================================================================== BUG: KFENCE: use-after-free read in list_empty include/linux/list.h:381 [inline] BUG: KFENCE: use-after-free read in waitqueue_active include/linux/wait.h:127 [inline] BUG: KFENCE: use-after-free read in wq_has_sleeper include/linux/wait.h:161 [inline] BUG: KFENCE: use-after-free read in skwq_has_sleeper include/net/sock.h:2407 [inline] BUG: KFENCE: use-after-free read in sock_def_readable+0x1cb/0x550 net/core/sock.c:3613 Use-after-free read at 0xffff88823bf20b40 (in kfence-#143): list_empty include/linux/list.h:381 [inline] waitqueue_active include/linux/wait.h:127 [inline] wq_has_sleeper include/linux/wait.h:161 [inline] skwq_has_sleeper include/net/sock.h:2407 [inline] sock_def_readable+0x1cb/0x550 net/core/sock.c:3613 send_to_lecd+0x3e7/0x830 net/atm/lec.c:559 lec_arp_resolve net/atm/lec.c:1813 [inline] lec_start_xmit+0xe52/0x2890 net/atm/lec.c:294 __netdev_start_xmit include/linux/netdevice.h:5343 [inline] netdev_start_xmit include/linux/netdevice.h:5352 [inline] xmit_one net/core/dev.c:3888 [inline] dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3904 sch_direct_xmit+0x251/0x4c0 net/sched/sch_generic.c:372 __dev_xmit_skb net/core/dev.c:4209 [inline] __dev_queue_xmit+0x180f/0x3950 net/core/dev.c:4831 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246 dst_output include/net/dst.h:470 [inline] NF_HOOK+0x177/0x4f0 include/linux/netfilter.h:318 mld_sendpack+0x8b4/0xe40 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x835/0xe70 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3288 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3371 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3452 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 kfence-#143: 0xffff88823bf20a80-0xffff88823bf20fff, size=1408, cache=sock_inode_cache allocated by task 12186 on cpu 1 at 228.374315s (2.092352s ago): sock_alloc_inode+0x2c/0x190 net/socket.c:328 alloc_inode+0x6a/0x1b0 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3014 [inline] sock_alloc net/socket.c:697 [inline] __sock_create+0x12d/0x9d0 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0xd6/0x1b0 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f freed by task 12226 on cpu 1 at 228.975015s (1.535048s ago): rcu_do_batch kernel/rcu/tree.c:2617 [inline] rcu_core+0x7cd/0x1070 kernel/rcu/tree.c:2869 handle_softirqs+0x22a/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 lock_release+0x9/0x3c0 kernel/locking/lockdep.c:5876 rcu_lock_release include/linux/rcupdate.h:310 [inline] rcu_read_unlock include/linux/rcupdate.h:869 [inline] page_table_check_clear+0x4b8/0x5f0 mm/page_table_check.c:89 ptep_get_and_clear_full arch/x86/include/asm/jump_label.h:-1 [inline] get_and_clear_full_ptes include/linux/pgtable.h:846 [inline] zap_present_folio_ptes mm/memory.c:1643 [inline] zap_present_ptes mm/memory.c:1725 [inline] do_zap_pte_range mm/memory.c:1827 [inline] zap_pte_range mm/memory.c:1929 [inline] zap_pmd_range mm/memory.c:2021 [inline] zap_pud_range mm/memory.c:2049 [inline] zap_p4d_range mm/memory.c:2070 [inline] unmap_page_range+0x33b3/0x48f0 mm/memory.c:2091 unmap_single_vma mm/memory.c:2133 [inline] unmap_vmas+0x48f/0x6a0 mm/memory.c:2171 exit_mmap+0x280/0x9e0 mm/mmap.c:1302 __mmput+0x118/0x430 kernel/fork.c:1177 exit_mm+0x18e/0x250 kernel/exit.c:581 do_exit+0x6a2/0x23c0 kernel/exit.c:965 do_group_exit+0x21b/0x2d0 kernel/exit.c:1119 get_signal+0x1284/0x1330 kernel/signal.c:3039 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline] do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 5891 Comm: kworker/0:6 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Workqueue: mld mld_ifc_work RIP: 0010:list_empty include/linux/list.h:381 [inline] RIP: 0010:waitqueue_active include/linux/wait.h:127 [inline] RIP: 0010:wq_has_sleeper include/linux/wait.h:161 [inline] RIP: 0010:skwq_has_sleeper include/net/sock.h:2407 [inline] RIP: 0010:sock_def_readable+0x1cb/0x550 net/core/sock.c:3613 Code: 85 e4 74 48 f0 83 44 24 fc 00 4c 89 e9 4d 8d 6c 24 40 4c 89 e8 48 c1 e8 03 48 89 cd 80 3c 08 00 74 08 4c 89 ef e8 85 ea ba f8 <49> 8b 45 00 4c 39 e8 74 4c e8 47 1d 4f f8 ba c3 00 00 00 4c 89 e7 RSP: 0018:ffffc90004fd71a8 EFLAGS: 00010046 RAX: 1ffff110477e4168 RBX: ffff8880342f9000 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: dffffc0000000000 R08: ffffffff89763f7e R09: ffffffff8e95d020 R10: dffffc0000000000 R11: fffffbfff20642b7 R12: ffff88823bf20b00 R13: ffff88823bf20b40 R14: ffff8880342f9180 R15: 1ffff1100685f230 FS: 0000000000000000(0000) GS:ffff888125245000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823bf20b40 CR3: 000000006e99c000 CR4: 00000000003526f0 Call Trace: send_to_lecd+0x3e7/0x830 net/atm/lec.c:559 lec_arp_resolve net/atm/lec.c:1813 [inline] lec_start_xmit+0xe52/0x2890 net/atm/lec.c:294 __netdev_start_xmit include/linux/netdevice.h:5343 [inline] netdev_start_xmit include/linux/netdevice.h:5352 [inline] xmit_one net/core/dev.c:3888 [inline] dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3904 sch_direct_xmit+0x251/0x4c0 net/sched/sch_generic.c:372 __dev_xmit_skb net/core/dev.c:4209 [inline] __dev_queue_xmit+0x180f/0x3950 net/core/dev.c:4831 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246 dst_output include/net/dst.h:470 [inline] NF_HOOK+0x177/0x4f0 include/linux/netfilter.h:318 mld_sendpack+0x8b4/0xe40 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x835/0xe70 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3288 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3371 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3452 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 ================================================================== ---------------- Code disassembly (best guess): 0: 85 e4 test %esp,%esp 2: 74 48 je 0x4c 4: f0 83 44 24 fc 00 lock addl $0x0,-0x4(%rsp) a: 4c 89 e9 mov %r13,%rcx d: 4d 8d 6c 24 40 lea 0x40(%r12),%r13 12: 4c 89 e8 mov %r13,%rax 15: 48 c1 e8 03 shr $0x3,%rax 19: 48 89 cd mov %rcx,%rbp 1c: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) 20: 74 08 je 0x2a 22: 4c 89 ef mov %r13,%rdi 25: e8 85 ea ba f8 call 0xf8baeaaf * 2a: 49 8b 45 00 mov 0x0(%r13),%rax <-- trapping instruction 2e: 4c 39 e8 cmp %r13,%rax 31: 74 4c je 0x7f 33: e8 47 1d 4f f8 call 0xf84f1d7f 38: ba c3 00 00 00 mov $0xc3,%edx 3d: 4c 89 e7 mov %r12,%rdi