==================================================================
BUG: KFENCE: use-after-free read in __ethtool_get_link_ksettings+0x64/0x170 net/ethtool/ioctl.c:-1

Use-after-free read at 0xffff88823bfc02f0 (in kfence-#223):
 __ethtool_get_link_ksettings+0x64/0x170 net/ethtool/ioctl.c:-1
 ib_get_eth_speed+0x180/0x7f0 drivers/infiniband/core/verbs.c:2054
 rxe_query_port+0x93/0x3d0 drivers/infiniband/sw/rxe/rxe_verbs.c:62
 __ib_query_port drivers/infiniband/core/device.c:2119 [inline]
 ib_query_port+0x170/0x830 drivers/infiniband/core/device.c:2151
 smc_ib_remember_port_attr net/smc/smc_ib.c:364 [inline]
 smc_ib_port_event_work+0x15a/0x940 net/smc/smc_ib.c:388
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
 worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

kfence-#223: 0xffff88823bfc0000-0xffff88823bfc0de7, size=3560, cache=kmalloc-cg-4k

allocated by task 27814 on cpu 1 at 656.615312s (167.783978s ago):
 kfence_alloc include/linux/kfence.h:129 [inline]
 slab_alloc_node mm/slub.c:4811 [inline]
 __do_kmalloc_node mm/slub.c:5218 [inline]
 __kvmalloc_node_noprof+0x252/0x8a0 mm/slub.c:6711
 alloc_netdev_mqs+0xa6/0x11b0 net/core/dev.c:12028
 rtnl_create_link+0x31f/0xd70 net/core/rtnetlink.c:3648
 rtnl_newlink_create+0x277/0xb70 net/core/rtnetlink.c:3830
 __rtnl_newlink net/core/rtnetlink.c:3957 [inline]
 rtnl_newlink+0x1666/0x1be0 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 __sys_sendto+0x709/0x7a0 net/socket.c:2206
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

freed by task 2198 on cpu 0 at 824.287490s (0.186137s ago):
 device_release+0x9e/0x1d0 drivers/base/core.c:-1
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x228/0x560 lib/kobject.c:737
 netdev_run_todo+0xc75/0xde0 net/core/dev.c:11729
 rtnl_unlock net/core/rtnetlink.c:157 [inline]
 rtnl_net_unlock include/linux/rtnetlink.h:135 [inline]
 rtnl_dellink+0x6a7/0x820 net/core/rtnetlink.c:3578
 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 796 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: events smc_ib_port_event_work
RIP: 0010:__ethtool_get_link_ksettings+0x64/0x170 net/ethtool/ioctl.c:443
Code: 00 00 00 fc ff df 4d 8d be f0 02 00 00 4c 89 fd 48 c1 ed 03 42 80 7c 2d 00 00 74 08 4c 89 ff e8 d2 25 70 f8 41 bc f8 01 00 00 <4d> 03 27 4c 89 e0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 e7 e8 b3
RSP: 0018:ffffc90003e37828 EFLAGS: 00010246
RAX: ffffffff89bf8b06 RBX: ffffc90003e378a0 RCX: ffff888025be1e40
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 1ffff110477f805e R08: ffffffff8fbcc867 R09: 1ffffffff1f7990c
R10: dffffc0000000000 R11: fffffbfff1f7990d R12: 00000000000001f8
R13: dffffc0000000000 R14: ffff88823bfc0000 R15: ffff88823bfc02f0
FS: 0000000000000000(0000) GS:ffff888125464000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bfc02f0 CR3: 00000000b428e000 CR4: 00000000003526f0
Call Trace:
 ib_get_eth_speed+0x180/0x7f0 drivers/infiniband/core/verbs.c:2054
 rxe_query_port+0x93/0x3d0 drivers/infiniband/sw/rxe/rxe_verbs.c:62
 __ib_query_port drivers/infiniband/core/device.c:2119 [inline]
 ib_query_port+0x170/0x830 drivers/infiniband/core/device.c:2151
 smc_ib_remember_port_attr net/smc/smc_ib.c:364 [inline]
 smc_ib_port_event_work+0x15a/0x940 net/smc/smc_ib.c:388
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
 worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
==================================================================
----------------
Code disassembly (best guess):
   0:   00 00                   add    %al,(%rax)
   2:   00 fc                   add    %bh,%ah
   4:   ff                      lcall  (bad)
   5:   df 4d 8d                fisttps -0x73(%rbp)
   8:   be f0 02 00 00          mov    $0x2f0,%esi
   d:   4c 89 fd                mov    %r15,%rbp
  10:   48 c1 ed 03             shr    $0x3,%rbp
  14:   42 80 7c 2d 00 00       cmpb   $0x0,0x0(%rbp,%r13,1)
  1a:   74 08                   je     0x24
  1c:   4c 89 ff                mov    %r15,%rdi
  1f:   e8 d2 25 70 f8          call   0xf87025f6
  24:   41 bc f8 01 00 00       mov    $0x1f8,%r12d
* 2a:   4d 03 27                add    (%r15),%r12 <-- trapping instruction
  2d:   4c 89 e0                mov    %r12,%rax
  30:   48 c1 e8 03             shr    $0x3,%rax
  34:   42 80 3c 28 00          cmpb   $0x0,(%rax,%r13,1)
  39:   74 08                   je     0x43
  3b:   4c 89 e7                mov    %r12,%rdi
  3e:   e8                      .byte 0xe8
  3f:   b3                      .byte 0xb3