Re: [BUG] rxrpc: Client connection leak and BUG() call during kernel IO thread exit
From: Anderson Nascimento
Date: Wed Apr 22 2026 - 12:38:23 EST
On Wed, Apr 22, 2026 at 1:25 PM Anderson Nascimento
<anderson@xxxxxxxxxxxxxxxxxx> wrote:
>
> Hi David,
>
> On Wed, Apr 22, 2026 at 1:08 PM David Howells <dhowells@xxxxxxxxxx> wrote:
> >
> > Do you by any chance have a reproducer program for this?
> >
>
> Sorry, I mixed things up and ended up sending a different reproducer.
> I do have it, I will test it now and send here in a few minutes.
You can find the reproducers below. I run them simultaneously in a
bash while loop on two different SSH shells. I can trigger it by running
only one server and one client, but when I discovered the bug I was
running 2 servers and 2 clients simultaneously. You can try both, and
here it doesn't take long to trigger it. My virtual machine is
configured to have 4 cores.
while true; do ./server; done
while true; do ./client; done
server.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/rxrpc.h>
#include <pthread.h>
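/*
 * Append an empty RXRPC_CHARGE_ACCEPT control message at offset @ctrllen in
 * the buffer @control and advance @ctrllen past it. The caller must supply
 * at least CMSG_LEN(0) bytes beyond @ctrllen; nothing here checks that.
 * The offset is computed on a char * (arithmetic on a void * is a GNU
 * extension, not standard C) and the scratch local no longer uses a
 * reserved double-underscore name. @ctrllen grows by cmsg_len rather than
 * CMSG_SPACE(); that is fine for this single cmsg but would need CMSG_SPACE()
 * if a second cmsg with an unaligned payload were appended after it.
 */
#define RXRPC_ADD_CHARGE_ACCEPT(control, ctrllen) \
do { \
	struct cmsghdr *cmsg_ = (struct cmsghdr *)((char *)(control) + (ctrllen)); \
	cmsg_->cmsg_len = CMSG_LEN(0); \
	cmsg_->cmsg_level = SOL_RXRPC; \
	cmsg_->cmsg_type = RXRPC_CHARGE_ACCEPT; \
	(ctrllen) += cmsg_->cmsg_len; \
} while (0)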
/* Server socket; file-scope so the closer thread can reach the fd main() opened. */
int sk;

/*
 * Thread body: close the global server socket and exit the thread.
 * The argument is unused and the close() result is deliberately dropped.
 * (The name is a reserved identifier because of the leading "__"; renaming
 * it would also require updating the pthread_create() call in main().)
 */
void *__close(void *a)
{
	(void)a;
	(void)close(sk);
	return NULL;
}
/*
 * Server side of the reproducer: bind an AF_RXRPC socket to service 1234 on
 * UDP port 7000, post one RXRPC_CHARGE_ACCEPT control message, then close the
 * socket from a second pthread. Looped alongside client.c (see the text
 * above) this leads to the "Leaked client conn" BUG() in
 * rxrpc_purge_client_connections shown in the report below.
 *
 * NOTE(review): none of the socket(), bind(), listen(), sendmsg() or
 * pthread_create() return values are checked. If socket() fails, sk is -1
 * and every later call fails with EBADF, so a run that never reached the
 * rxrpc path looks exactly like one that did; a perror() on socket() and
 * bind() at least would make a failed run visible.
 */
int main(void)
{
	struct sockaddr_rxrpc sockaddr_rxrpc_server;
	struct msghdr msg;
	struct iovec iov;               /* zeroed below but never attached to msg */
	char buffer_msg_control[4096];  /* holds the single cmsg built below */
	size_t control_len = 0;
	pthread_t th[2];                /* only th[0] is used */

	memset(&sockaddr_rxrpc_server, '\0', sizeof(sockaddr_rxrpc_server));
	memset(&buffer_msg_control, '\0', sizeof(buffer_msg_control));
	memset(&msg, '\0', sizeof(msg));
	memset(&iov, '\0', sizeof(iov));

	/* Third argument selects the transport family (IPv4) for AF_RXRPC. */
	sk = socket(AF_RXRPC, SOCK_DGRAM, PF_INET);

	sockaddr_rxrpc_server.srx_family = AF_RXRPC;
	sockaddr_rxrpc_server.srx_service = 1234;   /* same service id client.c connects to */
	sockaddr_rxrpc_server.transport_type = SOCK_DGRAM;
	sockaddr_rxrpc_server.transport_len = sizeof(sockaddr_rxrpc_server.transport.sin);
	sockaddr_rxrpc_server.transport.family = AF_INET;
	/* sin_addr stays zero from the memset, i.e. bind to any local address. */
	sockaddr_rxrpc_server.transport.sin.sin_port = htons(7000);
	bind(sk, (struct sockaddr *)&sockaddr_rxrpc_server, sizeof(sockaddr_rxrpc_server));
	listen(sk, 10);

	/* Send a message carrying only the CHARGE_ACCEPT cmsg: no data, no iov. */
	RXRPC_ADD_CHARGE_ACCEPT(buffer_msg_control, control_len);
	msg.msg_control = buffer_msg_control;
	msg.msg_controllen = control_len;
	sendmsg(sk, &msg, 0);

	/* The close() runs on a separate thread rather than inline; presumably
	 * needed for the timing that reproduces the race -- confirm with author. */
	pthread_create(&th[0], NULL, &__close, NULL);
	pthread_join(th[0], NULL);
	return 0;
}
client.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/rxrpc.h>
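/* 127.0.0.1 as raw bytes; used for both the local bind and the peer address. */
static const unsigned char local_addr[4] = { 127, 0, 0, 1 };

/*
 * Append an RXRPC_USER_CALL_ID control message carrying @id at offset
 * @ctrllen in the buffer @control and advance @ctrllen past it. The caller
 * must supply at least CMSG_LEN(sizeof(unsigned long)) bytes beyond
 * @ctrllen; nothing here checks that. The offset is computed on a char *
 * (arithmetic on a void * is a GNU extension, not standard C), the payload
 * is written with memcpy() instead of through an unsigned long * so no
 * alignment is assumed for the control buffer, and the scratch locals no
 * longer use reserved double-underscore names. The bytes stored and the
 * resulting @ctrllen are unchanged.
 */
#define RXRPC_ADD_CALLID(control, ctrllen, id) \
do { \
	struct cmsghdr *cmsg_ = (struct cmsghdr *)((char *)(control) + (ctrllen)); \
	unsigned long id_ = (id); \
	cmsg_->cmsg_len = CMSG_LEN(sizeof(id_)); \
	cmsg_->cmsg_level = SOL_RXRPC; \
	cmsg_->cmsg_type = RXRPC_USER_CALL_ID; \
	memcpy(CMSG_DATA(cmsg_), &id_, sizeof(id_)); \
	(ctrllen) += cmsg_->cmsg_len; \
} while (0)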
/*
 * Client side of the reproducer: bind an AF_RXRPC socket to 127.0.0.1:7001
 * (service 0), connect it to the server at 127.0.0.1:7000 service 1234, and
 * send one message whose only content is an RXRPC_USER_CALL_ID cmsg. Looped
 * alongside server.c (see the text above) this leads to the BUG() in
 * rxrpc_purge_client_connections shown in the report below.
 *
 * NOTE(review): socket(), bind(), connect() and sendmsg() return values are
 * not checked, so a run where socket() failed (sk == -1, later calls EBADF)
 * is indistinguishable from one that reached the rxrpc code. The socket is
 * also never close()d explicitly; it is released when the process exits --
 * presumably intentional so teardown coincides with exit, confirm with author.
 */
int main(void)
{
	struct msghdr msg;
	struct sockaddr_rxrpc sockaddr_rxrpc_local;   /* address this socket binds to */
	struct sockaddr_rxrpc sockaddr_rxrpc_client;  /* address of the peer (server) */
	char buffer_msg_control[4096];                /* holds the single cmsg built below */
	size_t control_len;
	int sk;

	memset(&sockaddr_rxrpc_local, '\0', sizeof(sockaddr_rxrpc_local));
	memset(&sockaddr_rxrpc_client, '\0', sizeof(sockaddr_rxrpc_client));
	memset(&buffer_msg_control, '\0', sizeof(buffer_msg_control));
	memset(&msg, '\0', sizeof(msg));

	/* Third argument selects the transport family (IPv4) for AF_RXRPC. */
	sk = socket(AF_RXRPC, SOCK_DGRAM, PF_INET);

	/* Local endpoint: 127.0.0.1:7001, service 0 (a client-only socket). */
	sockaddr_rxrpc_local.srx_family = AF_RXRPC;
	sockaddr_rxrpc_local.srx_service = 0;
	sockaddr_rxrpc_local.transport_type = SOCK_DGRAM;
	sockaddr_rxrpc_local.transport_len = sizeof(sockaddr_rxrpc_local.transport.sin);
	sockaddr_rxrpc_local.transport.family = AF_INET;
	sockaddr_rxrpc_local.transport.sin.sin_port = htons(7001);
	memcpy(&sockaddr_rxrpc_local.transport.sin.sin_addr, &local_addr, 4);
	bind(sk, (struct sockaddr *)&sockaddr_rxrpc_local, sizeof(sockaddr_rxrpc_local));

	/* Peer endpoint: 127.0.0.1:7000, service 1234 -- what server.c binds. */
	sockaddr_rxrpc_client.srx_family = AF_RXRPC;
	sockaddr_rxrpc_client.srx_service = 1234;
	sockaddr_rxrpc_client.transport_type = SOCK_DGRAM;
	sockaddr_rxrpc_client.transport_len = sizeof(sockaddr_rxrpc_client.transport.sin);
	sockaddr_rxrpc_client.transport.family = AF_INET;
	sockaddr_rxrpc_client.transport.sin.sin_port = htons(7000);
	memcpy(&sockaddr_rxrpc_client.transport.sin.sin_addr, &local_addr, 4);
	connect(sk, (struct sockaddr *)&sockaddr_rxrpc_client, sizeof(sockaddr_rxrpc_client));

	/* Send a message carrying only the call-id cmsg: no data, msg_iov left NULL. */
	control_len = 0;
	RXRPC_ADD_CALLID(buffer_msg_control, control_len, 0x1234);
	msg.msg_control = buffer_msg_control;
	msg.msg_controllen = control_len;
	sendmsg(sk, &msg, 0);
	return 0;
}
Here is the report I just triggered:
[ 473.601077] rxrpc: AF_RXRPC: Leaked client conn 00000000bf02a6a7 {1}
[ 473.601115] ------------[ cut here ]------------
[ 473.601117] kernel BUG at net/rxrpc/conn_client.c:64!
[ 473.601169] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 473.601180] CPU: 0 UID: 0 PID: 1107239 Comm: krxrpcio/7001 Not
tainted 6.18.13-200.fc43.x86_64 #1 PREEMPT(lazy)
[ 473.601193] Hardware name: VMware, Inc. VMware Virtual
Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 473.601205] RIP: 0010:rxrpc_purge_client_connections+0x58/0xa0 [rxrpc]
[ 473.601261] Code: 28 01 00 00 00 74 25 31 c0 48 8d 74 24 0c 48 89
cf 89 44 24 0c 48 89 0c 24 e8 d4 ec c2 c1 48 89 c6 48 85 c0 0f 85 49
dd 01 00 <0f> 0b 31 f6 48 89 cf 48 89 0c 24 e8 c8 aa c4 c1 48 8b 0c 24
85 c0
[ 473.601280] RSP: 0018:ffffc900159cfdd8 EFLAGS: 00010246
[ 473.601288] RAX: 0000000000000000 RBX: ffff88810a6b4800 RCX: 0000000000000000
[ 473.601297] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88810a6b4920
[ 473.601305] RBP: ffff888123398000 R08: ffffc900159cfdb8 R09: ffff88810a6b4928
[ 473.601313] R10: 0000000000000018 R11: 0000000040000000 R12: ffff88810a9cda00
[ 473.601322] R13: ffff88810a6b4800 R14: ffffc900159cfe70 R15: ffff88812d0c2800
[ 473.601330] FS: 0000000000000000(0000) GS:ffff8882af626000(0000)
knlGS:0000000000000000
[ 473.601339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 473.601347] CR2: 00007faf20630030 CR3: 000000000382e002 CR4: 00000000003706f0
[ 473.601380] Call Trace:
[ 473.601387] <TASK>
[ 473.601393] rxrpc_destroy_local+0xc9/0xe0 [rxrpc]
[ 473.601443] rxrpc_io_thread+0x65d/0x750 [rxrpc]
[ 473.601487] ? __pfx_rxrpc_io_thread+0x10/0x10 [rxrpc]
[ 473.601527] kthread+0xfc/0x240
[ 473.601536] ? __pfx_kthread+0x10/0x10
[ 473.601542] ret_from_fork+0xf4/0x110
[ 473.601550] ? __pfx_kthread+0x10/0x10
[ 473.601558] ret_from_fork_asm+0x1a/0x30
[ 473.601574] </TASK>
[ 473.601578] Modules linked in: vsock_diag fcrypt pcbc rxrpc
ip6_udp_tunnel krb5 udp_tunnel rfkill nft_fib_inet nft_fib_ipv4
nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 nf_tables intel_rapl_msr intel_rapl_common
intel_uncore_frequency_common intel_pmc_core pmt_telemetry
pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec rapl
vmw_balloon sunrpc qrtr vmxnet3 i2c_piix4 i2c_smbus binfmt_misc joydev
loop dm_multipath nfnetlink zram lz4hc_compress lz4_compress
vmw_vsock_vmci_transport vsock vmw_vmci xfs nvme nvme_core
nvme_keyring polyval_clmulni ghash_clmulni_intel nvme_auth vmwgfx hkdf
drm_ttm_helper ata_generic ttm pata_acpi serio_raw scsi_dh_rdac
scsi_dh_emc scsi_dh_alua i2c_dev fuse
[ 473.601690] ---[ end trace 0000000000000000 ]---
[ 473.601698] RIP: 0010:rxrpc_purge_client_connections+0x58/0xa0 [rxrpc]
[ 473.601794] Code: 28 01 00 00 00 74 25 31 c0 48 8d 74 24 0c 48 89
cf 89 44 24 0c 48 89 0c 24 e8 d4 ec c2 c1 48 89 c6 48 85 c0 0f 85 49
dd 01 00 <0f> 0b 31 f6 48 89 cf 48 89 0c 24 e8 c8 aa c4 c1 48 8b 0c 24
85 c0
[ 473.601813] RSP: 0018:ffffc900159cfdd8 EFLAGS: 00010246
[ 473.601820] RAX: 0000000000000000 RBX: ffff88810a6b4800 RCX: 0000000000000000
[ 473.601829] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88810a6b4920
[ 473.601837] RBP: ffff888123398000 R08: ffffc900159cfdb8 R09: ffff88810a6b4928
[ 473.601845] R10: 0000000000000018 R11: 0000000040000000 R12: ffff88810a9cda00
[ 473.602211] R13: ffff88810a6b4800 R14: ffffc900159cfe70 R15: ffff88812d0c2800
[ 473.602599] FS: 0000000000000000(0000) GS:ffff8882af626000(0000)
knlGS:0000000000000000
[ 473.603301] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 473.604869] CR2: 00007faf20630030 CR3: 000000000382e002 CR4: 00000000003706f0
Best regards,
--
Anderson Nascimento
Allele Security Intelligence
https://www.allelesecurity.com