[syzbot] [rds?] general protection fault in rds_tcp_accept_one


syzbot

Feb 9, 2026, 10:41:25 AM
to allison....@oracle.com, da...@davemloft.net, edum...@google.com, ho...@kernel.org, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, rds-...@oss.oracle.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 9845cf73f7db Add linux-next specific files for 20260205
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10ec4a5a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ac78ce3b6729749e
dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=122acb22580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=149fc7fa580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9f30334a2431/disk-9845cf73.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0d58741a15a6/vmlinux-9845cf73.xz
kernel image: https://storage.googleapis.com/syzbot-assets/62204da1452c/bzImage-9845cf73.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+960460...@syzkaller.appspotmail.com

netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 UID: 0 PID: 3485 Comm: kworker/u8:8 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: krdsd rds_tcp_accept_worker
RIP: 0010:rds_tcp_accept_one+0xa5b/0xd70 net/rds/tcp_listen.c:319
Code: 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 a9 2f f7 48 8b 1b 48 83 c3 12 49 89 de 49 c1 ee 03 <43> 0f b6 04 2e 84 c0 0f 85 53 02 00 00 44 0f b6 2b bf 08 00 00 00
RSP: 0018:ffffc9000b64f9a0 EFLAGS: 00010202
RAX: 1ffff1100dacb173 RBX: 0000000000000012 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8e006fa9 RDI: 00000000ffffffff
RBP: ffffc9000b64fb18 R08: ffffffff903342b7 R09: 1ffffffff2066856
R10: dffffc0000000000 R11: fffffbfff2066857 R12: ffff88803286c000
R13: dffffc0000000000 R14: 0000000000000002 R15: 1ffff920016c9f3c
FS: 0000000000000000(0000) GS:ffff888125115000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f30359456b8 CR3: 00000000320ee000 CR4: 00000000003526f0
Call Trace:
<TASK>
rds_tcp_accept_worker+0x1d/0x70 net/rds/tcp.c:524
process_one_work+0x949/0x1650 kernel/workqueue.c:3279
process_scheduled_works kernel/workqueue.c:3362 [inline]
worker_thread+0xb46/0x1140 kernel/workqueue.c:3443
kthread+0x388/0x470 kernel/kthread.c:467
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rds_tcp_accept_one+0xa5b/0xd70 net/rds/tcp_listen.c:319
Code: 00 00 48 83 c3 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 63 a9 2f f7 48 8b 1b 48 83 c3 12 49 89 de 49 c1 ee 03 <43> 0f b6 04 2e 84 c0 0f 85 53 02 00 00 44 0f b6 2b bf 08 00 00 00
RSP: 0018:ffffc9000b64f9a0 EFLAGS: 00010202
RAX: 1ffff1100dacb173 RBX: 0000000000000012 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8e006fa9 RDI: 00000000ffffffff
RBP: ffffc9000b64fb18 R08: ffffffff903342b7 R09: 1ffffffff2066856
R10: dffffc0000000000 R11: fffffbfff2066857 R12: ffff88803286c000
R13: dffffc0000000000 R14: 0000000000000002 R15: 1ffff920016c9f3c
FS: 0000000000000000(0000) GS:ffff888125115000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f303594da08 CR3: 000000000e74c000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 48 83 c3 18 add $0x18,%rbx
6: 48 89 d8 mov %rbx,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
12: 74 08 je 0x1c
14: 48 89 df mov %rbx,%rdi
17: e8 63 a9 2f f7 call 0xf72fa97f
1c: 48 8b 1b mov (%rbx),%rbx
1f: 48 83 c3 12 add $0x12,%rbx
23: 49 89 de mov %rbx,%r14
26: 49 c1 ee 03 shr $0x3,%r14
* 2a: 43 0f b6 04 2e movzbl (%r14,%r13,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 53 02 00 00 jne 0x28a
37: 44 0f b6 2b movzbl (%rbx),%r13d
3b: bf 08 00 00 00 mov $0x8,%edi


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Feb 9, 2026, 9:02:45 PM
to allison....@oracle.com, allison....@oracle.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> #syz test: g...@github.com:allisonhenderson/rds_work.git syzbug_f9db6ff27b9bfdcfeca

unknown command "test:\u00a...@github.com:allisonhenderson/rds_work.git"

>
> On Mon, 2026-02-09 at 07:41 -0800, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 9845cf73f7db Add linux-next specific files for 20260205
>> git tree: linux-next
>> console output: https://urldefense.com/v3/__https://syzkaller.appspot.com/x/log.txt?x=10ec4a5a580000__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4ONYVS2j$
>> kernel config: https://urldefense.com/v3/__https://syzkaller.appspot.com/x/.config?x=ac78ce3b6729749e__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4NL_GIpI$
>> dashboard link: https://urldefense.com/v3/__https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4MCjo-m3$
>> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
>> syz repro: https://urldefense.com/v3/__https://syzkaller.appspot.com/x/repro.syz?x=122acb22580000__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4GW8gg30$
>> C reproducer: https://urldefense.com/v3/__https://syzkaller.appspot.com/x/repro.c?x=149fc7fa580000__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4D5oQKmF$
>>
>> Downloadable assets:
>> disk image: https://urldefense.com/v3/__https://storage.googleapis.com/syzbot-assets/9f30334a2431/disk-9845cf73.raw.xz__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4OnpjEj3$
>> vmlinux: https://urldefense.com/v3/__https://storage.googleapis.com/syzbot-assets/0d58741a15a6/vmlinux-9845cf73.xz__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4MX_62da$
>> kernel image: https://urldefense.com/v3/__https://storage.googleapis.com/syzbot-assets/62204da1452c/bzImage-9845cf73.xz__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4OvQrNJd$
>> See https://urldefense.com/v3/__https://goo.gl/tpsmEJ__;!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4Ko4o2Xm$ for more information about syzbot.
>> syzbot engineers can be reached at syzk...@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://urldefense.com/v3/__https://goo.gl/tpsmEJ*status__;Iw!!ACWV5N9M2RV99hQ!K_RGm2D82-xIWkLzauTj3sBwaawib22UgF_b8fgxnoaxBHyflpW7ZtPngueJO7Nq3URYRRJKnpBDOWMXYm8yacLC6gvYGl89kv9Z4AUXdFJu$ for how to communicate with syzbot.

syzbot

Feb 9, 2026, 9:15:04 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [rds?] general protection fault in rds_tcp_accept_one
Author: allison....@oracle.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main

commit 86b003db7ed7f474c3f462643c2912ffdeb2f876
Author: Allison Henderson <ache...@kernel.org>
Date: Mon Feb 9 18:20:42 2026 -0700

net/rds: Fix NULL pointer dereference in rds_tcp_accept_one

Hold a local reference to new_sock->sk before installing callbacks
in rds_tcp_accept_one. After rds_tcp_set_callbacks() or
rds_tcp_reset_callbacks(), tc->t_sock is set to new_sock which
may race with the shutdown path. A concurrent
rds_tcp_conn_path_shutdown() may call sock_release(), which sets
new_sock->sk = NULL and frees sk.

Subsequent accesses to new_sock->sk->sk_state dereference NULL,
causing the null dereference. So a local sock reference with
sock_hold() before installing callbacks will prevent the race.

Fixes: 826c1004d4ae ("net/rds: rds_tcp_conn_path_shutdown must not discard messages")
Reported-by: syzbot+960460...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
Signed-off-by: Allison Henderson <ache...@kernel.org>

diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 6fb5c928b8fd..cdc86473a1ba 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -177,6 +177,7 @@ int rds_tcp_accept_one(struct rds_tcp_net *rtn)
struct rds_tcp_connection *rs_tcp = NULL;
int conn_state;
struct rds_conn_path *cp;
+ struct sock *sk;
struct in6_addr *my_addr, *peer_addr;
#if !IS_ENABLED(CONFIG_IPV6)
struct in6_addr saddr, daddr;
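Review bot: netdev reviewers usually ask for local declarations in reverse Christmas tree order (longest line first), and `struct sock *sk;` slotted between `struct rds_conn_path *cp;` and `struct in6_addr *my_addr, *peer_addr;` does not follow that; the surrounding declarations already do not either, so this is minor. Leaving `sk` uninitialized is fine as long as it is assigned unconditionally before its first use, which the later hunk does.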
@@ -298,6 +299,14 @@ int rds_tcp_accept_one(struct rds_tcp_net *rtn)
rds_conn_path_drop(cp, 0);
goto rst_nsk;
}
+ /* Hold a local reference to sk before setting callbacks. Once callbacks
+ * are set, it is possible for a concurrent rds_tcp_conn_path_shutdown
+ * call to release the new_sock->sk and set it to NULL. So we use
+ * a local sk here to avoid racing with callbacks
+ */
+ sk = new_sock->sk;
+ sock_hold(sk);
+
if (rs_tcp->t_sock) {
/* Duelling SYN has been handled in rds_tcp_accept_one() */
rds_tcp_reset_callbacks(new_sock, cp);
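Review bot: the reference taken at `sock_hold(sk);` is only balanced if every path between it and the matching `sock_put(sk)` falls through; the `goto rst_nsk` in the context above sits before the hold, but any error exit between `rds_tcp_set_callbacks()`/`rds_tcp_reset_callbacks()` and the put would leak a socket reference, so please confirm `rst_nsk` is not reachable from that window (or release the reference on that label under a flag). It is also worth stating in the comment what the hold does and does not buy: it keeps `sk` from being freed while this function still reads it, but it does not stop a concurrent `rds_tcp_conn_path_shutdown()` from running `sock_release()` and setting `new_sock->sk = NULL`, which is exactly why every later access must go through the local `sk` and never through `new_sock->sk`.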
@@ -316,13 +325,15 @@ int rds_tcp_accept_one(struct rds_tcp_net *rtn)
* knowing that "rds_tcp_conn_path_shutdown" will
* dequeue pending messages.
*/
- if (new_sock->sk->sk_state == TCP_CLOSE_WAIT ||
- new_sock->sk->sk_state == TCP_LAST_ACK ||
- new_sock->sk->sk_state == TCP_CLOSE)
+ if (READ_ONCE(sk->sk_state) == TCP_CLOSE_WAIT ||
+ READ_ONCE(sk->sk_state) == TCP_LAST_ACK ||
+ READ_ONCE(sk->sk_state) == TCP_CLOSE)
rds_conn_path_drop(cp, 0);
else
queue_delayed_work(cp->cp_wq, &cp->cp_recv_w, 0);

+ sock_put(sk);
+
new_sock = NULL;
ret = 0;
if (conn->c_npaths == 0)
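Review bot: the three `READ_ONCE(sk->sk_state)` calls each reload the field, so a transition between reads (ESTABLISHED seen by the first, CLOSE_WAIT by the second, LAST_ACK by the third) can slip past the whole chain even though each of those states is one the check means to catch; snapshot it once with `int state = READ_ONCE(sk->sk_state);` and compare `state` three times. The check remains inherently racy against a close that lands after it, so the `queue_delayed_work(cp->cp_wq, &cp->cp_recv_w, 0)` path must itself tolerate a socket that has since been released; and note that the test run later in this thread reports a different lockdep splat (`lock_sock` from softirq context via `rds_tcp_get_peer_sport`), which this hunk does not touch, so that result is not evidence against this change on its own.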

syzbot

Feb 9, 2026, 11:06:05 PM
to allison....@oracle.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
inconsistent lock state in lock_sock_nested

================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
kworker/u8:5/1106 [HC0[0]:SC1[3]:HE1:SE0] takes:
ffff88801c708260 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88801c708260 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
lock_sock_nested+0x48/0x100 net/core/sock.c:3780
lock_sock include/net/sock.h:1709 [inline]
tcp_sock_set_nodelay+0x2a/0x180 net/ipv4/tcp.c:3718
rds_tcp_listen_init+0x168/0x410 net/rds/tcp_listen.c:415
rds_tcp_init_net+0x154/0x380 net/rds/tcp.c:568
ops_init+0x35c/0x5c0 net/core/net_namespace.c:137
__register_pernet_operations net/core/net_namespace.c:1320 [inline]
register_pernet_operations+0x343/0x830 net/core/net_namespace.c:1397
register_pernet_device+0x2a/0x80 net/core/net_namespace.c:1484
rds_tcp_init+0xcf/0x170 net/rds/tcp.c:749
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
irq event stamp: 522136
hardirqs last enabled at (522136): [<ffffffff8b98ca40>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (522136): [<ffffffff8b98ca40>] _raw_spin_unlock_irqrestore+0x30/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (522135): [<ffffffff8b98c89a>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (522135): [<ffffffff8b98c89a>] _raw_spin_lock_irqsave+0x1a/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (522108): [<ffffffff89678f94>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last enabled at (522108): [<ffffffff89678f94>] rcu_read_lock_bh include/linux/rcupdate.h:918 [inline]
softirqs last enabled at (522108): [<ffffffff89678f94>] __dev_queue_xmit+0x274/0x3850 net/core/dev.c:4754
softirqs last disabled at (522109): [<ffffffff818712b6>] do_softirq+0x76/0xd0 kernel/softirq.c:523

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(k-sk_lock-AF_INET6);
<Interrupt>
lock(k-sk_lock-AF_INET6);

*** DEADLOCK ***

12 locks held by kworker/u8:5/1106:
#0: ffff88805f5cb148 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
#0: ffff88805f5cb148 ((wq_completion)krds_cp_wq#1/0){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0 kernel/workqueue.c:3340
#1: ffffc90003a5fbc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
#1: ffffc90003a5fbc0 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0 kernel/workqueue.c:3340
#2: ffff88801c70d1e0 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
#2: ffff88801c70d1e0 (k-sk_lock-AF_INET6){+.?.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
#3: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#3: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#3: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: inet6_csk_xmit+0x1ee/0x750 net/ipv6/inet6_connection_sock.c:108
#4: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#4: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#4: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: ip6_xmit+0x283/0x1980 net/ipv6/ip6_output.c:284
#5: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#5: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#5: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: ip6_output+0x126/0x550 net/ipv6/ip6_output.c:234
#6: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: local_lock_acquire include/linux/local_lock_internal.h:41 [inline]
#6: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x3eb/0x1950 net/core/dev.c:6610
#7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: netif_receive_skb_internal net/core/dev.c:6335 [inline]
#7: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: netif_receive_skb+0x102/0xbb0 net/core/dev.c:6407
#8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: nf_hook include/linux/netfilter.h:242 [inline]
#8: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: NF_HOOK+0x9e/0x3c0 include/linux/netfilter.h:316
#9: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#9: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#9: ffffffff8e75a360 (rcu_read_lock){....}-{1:3}, at: ip6_input+0x23/0x270 net/ipv6/ip6_input.c:499
#10: ffff88801c7081e0 (k-slock-AF_INET6/1){+.-.}-{3:3}, at: tcp_v6_rcv+0x2577/0x2f60 net/ipv6/tcp_ipv6.c:1875
#11: ffff88801c708408 (k-clock-AF_INET6){++.-}-{3:3}, at: rds_tcp_data_ready+0x113/0x950 net/rds/tcp_recv.c:320

stack backtrace:
CPU: 1 UID: 0 PID: 1106 Comm: kworker/u8:5 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_usage_bug+0x28b/0x2e0 kernel/locking/lockdep.c:4042
valid_state kernel/locking/lockdep.c:4056 [inline]
mark_lock_irq+0x410/0x420 kernel/locking/lockdep.c:-1
mark_lock+0x115/0x190 kernel/locking/lockdep.c:4753
mark_usage kernel/locking/lockdep.c:-1 [inline]
__lock_acquire+0x689/0x2cf0 kernel/locking/lockdep.c:5191
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
lock_sock_nested+0x48/0x100 net/core/sock.c:3780
lock_sock include/net/sock.h:1709 [inline]
inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
__tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
tcp_data_queue+0x1e2e/0x5e50 net/ipv4/tcp_input.c:5719
tcp_rcv_established+0x1270/0x2670 net/ipv4/tcp_input.c:6710
tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
tcp_v6_rcv+0x2653/0x2f60 net/ipv6/tcp_ipv6.c:1879
ip6_protocol_deliver_rcu+0xa73/0x1600 net/ipv6/ip6_input.c:438
ip6_input_finish+0x191/0x370 net/ipv6/ip6_input.c:489
NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318
ip6_input+0x16a/0x270 net/ipv6/ip6_input.c:500
ip_sabotage_in+0x1e1/0x270 net/bridge/br_netfilter_hooks.c:990
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
nf_hook include/linux/netfilter.h:273 [inline]
NF_HOOK+0x21f/0x3c0 include/linux/netfilter.h:316
__netif_receive_skb_one_core net/core/dev.c:6149 [inline]
__netif_receive_skb net/core/dev.c:6262 [inline]
netif_receive_skb_internal net/core/dev.c:6348 [inline]
netif_receive_skb+0x278/0xbb0 net/core/dev.c:6407
NF_HOOK+0xa4/0x3a0 include/linux/netfilter.h:319
br_handle_frame_finish+0x14b2/0x1b40 net/bridge/br_input.c:-1
br_nf_hook_thresh+0x3dd/0x4c0 net/bridge/br_netfilter_hooks.c:-1
br_nf_pre_routing_finish_ipv6+0xa3a/0xd70 net/bridge/br_netfilter_ipv6.c:-1
NF_HOOK include/linux/netfilter.h:318 [inline]
br_nf_pre_routing_ipv6+0x374/0x6f0 net/bridge/br_netfilter_ipv6.c:184
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
br_handle_frame+0x1277/0x1510 net/bridge/br_input.c:442
__netif_receive_skb_core+0x98f/0x3150 net/core/dev.c:6036
__netif_receive_skb_one_core net/core/dev.c:6147 [inline]
__netif_receive_skb net/core/dev.c:6262 [inline]
process_backlog+0x76d/0x1950 net/core/dev.c:6614
__napi_poll+0xae/0x340 net/core/dev.c:7678
napi_poll net/core/dev.c:7741 [inline]
net_rx_action+0x627/0xf70 net/core/dev.c:7893
handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
__dev_queue_xmit+0x1e6c/0x3850 net/core/dev.c:4856
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_xmit+0x1149/0x1980 net/ipv6/ip6_output.c:358
inet6_csk_xmit+0x4a5/0x750 net/ipv6/inet6_connection_sock.c:114
__tcp_transmit_skb+0x249b/0x43e0 net/ipv4/tcp_output.c:1693
tcp_transmit_skb net/ipv4/tcp_output.c:1711 [inline]
tcp_write_xmit+0x16e8/0x6980 net/ipv4/tcp_output.c:3064
__tcp_push_pending_frames+0x97/0x380 net/ipv4/tcp_output.c:3247
tcp_push_pending_frames include/net/tcp.h:2282 [inline]
__tcp_sock_set_cork net/ipv4/tcp.c:3688 [inline]
tcp_sock_set_cork+0x186/0x2e0 net/ipv4/tcp.c:3695
rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
kthread+0x726/0x8b0 kernel/kthread.c:463
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
BUG: sleeping function called from invalid context at net/core/sock.c:3782
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1106, name: kworker/u8:5
preempt_count: 303, expected: 0
RCU nest depth: 7, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffffff89678fa1>] local_bh_disable include/linux/bottom_half.h:20 [inline]
[<ffffffff89678fa1>] rcu_read_lock_bh include/linux/rcupdate.h:918 [inline]
[<ffffffff89678fa1>] __dev_queue_xmit+0x281/0x3850 net/core/dev.c:4754
CPU: 1 UID: 0 PID: 1106 Comm: kworker/u8:5 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: krds_cp_wq#1/0 rds_send_worker
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
__might_resched+0x378/0x4d0 kernel/sched/core.c:8829
lock_sock_nested+0x5d/0x100 net/core/sock.c:3782
lock_sock include/net/sock.h:1709 [inline]
inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
__tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
tcp_data_queue+0x1e2e/0x5e50 net/ipv4/tcp_input.c:5719
tcp_rcv_established+0x1270/0x2670 net/ipv4/tcp_input.c:6710
tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
tcp_v6_rcv+0x2653/0x2f60 net/ipv6/tcp_ipv6.c:1879
ip6_protocol_deliver_rcu+0xa73/0x1600 net/ipv6/ip6_input.c:438
ip6_input_finish+0x191/0x370 net/ipv6/ip6_input.c:489
NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318
ip6_input+0x16a/0x270 net/ipv6/ip6_input.c:500
ip_sabotage_in+0x1e1/0x270 net/bridge/br_netfilter_hooks.c:990
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_slow+0xc5/0x220 net/netfilter/core.c:623
nf_hook include/linux/netfilter.h:273 [inline]
NF_HOOK+0x21f/0x3c0 include/linux/netfilter.h:316
__netif_receive_skb_one_core net/core/dev.c:6149 [inline]
__netif_receive_skb net/core/dev.c:6262 [inline]
netif_receive_skb_internal net/core/dev.c:6348 [inline]
netif_receive_skb+0x278/0xbb0 net/core/dev.c:6407
NF_HOOK+0xa4/0x3a0 include/linux/netfilter.h:319
br_handle_frame_finish+0x14b2/0x1b40 net/bridge/br_input.c:-1
br_nf_hook_thresh+0x3dd/0x4c0 net/bridge/br_netfilter_hooks.c:-1
br_nf_pre_routing_finish_ipv6+0xa3a/0xd70 net/bridge/br_netfilter_ipv6.c:-1
NF_HOOK include/linux/netfilter.h:318 [inline]
br_nf_pre_routing_ipv6+0x374/0x6f0 net/bridge/br_netfilter_ipv6.c:184
nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline]
nf_hook_bridge_pre net/bridge/br_input.c:291 [inline]
br_handle_frame+0x1277/0x1510 net/bridge/br_input.c:442
__netif_receive_skb_core+0x98f/0x3150 net/core/dev.c:6036
__netif_receive_skb_one_core net/core/dev.c:6147 [inline]
__netif_receive_skb net/core/dev.c:6262 [inline]
process_backlog+0x76d/0x1950 net/core/dev.c:6614
__napi_poll+0xae/0x340 net/core/dev.c:7678
napi_poll net/core/dev.c:7741 [inline]
net_rx_action+0x627/0xf70 net/core/dev.c:7893
handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:936 [inline]
__dev_queue_xmit+0x1e6c/0x3850 net/core/dev.c:4856
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:246
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_xmit+0x1149/0x1980 net/ipv6/ip6_output.c:358
inet6_csk_xmit+0x4a5/0x750 net/ipv6/inet6_connection_sock.c:114
__tcp_transmit_skb+0x249b/0x43e0 net/ipv4/tcp_output.c:1693
tcp_transmit_skb net/ipv4/tcp_output.c:1711 [inline]
tcp_write_xmit+0x16e8/0x6980 net/ipv4/tcp_output.c:3064
__tcp_push_pending_frames+0x97/0x380 net/ipv4/tcp_output.c:3247
tcp_push_pending_frames include/net/tcp.h:2282 [inline]
__tcp_sock_set_cork net/ipv4/tcp.c:3688 [inline]
tcp_sock_set_cork+0x186/0x2e0 net/ipv4/tcp.c:3695
rds_send_xmit+0x207e/0x28d0 net/rds/send.c:480
rds_send_worker+0x7d/0x2e0 net/rds/threads.c:200
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
kthread+0x726/0x8b0 kernel/kthread.c:463
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>


Tested on:

commit: 57be33f8 nfc: nxp-nci: remove interrupt trigger type
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main
console output: https://syzkaller.appspot.com/x/log.txt?x=16b8c65a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7eb827dd875ec07f
dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f594aa580000

syzbot

2:05 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [rds?] general protection fault in rds_tcp_accept_one
Author: allison....@oracle.com

#syz test: g...@github.com:allisonhenderson/rds_work.git rds_tcp_bug_fixes_v14

syzbot

2:07 AM
to allison....@oracle.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to checkout kernel repo g...@github.com:allisonhenderson/rds_work.git/rds_tcp_bug_fixes_v14: failed to run ["git" "fetch" "--force" "75c633a41ce4e3e077c06b68250156dd34977923" "rds_tcp_bug_fixes_v14"]: exit status 128


Tested on:

commit: [unknown
git tree: g...@github.com:allisonhenderson/rds_work.git rds_tcp_bug_fixes_v14
kernel config: https://syzkaller.appspot.com/x/.config?x=ac78ce3b6729749e
patch: https://syzkaller.appspot.com/x/patch.diff?x=1168ea52580000

syzbot

2:31 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [rds?] general protection fault in rds_tcp_accept_one
Author: allison....@oracle.com

#syz test: https://github.com/allisonhenderson/rds_work.git rds_tcp_bug_fixes_v15

syzbot

3:10 AM
to allison....@oracle.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+960460...@syzkaller.appspotmail.com
Tested-by: syzbot+960460...@syzkaller.appspotmail.com

Tested on:

commit: 306ba34d net/rds: rds_sendmsg should not discard paylo..
git tree: https://github.com/allisonhenderson/rds_work.git rds_tcp_bug_fixes_v15
console output: https://syzkaller.appspot.com/x/log.txt?x=13d49b22580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7eb827dd875ec07f
dashboard link: https://syzkaller.appspot.com/bug?extid=96046021045ffe6d7709
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.