2f f7 48 8b 1b 48 83 c3 12 49 89 de 49 c1 ee 03 <43> 0f b6 04 2e 84 c0 0f 85 53 02 00 00 44 0f b6 2b bf 08 00 00 00
RSP: 0018:ffffc9000b64f9a0 EFLAGS: 00010202
RAX: 1ffff1100dacb173 RBX: 0000000000000012 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8e006fa9 RDI: 00000000ffffffff
RBP: ffffc9000b64fb18 R08: ffffffff903342b7 R09: 1ffffffff2066856
R10: dffffc0000000000 R11: fffffbfff2066857 R12: ffff88803286c000
R13: dffffc0000000000 R14: 0000000000000002 R15: 1ffff920016c9f3c
FS:  0000000000000000(0000) GS:ffff888125115000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f30359456b8 CR3: 00000000320ee000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 rds_tcp_accept_worker+0x1d/0x70 net/rds/tcp.c:524
 process_one_work+0x949/0x1650 kernel/workqueue.c:3279
 process_scheduled_works kernel/workqueue.c:3362 [inline]
 worker_thread+0xb46/0x1140 kernel/workqueue.c:3443
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rds_tcp_accept_one+0xa5b/0xd70 net/rds/tcp_listen.c:319
Code: 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 a9 2f f7 48 8b 1b 48 83 c3 12 49 89 de 49 c1 ee 03 <43> 0f b6 04 2e 84 c0 0f 85 53 02 00 00 44 0f b6 2b bf 08 00 00 00
RSP: 0018:ffffc9000b64f9a0 EFLAGS: 00010202
RAX: 1ffff1100dacb173 RBX: 0000000000000012 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8e006fa9 RDI: 00000000ffffffff
RBP: ffffc9000b64fb18 R08: ffffffff903342b7 R09: 1ffffffff2066856
R10: dffffc0000000000 R11: fffffbfff2066857 R12: ffff88803286c000
R13: dffffc0000000000 R14: 0000000000000002 R15: 1ffff920016c9f3c
FS:  0000000000000000(0000) GS:ffff888125115000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f303594da08 CR3: 000000000e74c000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	48 83 c3 18          	add    $0x18,%rbx
   6:	48 89 d8             	mov    %rbx,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
  12:	74 08                	je     0x1c
  14:	48 89 df             	mov    %rbx,%rdi
  17:	e8 63 a9 2f f7       	call   0xf72fa97f
  1c:	48 8b 1b             	mov    (%rbx),%rbx
  1f:	48 83 c3 12          	add    $0x12,%rbx
  23:	49 89 de             	mov    %rbx,%r14
  26:	49 c1 ee 03          	shr    $0x3,%r14
* 2a:	43 0f b6 04 2e       	movzbl (%r14,%r13,1),%eax <-- trapping instruction
  2f:	84 c0                	test   %al,%al
  31:	0f 85 53 02 00 00    	jne    0x28a
  37:	44 0f b6 2b          	movzbl (%rbx),%r13d
  3b:	bf 08 00 00 00       	mov    $0x8,%edi


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [rds?] general protection fault in rds_tcp_accept_one
       [not found] <5b60755d25c9c27c3bb6f76f051cf2b0b4322e46.camel@oracle.com>
@ 2026-02-10  2:02 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-02-10  2:02 UTC (permalink / raw)
  To: allison.henderson; +Cc: allison.henderson, linux-kernel, syzkaller-bugs

> #syz test: git@github.com:allisonhenderson/rds_work.git syzbug_f9db6ff27b9bfdcfeca

unknown command "test:\u00a0git@github.com:allisonhenderson/rds_work.git"

