From: syzbot <syzbot+da8e060735ae02c8f3d1@syzkaller.appspotmail.com>
To: allison.henderson@oracle.com, davem@davemloft.net,
	edumazet@google.com,  horms@kernel.org, kuba@kernel.org,
	linux-kernel@vger.kernel.org,  linux-rdma@vger.kernel.org,
	netdev@vger.kernel.org, pabeni@redhat.com,
	 rds-devel@oss.oracle.com, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [rds?] KASAN: slab-use-after-free Read in rds_conn_path_drop
Date: Thu, 05 Mar 2026 03:58:31 -0800	[thread overview]
Message-ID: <69a96fe7.a70a0220.1ca35.0006.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    ecc64d2dc9ff Merge tag 'sysctl-7.00-fixes-rc3' of git://gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14eb98d6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=163cf0fb07ea84d3
dashboard link: https://syzkaller.appspot.com/bug?extid=da8e060735ae02c8f3d1
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ecc64d2d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f7dbb1345713/vmlinux-ecc64d2d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ff1cd3190933/bzImage-ecc64d2d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+da8e060735ae02c8f3d1@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:82 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:170 [inline]
BUG: KASAN: slab-use-after-free in __ns_ref_read include/linux/ns_common.h:65 [inline]
BUG: KASAN: slab-use-after-free in check_net include/net/net_namespace.h:309 [inline]
BUG: KASAN: slab-use-after-free in rds_destroy_pending net/rds/rds.h:984 [inline]
BUG: KASAN: slab-use-after-free in rds_conn_path_drop+0x11d/0x3c0 net/rds/connection.c:914
Read of size 4 at addr ffff88804ae88180 by task kworker/u32:0/23206

CPU: 2 UID: 0 PID: 23206 Comm: kworker/u32:0 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ib_mad1 timeout_sends
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x156/0x4c9 mm/kasan/report.c:482
 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:82 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
 refcount_read include/linux/refcount.h:170 [inline]
 __ns_ref_read include/linux/ns_common.h:65 [inline]
 check_net include/net/net_namespace.h:309 [inline]
 rds_destroy_pending net/rds/rds.h:984 [inline]
 rds_conn_path_drop+0x11d/0x3c0 net/rds/connection.c:914
 rds_rdma_cm_event_handler_cmn+0x47d/0x7c0 net/rds/rdma_transport.c:146
 cma_cm_event_handler+0x99/0x330 drivers/infiniband/core/cma.c:2181
 cma_ib_handler+0x29d/0x700 drivers/infiniband/core/cma.c:2259
 cm_process_send_error drivers/infiniband/core/cm.c:3801 [inline]
 cm_send_handler+0x533/0x9d0 drivers/infiniband/core/cm.c:3834
 clear_mad_error_list+0x18f/0x260 drivers/infiniband/core/mad.c:2646
 timeout_sends+0x720/0xb20 drivers/infiniband/core/mad.c:2918
 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275
 process_scheduled_works kernel/workqueue.c:3358 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3439
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 26019:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4515 [inline]
 slab_alloc_node mm/slub.c:4844 [inline]
 kmem_cache_alloc_noprof+0x241/0x6e0 mm/slub.c:4851
 net_alloc net/core/net_namespace.c:490 [inline]
 copy_net_ns+0xe8/0x7c0 net/core/net_namespace.c:565
 create_new_namespaces+0x3ea/0xac0 kernel/nsproxy.c:130
 unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x473/0xad0 kernel/fork.c:3174
 __do_sys_unshare kernel/fork.c:3245 [inline]
 __se_sys_unshare kernel/fork.c:3243 [inline]
 __ia32_sys_unshare+0x30/0x40 kernel/fork.c:3243
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xe3/0x8c0 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x32/0x70 arch/x86/entry/syscall_32.c:332
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Freed by task 14441:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_save_track+0x14/0x30 mm/kasan/common.c:78
 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2692 [inline]
 slab_free mm/slub.c:6143 [inline]
 kmem_cache_free+0x124/0x6a0 mm/slub.c:6273
 net_complete_free net/core/net_namespace.c:526 [inline]
 cleanup_net+0x51a/0x920 net/core/net_namespace.c:713
 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275
 process_scheduled_works kernel/workqueue.c:3358 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3439
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:556
 insert_work+0x36/0x230 kernel/workqueue.c:2199
 __queue_work+0x3fd/0x1150 kernel/workqueue.c:2358
 call_timer_fn+0x19a/0x670 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1794 [inline]
 __run_timers+0x570/0xb30 kernel/time/timer.c:2373
 __run_timer_base kernel/time/timer.c:2385 [inline]
 __run_timer_base kernel/time/timer.c:2377 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2394
 run_timer_softirq+0x24/0x50 kernel/time/timer.c:2405
 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xef/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

