================================================================== BUG: KFENCE: use-after-free read in __ethtool_get_link_ksettings+0x74/0x190 net/ethtool/ioctl.c:-1 Use-after-free read at 0xffff88823bfc82e8 (in kfence-#227): __ethtool_get_link_ksettings+0x74/0x190 net/ethtool/ioctl.c:-1 ib_get_eth_speed+0x15e/0x7b0 drivers/infiniband/core/verbs.c:1996 rxe_query_port+0x93/0x3b0 drivers/infiniband/sw/rxe/rxe_verbs.c:62 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x16d/0x830 drivers/infiniband/core/device.c:2143 smc_ib_remember_port_attr net/smc/smc_ib.c:364 [inline] smc_ib_port_event_work+0x15a/0x940 net/smc/smc_ib.c:388 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 kfence-#227: 0xffff88823bfc8000-0xffff88823bfc8da7, size=3496, cache=kmalloc-cg-4k allocated by task 17142 on cpu 0 at 368.300564s (135.257532s ago): kfence_alloc include/linux/kfence.h:129 [inline] slab_alloc_node mm/slub.c:4181 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kvmalloc_node_noprof+0x547/0x5f0 mm/slub.c:5015 alloc_netdev_mqs+0xa6/0x11e0 net/core/dev.c:11711 rtnl_create_link+0x31f/0xd10 net/core/rtnetlink.c:3631 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3813 __rtnl_newlink net/core/rtnetlink.c:3940 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055 rtnetlink_rcv_msg+0x7cc/0xb70 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x758/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 __sys_sendto+0x3bd/0x520 net/socket.c:2180 __do_sys_sendto net/socket.c:2187 [inline] __se_sys_sendto net/socket.c:2183 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2183 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f freed by task 7064 on cpu 1 at 503.431242s (0.205973s ago): device_release+0x99/0x1c0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x22b/0x480 lib/kobject.c:737 netdev_run_todo+0xd2e/0xea0 net/core/dev.c:11412 default_device_exit_batch+0x81e/0x890 net/core/dev.c:12645 ops_exit_list net/core/net_namespace.c:206 [inline] ops_undo_list+0x522/0x990 net/core/net_namespace.c:253 cleanup_net+0x4c5/0x800 net/core/net_namespace.c:686 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 CPU: 0 UID: 0 PID: 977 Comm: kworker/0:2 Not tainted 6.16.0-rc3-syzkaller-00122-g60f7f4afaf6d #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: events smc_ib_port_event_work RIP: 0010:__ethtool_get_link_ksettings+0x74/0x190 net/ethtool/ioctl.c:443 Code: 00 00 00 fc ff df 4d 8d be e8 02 00 00 4c 89 fd 48 c1 ed 03 42 80 7c 2d 00 00 74 08 4c 89 ff e8 32 dc 94 f8 41 bc e0 01 00 00 <4d> 03 27 4c 89 e0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 e7 e8 13 RSP: 0018:ffffc90003aff7a8 EFLAGS: 00010246 RAX: ffffffff898ef5c2 RBX: ffffc90003aff820 RCX: ffff8880256d3c00 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: 1ffff110477f905d R08: ffffffff8f50fee7 R09: 1ffffffff1ea1fdc R10: dffffc0000000000 R11: fffffbfff1ea1fdd R12: 00000000000001e0 R13: dffffc0000000000 R14: ffff88823bfc8000 R15: ffff88823bfc82e8 FS: 0000000000000000(0000) GS:ffff888125c50000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823bfc82e8 CR3: 0000000075d8c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ib_get_eth_speed+0x15e/0x7b0 drivers/infiniband/core/verbs.c:1996 rxe_query_port+0x93/0x3b0 drivers/infiniband/sw/rxe/rxe_verbs.c:62 __ib_query_port drivers/infiniband/core/device.c:2111 [inline] ib_query_port+0x16d/0x830 drivers/infiniband/core/device.c:2143 smc_ib_remember_port_attr net/smc/smc_ib.c:364 [inline] smc_ib_port_event_work+0x15a/0x940 net/smc/smc_ib.c:388 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 ================================================================== ---------------- Code disassembly (best guess), 5 bytes skipped: 0: df 4d 8d fisttps -0x73(%rbp) 3: be e8 02 00 00 mov $0x2e8,%esi 8: 4c 89 fd mov %r15,%rbp b: 48 c1 ed 03 shr $0x3,%rbp f: 42 80 7c 2d 00 00 cmpb $0x0,0x0(%rbp,%r13,1) 15: 74 08 je 0x1f 17: 4c 89 ff mov %r15,%rdi 1a: e8 32 dc 94 f8 call 0xf894dc51 1f: 41 bc e0 01 00 00 mov $0x1e0,%r12d * 25: 4d 03 27 add (%r15),%r12 <-- trapping instruction 28: 4c 89 e0 mov %r12,%rax 2b: 48 c1 e8 03 shr $0x3,%rax 2f: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) 34: 74 08 je 0x3e 36: 4c 89 e7 mov %r12,%rdi 39: e8 .byte 0xe8 3a: 13 .byte 0x13