>
> On Mon, 2026-02-09 at 07:41 -0800, syzbot wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    9845cf73f7db Add linux-next specific files for 20260205
>> git tree:       linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=10ec4a5a580000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=ac78ce3b6729749e
>> dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
>> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=122acb22580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=149fc7fa580000
>> 
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/9f30334a2431/disk-9845cf73.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/0d58741a15a6/vmlinux-9845cf73.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/62204da1452c/bzImage-9845cf73.xz
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+96046021045ffe6d7709@syzkaller.appspotmail.com
>> 
>> netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
>> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
>> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
>> CPU: 1 UID: 0 PID: 3485 Comm: kworker/u8:8 Not tainted syzkaller #0 PREEMPT(full) 
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
>> Workqueue: krdsd rds_tcp_accept_worker
>> RIP: 0010:rds_tcp_accept_one+0xa5b/0xd70 net/rds/tcp_listen.c:319
>> Code: 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 a9 2f f7 48 8b 1b 48 83 c3 12 49 89 de 49 c1 ee 03 <43> 0f b6 04 2e 84 c0 0f 85 53 02 00 00 44 0f b6 2b bf 08 00 00 00
>> RSP: 0018:ffffc9000b64f9a0 EFLAGS: 00010202
>> RAX: 1ffff1100dacb173 RBX: 0000000000000012 RCX: 0000000000000000
>> RDX: 0000000000000006 RSI: ffffffff8e006fa9 RDI: 00000000ffffffff
>> RBP: ffffc9000b64fb18 R08: ffffffff903342b7 R09: 1ffffffff2066856
>> R10: dffffc0000000000 R11: fffffbfff2066857 R12: ffff88803286c000
>> R13: dffffc0000000000 R14: 0000000000000002 R15: 1ffff920016c9f3c
>> FS:  0000000000000000(0000) GS:ffff888125115000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f30359456b8 CR3: 00000000320ee000 CR4: 00000000003526f0
>> Call Trace:
>>  <TASK>
>>  rds_tcp_accept_worker+0x1d/0x70 net/rds/tcp.c:524
>>  process_one_work+0x949/0x1650 kernel/workqueue.c:3279
>>  process_scheduled_works kernel/workqueue.c:3362 [inline]
>>  worker_thread+0xb46/0x1140 kernel/workqueue.c:3443
>>  kthread+0x388/0x470 kernel/kthread.c:467
>>  ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
>>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>>  </TASK>
>> Modules linked in:
>> ---[ end trace 0000000000000000 ]---
>> RIP: 0010:rds_tcp_accept_one+0xa5b/0xd70 net/rds/tcp_listen.c:319
>> Code: 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 a9 2f f7 48 8b 1b 48 83 c3 12 49 89 de 49 c1 ee 03 <43> 0f b6 04 2e 84 c0 0f 85 53 02 00 00 44 0f b6 2b bf 08 00 00 00
>> RSP: 0018:ffffc9000b64f9a0 EFLAGS: 00010202
>> RAX: 1ffff1100dacb173 RBX: 0000000000000012 RCX: 0000000000000000
>> RDX: 0000000000000006 RSI: ffffffff8e006fa9 RDI: 00000000ffffffff
>> RBP: ffffc9000b64fb18 R08: ffffffff903342b7 R09: 1ffffffff2066856
>> R10: dffffc0000000000 R11: fffffbfff2066857 R12: ffff88803286c000
>> R13: dffffc0000000000 R14: 0000000000000002 R15: 1ffff920016c9f3c
>> FS:  0000000000000000(0000) GS:ffff888125115000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007f303594da08 CR3: 000000000e74c000 CR4: 00000000003526f0
>> ----------------
>> Code disassembly (best guess):
>>    0:	00 00                	add    %al,(%rax)
>>    2:	48 83 c3 18          	add    $0x18,%rbx
>>    6:	48 89 d8             	mov    %rbx,%rax
>>    9:	48 c1 e8 03          	shr    $0x3,%rax
>>    d:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1)
>>   12:	74 08                	je     0x1c
>>   14:	48 89 df             	mov    %rbx,%rdi
>>   17:	e8 63 a9 2f f7       	call   0xf72fa97f
>>   1c:	48 8b 1b             	mov    (%rbx),%rbx
>>   1f:	48 83 c3 12          	add    $0x12,%rbx
>>   23:	49 89 de             	mov    %rbx,%r14
>>   26:	49 c1 ee 03          	shr    $0x3,%r14
>> * 2a:	43 0f b6 04 2e       	movzbl (%r14,%r13,1),%eax <-- trapping instruction
>>   2f:	84 c0                	test   %al,%al
>>   31:	0f 85 53 02 00 00    	jne    0x28a
>>   37:	44 0f b6 2b          	movzbl (%rbx),%r13d
>>   3b:	bf 08 00 00 00       	mov    $0x8,%edi
>> 
>> 
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>> 
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> 
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>> 
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.
>> 
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>> 
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>> 
>> If you want to undo deduplication, reply with:
>> #syz undup
>


* Re: [syzbot] [rds?] general protection fault in rds_tcp_accept_one
       [not found] <3a571094912e42265974a30b4e1185511a4b81fb.camel@oracle.com>
@ 2026-02-10  4:06 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-02-10  4:06 UTC (permalink / raw)
  To: allison.henderson, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
inconsistent lock state in lock_sock_nested

