Re: [BUG] KASAN: slab-use-after-free in xprt_put
From: Shuangpeng
Date: Wed Jun 24 2026 - 17:01:15 EST
On Jun 24, 2026, at 13:40, Anna Schumaker <anna@xxxxxxxxxx> wrote:
>
> Hi Shuangpeng,
>
> On Sat, Jun 6, 2026, at 10:16 PM, Shuangpeng wrote:
>> Hi Kernel Maintainers,
>>
>> I hit the following KASAN report while testing current upstream kernel:
>>
>> KASAN: slab-use-after-free in xprt_put
>>
>> on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
>>
>> To help trigger the bug more reliably, we applied a minimal diagnostic patch
>> that only adds delays and print statements.
>>
>> The reproducer and .config files are here.
>> https://gist.github.com/shuangpengbai/98a27c1e3c0dc5489f117efa7c254593
>>
>> I’m happy to test debug patches or provide additional information.
>>
>> Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
>
> There have been a handful of fixes in this area that were just merged
> upstream. Any chance you can check if the problem is still there with
> Linus's current tree (or with -rc1 when it releases after the weekend)?
>
Hi Anna,

I retested this on current Linus tree, f0e6f20cb52b ("Merge tag 'ntfs3_for_7.2'"),
and it still reproduces.

The stack trace is essentially unchanged from the original report, aside from
expected address and line-number shifts in the newer tree:

BUG: KASAN: slab-use-after-free in xprt_put+0x13/0x50
Write of size 4 at addr ffff8881046bd000 by task kworker/1:3/8075
Workqueue: events rpc_free_client_work
Call Trace:
xprt_put+0x13/0x50
rpc_free_client_work+0x152/0x250
process_scheduled_works+0x797/0xf10
worker_thread+0x804/0xbb0
kthread+0x2f2/0x3c0
ret_from_fork+0x27d/0x670
ret_from_fork_asm+0x1a/0x30

Freed by task 0 on cpu 1 at 249.878823s:
__rcu_free_sheaf_prepare
rcu_free_sheaf
rcu_core
handle_softirqs
__irq_exit_rcu
sysvec_apic_timer_interrupt

Thanks,
Shuangpeng
> Thanks,
> Anna
>
>>
>>
>> [ 170.638952][ T24] ==================================================================
>> [ 170.641053][ T24] BUG: KASAN: slab-use-after-free in xprt_put (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/sunrpc/xprt.c:2195)
>> [ 170.643027][ T24] Write of size 4 at addr ffff8881092e1000 by task kworker/1:0/24
>> [ 170.645020][ T24]
>> [ 170.645344][ T24] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>> [ 170.645349][ T24] Workqueue: events rpc_free_client_work
>> [ 170.645375][ T24] Call Trace:
>> [ 170.645390][ T24] <TASK>
>> [ 170.645394][ T24] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
>> [ 170.645451][ T24] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
>> [ 170.645514][ T24] kasan_report (mm/kasan/report.c:595)
>> [ 170.645525][ T24] kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
>> [ 170.645530][ T24] xprt_put (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/sunrpc/xprt.c:2195)
>> [ 170.645535][ T24] rpc_free_client_work (net/sunrpc/clnt.c:991)
>> [ 170.645541][ T24] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
>> [ 170.645557][ T24] worker_thread (kernel/workqueue.c:3478)
>> [ 170.645577][ T24] kthread (kernel/kthread.c:436)
>> [ 170.645590][ T24] ret_from_fork (arch/x86/kernel/process.c:158)
>> [ 170.645624][ T24] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
>> [ 170.645631][ T24] </TASK>
>> [ 170.645633][ T24]
>> [ 170.657540][ T24] Freed by task 0 on cpu 1 at 165.626544s:
>> [ 170.657945][ T24] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
>> [ 170.658274][ T24] kasan_save_free_info (mm/kasan/generic.c:584)
>> [ 170.658632][ T24] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
>> [ 170.658965][ T24] __rcu_free_sheaf_prepare (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:2940)
>> [ 170.659363][ T24] rcu_free_sheaf (mm/slub.c:5850)
>> [ 170.659693][ T24] rcu_core (kernel/rcu/tree.c:2617 kernel/rcu/tree.c:2869)
>> [ 170.659997][ T24] handle_softirqs (kernel/softirq.c:622)
>> [ 170.660335][ T24] __irq_exit_rcu (kernel/softirq.c:656 kernel/softirq.c:496 kernel/softirq.c:735)
>> [ 170.660657][ T24] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1061 arch/x86/kernel/apic/apic.c:1061)
>> [ 170.661058][ T24] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:697)
>> [ 170.661480][ T24]
>> [ 170.661645][ T24] The buggy address belongs to the object at ffff8881092e1000
>> [ 170.661645][ T24] which belongs to the cache kmalloc-2k of size 2048
>> [ 170.662610][ T24] The buggy address is located 0 bytes inside of
>> [ 170.662610][ T24] freed 2048-byte region [ffff8881092e1000, ffff8881092e1800)
>>
>> Best,
>> Shuangpeng
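As an added example that is not part of this thread or of the kernel tree, the Python triage helper below parses the two KASAN reports quoted above: the original, in the quoted and line-wrapped form the mailer gave it, and the retest paste with symbol+offset frames. It strips the ">>" quote markers and the printk "[ secs][ Tpid] " prefixes, re-joins wrapped continuation lines, separates the access stack from the "Freed by" stack, drops KASAN's own reporting frames so each stack starts at the first real frame, and cross-checks the faulting address against the freed region the report prints (offset inside the object and whether the access fits within it). The embedded report excerpts are abridged copies of the ones in this thread (whole lines omitted, no line altered); the regexes, the dict key names and the INSTRUMENTATION frame list are this example's own assumptions, derived only from the report format shown here.

```python
import re
from typing import Optional

QUOTE_RE = re.compile(r"^(?:>\s?)+")                          # e-mail quote markers
PRINTK_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\d+\]\s?")     # "[ secs][ Tpid] " log prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FREED_RE = re.compile(r"Freed by task \d+ on cpu \d+ at [\d.]+s:")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION_RE = re.compile(r"freed \d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^(?P<func>[A-Za-z_][\w.]*)")
# KASAN's own reporting/bookkeeping frames (assumed list); dropped so a stack starts at the first real frame.
INSTRUMENTATION = {"dump_stack_lvl", "print_report", "kasan_report", "kasan_check_range",
                   "kasan_save_track", "kasan_save_free_info", "__kasan_slab_free"}

def normalize(text: str) -> list:
    """Strip quote markers and printk prefixes and re-join lines the mailer wrapped."""
    raw = [QUOTE_RE.sub("", ln).rstrip() for ln in text.splitlines()]
    timestamped = any(PRINTK_RE.match(ln) for ln in raw)
    out = []
    for ln in raw:
        m = PRINTK_RE.match(ln) if timestamped else None
        if m:
            out.append(ln[m.end():].strip())
        elif timestamped and out and ln.strip():      # wrapped continuation of the previous line
            out[-1] = (out[-1] + " " + ln.strip()).strip()
        elif not timestamped:
            out.append(ln.strip())
    return out

def parse_kasan_report(text: str) -> dict:
    rep, section = {"access_stack": [], "free_stack": []}, None   # section: stack being collected
    for ln in normalize(text):
        if m := BUG_RE.search(ln):
            rep.update(kind=m["kind"], func=m["func"])
        elif m := ACCESS_RE.search(ln):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16), task=m["task"])
        elif FREED_RE.search(ln):
            section = "free"
        elif ln.startswith("Call Trace:"):
            section = "access"
        elif m := OFFSET_RE.search(ln):
            rep["stated_offset"] = int(m["off"])
        elif m := REGION_RE.search(ln):
            rep.update(region_start=int(m["start"], 16), region_end=int(m["end"], 16))
        elif not ln:
            section = None                            # a blank line ends the current stack
        elif section and (m := FRAME_RE.match(ln)) and m["func"] not in INSTRUMENTATION:
            rep[section + "_stack"].append(m["func"])
    return rep

def check_access(rep: dict) -> Optional[dict]:
    """Cross-check the faulting access against the freed region KASAN printed;
    None when the excerpt carries no object/region footer (as in the retest paste)."""
    if "region_start" not in rep or "addr" not in rep:
        return None
    region_size = rep["region_end"] - rep["region_start"]
    offset = rep["addr"] - rep["region_start"]
    return {"offset": offset, "region_size": region_size,
            "matches_stated_offset": rep.get("stated_offset") == offset,
            "access_inside_region": 0 <= offset and offset + rep["size"] <= region_size}

# Abridged excerpts of the two reports in the thread above, kept in the quoted,
# line-wrapped form in which they appear in the e-mail (whole lines omitted only).
ORIGINAL_REPORT = """\
>> [ 170.641053][ T24] BUG: KASAN: slab-use-after-free in xprt_put
>> [ 170.643027][ T24] Write of size 4 at addr ffff8881092e1000 by task
>> kworker/1:0/24
>> [ 170.645375][ T24] Call Trace:
>> [ 170.645514][ T24] kasan_report (mm/kasan/report.c:595)
>> [ 170.645530][ T24] xprt_put (./include/linux/instrumented.h:112
>> ./include/linux/refcount.h:450 ./include/linux/kref.h:64
>> net/sunrpc/xprt.c:2195)
>> [ 170.645535][ T24] rpc_free_client_work (net/sunrpc/clnt.c:991)
>> [ 170.645633][ T24]
>> [ 170.657540][ T24] Freed by task 0 on cpu 1 at 165.626544s:
>> [ 170.658965][ T24] __rcu_free_sheaf_prepare
>> (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:2940)
>> [ 170.661480][ T24]
>> [ 170.662610][ T24] The buggy address is located 0 bytes inside of
>> [ 170.662610][ T24] freed 2048-byte region [ffff8881092e1000,
>> ffff8881092e1800)
"""
RETEST_REPORT = """\
BUG: KASAN: slab-use-after-free in xprt_put+0x13/0x50
Write of size 4 at addr ffff8881046bd000 by task kworker/1:3/8075
Call Trace:
xprt_put+0x13/0x50
rpc_free_client_work+0x152/0x250
Freed by task 0 on cpu 1 at 249.878823s:
__rcu_free_sheaf_prepare
"""

if __name__ == "__main__":
    for text in (ORIGINAL_REPORT, RETEST_REPORT):
        r = parse_kasan_report(text)
        print(r["kind"], r["op"], r["size"], hex(r["addr"]), r["task"], r["access_stack"], r["free_stack"], check_access(r))
```

The cross-check is the part worth keeping around when triaging: for the original report it confirms that the 4-byte write lands at offset 0 of a 2048-byte kmalloc-2k object that had already been handed back to the allocator, which is exactly what the report text states; for the retest paste, which carries no object footer, it returns None rather than guessing. Both excerpts reduce to the same access stack (xprt_put reached from rpc_free_client_work) and the same freeing context (__rcu_free_sheaf_prepare), which is what makes the two reports the same bug despite the shifted addresses.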