Second to last potentially related work creation:
 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57
 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:556
 insert_work+0x36/0x230 kernel/workqueue.c:2199
 __queue_work+0x9bc/0x1150 kernel/workqueue.c:2354
 call_timer_fn+0x19a/0x670 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1794 [inline]
 __run_timers+0x570/0xb30 kernel/time/timer.c:2373
 __run_timer_base kernel/time/timer.c:2385 [inline]
 __run_timer_base kernel/time/timer.c:2377 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2394
 run_timer_softirq+0x24/0x50 kernel/time/timer.c:2405
 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xef/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

The buggy address belongs to the object at ffff88804ae88000
 which belongs to the cache net_namespace of size 9536
The buggy address is located 384 bytes inside of
 freed 9536-byte region [ffff88804ae88000, ffff88804ae8a540)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88804ae88000 pfn:0x4ae88
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88804dfbda81
flags: 0x4fff00000000240(workingset|head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000240 ffff88801d2f2780 ffffea0001663410 ffffea0001c9fe10
raw: ffff88804ae88000 0000000800030001 00000000f5000000 ffff88804dfbda81
head: 04fff00000000240 ffff88801d2f2780 ffffea0001663410 ffffea0001c9fe10
head: ffff88804ae88000 0000000800030001 00000000f5000000 ffff88804dfbda81
head: 04fff00000000003 ffffea00012ba201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5930, tgid 5930 (syz-executor), ts 52026837212, free_ts 30286540261
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3269 [inline]
 allocate_slab mm/slub.c:3458 [inline]
 new_slab+0xa6/0x6d0 mm/slub.c:3516
 refill_objects+0x26b/0x400 mm/slub.c:7153
 refill_sheaf mm/slub.c:2818 [inline]
 alloc_full_sheaf mm/slub.c:2839 [inline]
 __pcs_replace_empty_main+0x19f/0x600 mm/slub.c:4602
 alloc_from_pcs mm/slub.c:4695 [inline]
 slab_alloc_node mm/slub.c:4829 [inline]
 kmem_cache_alloc_noprof+0x480/0x6e0 mm/slub.c:4851
 net_alloc net/core/net_namespace.c:490 [inline]
 copy_net_ns+0xe8/0x7c0 net/core/net_namespace.c:565
 create_new_namespaces+0x3ea/0xac0 kernel/nsproxy.c:130
 unshare_nsproxy_namespaces+0xc3/0x1f0 kernel/nsproxy.c:226
 ksys_unshare+0x473/0xad0 kernel/fork.c:3174
 __do_sys_unshare kernel/fork.c:3245 [inline]
 __se_sys_unshare kernel/fork.c:3243 [inline]
 __ia32_sys_unshare+0x30/0x40 kernel/fork.c:3243
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xe3/0x8c0 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x32/0x70 arch/x86/entry/syscall_32.c:332
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
page last free pid 5644 tgid 5644 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4515 [inline]
 slab_alloc_node mm/slub.c:4844 [inline]
 kmem_cache_alloc_noprof+0x241/0x6e0 mm/slub.c:4851
 alloc_filename fs/namei.c:142 [inline]
 do_getname+0x35/0x390 fs/namei.c:182
 getname include/linux/fs.h:2512 [inline]
 getname_maybe_null include/linux/fs.h:2519 [inline]
 class_filename_maybe_null_constructor include/linux/fs.h:2543 [inline]
 vfs_fstatat+0xd0/0xe0 fs/stat.c:368
 __do_sys_newfstatat+0x9d/0x120 fs/stat.c:538
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88804ae88080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804ae88100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804ae88180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88804ae88200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804ae88280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