================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
kworker/u8:5/1106 [HC0[0]:SC1[3]:HE1:SE0] takes:
ffff88801c708260 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88801c708260 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
{SOFTIRQ-ON-W} state was registered at:
  lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
  lock_sock_nested+0x48/0x100 net/core/sock.c:3780
  lock_sock include/net/sock.h:1709 [inline]
  tcp_sock_set_nodelay+0x2a/0x180 net/ipv4/tcp.c:3718
  rds_tcp_listen_init+0x168/0x410 net/rds/tcp_listen.c:415
  rds_tcp_init_net+0x154/0x380 net/rds/tcp.c:568
  ops_init+0x35c/0x5c0 net/core/net_namespace.c:137
  __register_pernet_operations net/core/net_namespace.c:1320 [inline]
  register_pernet_operations+0x343/0x830 net/core/net_namespace.c:1397
  register_pernet_device+0x2a/0x80 net/core/net_namespace.c:1484
  rds_tcp_init+0xcf/0x170 net/rds/tcp.c:749
  do_one_initcall+0x250/0x840 init/main.c:1378
  do_initcall_level+0x104/0x190 init/main.c:1440
  do_initcalls+0x59/0xa0 init/main.c:1456
  kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
  kernel_init+0x1d/0x1d0 init/main.c:1578
  ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
irq event stamp: 522136
hardirqs last  enabled at (522136): [<ffffffff8b98ca40>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (522136): [<ffffffff8b98ca40>] _raw_spin_unlock_irqrestore+0x30/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (522135): [<ffffffff8b98c89a>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (522135): [<ffffffff8b98c89a>] _raw_spin_lock_irqsave+0x1a/0x60 kernel/locking/spinlock.c:162
softirqs last  enabled at (522108): [<ffffffff89678f94>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last  enabled at (522108): [<ffffffff89678f94>] rcu_read_lock_bh include/linux/rcupdate.h:918 [inline]
softirqs last  enabled at (522108): [<ffffffff89678f94>] __dev_queue_xmit+0x274/0x3850 net/core/dev.c:4754
softirqs last disabled at (522109): [<ffffffff818712b6>] do_softirq+0x76/0xd0 kernel/softirq.c:523

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(k-sk_lock-AF_INET6);
  <Interrupt>
    lock(k-sk_lock-AF_INET6);

 *** DEADLOCK ***

12 locks held by kworker/u8:5/1106:
 #0: ffff88805f5cb148 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88805f5cb148 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0 kernel/workqueue.c:3340
 #1: ffffc90003a5fbc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc90003a5fbc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0 kernel/workqueue.c:3340
 #2: ffff88801c70d1e0 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
 #2: ffff88801c70d1e0 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
 #3: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #3: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #3: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: inet6_csk_xmit+0x1ee/0x750 net/ipv6/inet6_connection_sock.c:108
 #4: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #4: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #4: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: ip6_xmit+0x283/0x1980 net/ipv6/ip6_output.c:284
 #5: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #5: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #5: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: ip6_output+0x126/0x550 net/ipv6/ip6_output.c:234
 #6: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: local_lock_acquire include/linux/local_lock_internal.h:41 [inline]
 #6: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x3eb/0x1950 net/core/dev.c:6610
 #7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: netif_receive_skb_internal net/core/dev.c:6335 [inline]
 #7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: netif_receive_skb+0x102/0xbb0 net/core/dev.c:6407
 #8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: nf_hook include/linux/netfilter.h:242 [inline]
 #8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: NF_HOOK+0x9e/0x3c0 include/linux/netfilter.h:316
 #9: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #9: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #9: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: ip6_input+0x23/0x270 net/ipv6/ip6_input.c:499
 #10: ffff88801c7081e0 (k-slock-AF_INET6/1){+.-.}-{3:3}, at: tcp_v6_rcv+0x2577/0x2f60 net/ipv6/tcp_ipv6.c:1875
 #11: ffff88801c708408 (k-clock-AF_INET6){++.-}-{3:3}, at: rds_tcp_data_ready+0x113/0x950 net/rds/tcp_recv.c:320

stack backtrace:
CPU: 1 UID: 0 PID: 1106 Comm: kworker/u8:5 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_usage_bug+0x28b/0x2e0 kernel/locking/lockdep.c:4042
 valid_state kernel/locking/lockdep.c:4056 [inline]
 mark_lock_irq+0x410/0x420 kernel/locking/lockdep.c:-1
 mark_lock+0x115/0x190 kernel/locking/lockdep.c:4753
 mark_usage kernel/locking/lockdep.c:-1 [inline]
 __lock_acquire+0x689/0x2cf0 kernel/locking/lockdep.c:5191
 lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
 lock_sock_nested+0x48/0x100 net/core/sock.c:3780
 lock_sock include/net/sock.h:1709 [inline]
 inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
 rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
 rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
 rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
 rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
 rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
 __tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
 rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
 rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
 tcp_data_queue+0x1e2e/0x5e50 net/ipv4/tcp_input.c:5719
 tcp_rcv_established+0x1270/0x2670 net/ipv4/tcp_input.c:6710
 tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
 tcp_v6_rcv+0x2653/0x2f60 net/ipv6/tcp_ipv6.c:1879
 ip6_protocol_deliver_rcu+0xa73/0x1600 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x191/0x370 net/ipv6/ip6_input.c:489
 NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318
 ip6_input+0x16a/0x270 net/ipv6/ip6_input.c:500
 ip_sabotage_in+0x1e1/0x270 net/bridge/br_netfilter_hooks.c:990
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK+0x21f/0x3c0 include/linux/netfilter.h:316
 __netif_receive_skb_one_core net/core/dev.c:6149 [inline]
 __netif_receive_skb net/core/dev.c:6262 [inline]
 netif_receive_skb_internal net/core/dev.c:6348 [inline]
 netif_receive_skb+0x278/0xbb0 net/core/dev.c:6407
 NF_HOOK+0xa4/0x3a0 include/linux/netfilter.h:319
 br_handle_frame_finish+0x14b2/0x1b40 net/bridge/br_input.c:-1
 br_nf_hook_thresh+0x3dd/0x4c0 net/bridge/br_netfilter_hooks.c:-1
 br_nf_pre_routing_finish_ipv6+0xa3a/0xd70 net/bridge/br_netfilter_ipv6.c:-1
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_pre_routing_ipv6+0x374/0x6f0 net/bridge/br_netfilter_ipv6.c:184
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
 br_handle_frame+0x1277/0x1510 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x98f/0x3150 net/core/dev.c:6036
 __netif_receive_skb_one_core net/core/dev.c:6147 [inline]
 __netif_receive_skb net/core/dev.c:6262 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6614
 __napi_poll+0xae/0x340 net/core/dev.c:7678
 napi_poll net/core/dev.c:7741 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7893
 handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
 __dev_queue_xmit+0x1e6c/0x3850 net/core/dev.c:4856
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ip6_xmit+0x1149/0x1980 net/ipv6/ip6_output.c:358
 inet6_csk_xmit+0x4a5/0x750 net/ipv6/inet6_connection_sock.c:114
 __tcp_transmit_skb+0x249b/0x43e0 net/ipv4/tcp_output.c:1693
 tcp_transmit_skb net/ipv4/tcp_output.c:1711 [inline]
 tcp_write_xmit+0x16e8/0x6980 net/ipv4/tcp_output.c:3064
 __tcp_push_pending_frames+0x97/0x380 net/ipv4/tcp_output.c:3247
 tcp_push_pending_frames include/net/tcp.h:2282 [inline]
 __tcp_sock_set_cork net/ipv4/tcp.c:3688 [inline]
 tcp_sock_set_cork+0x186/0x2e0 net/ipv4/tcp.c:3695
 rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
 rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
 worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
BUG: sleeping function called from invalid context at net/core/sock.c:3782
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1106, name: kworker/u8:5
preempt_count: 303, expected: 0
RCU nest depth: 7, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffffff89678fa1>] local_bh_disable include/linux/bottom_half.h:20 [inline]
[<ffffffff89678fa1>] rcu_read_lock_bh include/linux/rcupdate.h:918 [inline]
[<ffffffff89678fa1>] __dev_queue_xmit+0x281/0x3850 net/core/dev.c:4754
CPU: 1 UID: 0 PID: 1106 Comm: kworker/u8:5 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
 <IRQ>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 __might_resched+0x378/0x4d0 kernel/sched/core.c:8829
 lock_sock_nested+0x5d/0x100 net/core/sock.c:3782
 lock_sock include/net/sock.h:1709 [inline]
 inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
 rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
 rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
 rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
 rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
 rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
 __tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
 rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
 rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
 tcp_data_queue+0x1e2e/0x5e50 net/ipv4/tcp_input.c:5719
 tcp_rcv_established+0x1270/0x2670 net/ipv4/tcp_input.c:6710
 tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
 tcp_v6_rcv+0x2653/0x2f60 net/ipv6/tcp_ipv6.c:1879
 ip6_protocol_deliver_rcu+0xa73/0x1600 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x191/0x370 net/ipv6/ip6_input.c:489
 NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318
 ip6_input+0x16a/0x270 net/ipv6/ip6_input.c:500
 ip_sabotage_in+0x1e1/0x270 net/bridge/br_netfilter_hooks.c:990
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
 nf_hook include/linux/netfilter.h:273 [inline]
 NF_HOOK+0x21f/0x3c0 include/linux/netfilter.h:316
 __netif_receive_skb_one_core net/core/dev.c:6149 [inline]
 __netif_receive_skb net/core/dev.c:6262 [inline]
 netif_receive_skb_internal net/core/dev.c:6348 [inline]
 netif_receive_skb+0x278/0xbb0 net/core/dev.c:6407
 NF_HOOK+0xa4/0x3a0 include/linux/netfilter.h:319
 br_handle_frame_finish+0x14b2/0x1b40 net/bridge/br_input.c:-1
 br_nf_hook_thresh+0x3dd/0x4c0 net/bridge/br_netfilter_hooks.c:-1
 br_nf_pre_routing_finish_ipv6+0xa3a/0xd70 net/bridge/br_netfilter_ipv6.c:-1
 NF_HOOK include/linux/netfilter.h:318 [inline]
 br_nf_pre_routing_ipv6+0x374/0x6f0 net/bridge/br_netfilter_ipv6.c:184
 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
 br_handle_frame+0x1277/0x1510 net/bridge/br_input.c:442
 __netif_receive_skb_core+0x98f/0x3150 net/core/dev.c:6036
 __netif_receive_skb_one_core net/core/dev.c:6147 [inline]
 __netif_receive_skb net/core/dev.c:6262 [inline]
 process_backlog+0x76d/0x1950 net/core/dev.c:6614
 __napi_poll+0xae/0x340 net/core/dev.c:7678
 napi_poll net/core/dev.c:7741 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7893
 handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
 __dev_queue_xmit+0x1e6c/0x3850 net/core/dev.c:4856
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246
 NF_HOOK include/linux/netfilter.h:318 [inline]
 ip6_xmit+0x1149/0x1980 net/ipv6/ip6_output.c:358
 inet6_csk_xmit+0x4a5/0x750 net/ipv6/inet6_connection_sock.c:114
 __tcp_transmit_skb+0x249b/0x43e0 net/ipv4/tcp_output.c:1693
 tcp_transmit_skb net/ipv4/tcp_output.c:1711 [inline]
 tcp_write_xmit+0x16e8/0x6980 net/ipv4/tcp_output.c:3064
 __tcp_push_pending_frames+0x97/0x380 net/ipv4/tcp_output.c:3247
 tcp_push_pending_frames include/net/tcp.h:2282 [inline]
 __tcp_sock_set_cork net/ipv4/tcp.c:3688 [inline]
 tcp_sock_set_cork+0x186/0x2e0 net/ipv4/tcp.c:3695
 rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
 rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
 worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>


Tested on:

commit:         57be33f8 nfc: nxp-nci: remove interrupt trigger type
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=16b8c65a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7eb827dd875ec07f
dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10f594aa580000



* Re: [syzbot] [rds?] general protection fault in rds_tcp_accept_one
       [not found] <e40e70e09587fa53aa2c098739a5304d02b3ddb6.camel@oracle.com>
@ 2026-02-10  7:07 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-02-10  7:07 UTC (permalink / raw)
  To: allison.henderson, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo git@github.com:allisonhenderson/rds_work.git/rds_tcp_bug_fixes_v14: failed to run ["git" "fetch" "--force" "75c633a41ce4e3e077c06b68250156dd34977923" "rds_tcp_bug_fixes_v14"]: exit status 128


Tested on:

commit:         [unknown 
git tree:       git@github.com:allisonhenderson/rds_work.git rds_tcp_bug_fixes_v14
kernel config:  https://syzkaller.appspot.com/x/.config?x=ac78ce3b6729749e
dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1168ea52580000



* Re: [syzbot] [rds?] general protection fault in rds_tcp_accept_one
       [not found] <ad80999d02b961d11160b3b6b41529f7b3bb24ca.camel@oracle.com>
@ 2026-02-10  8:10 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-02-10  8:10 UTC (permalink / raw)
  To: allison.henderson, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+96046021045ffe6d7709@syzkaller.appspotmail.com
Tested-by: syzbot+96046021045ffe6d7709@syzkaller.appspotmail.com

Tested on:

commit:         306ba34d net/rds: rds_sendmsg should not discard paylo..
git tree:       https://github.com/allisonhenderson/rds_work.git rds_tcp_bug_fixes_v15
console output: https://syzkaller.appspot.com/x/log.txt?x=13d49b22580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7eb827dd875ec07f
dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
