[BUG] KASAN: slab-use-after-free in xprt_put

From: Shuangpeng

Date: Sat Jun 06 2026 - 22:17:18 EST


Hi Kernel Maintainers,

I hit the following KASAN report while testing the current upstream kernel:

KASAN: slab-use-after-free in xprt_put

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

To help trigger the bug more reliably, we applied a minimal diagnostic patch
that only adds delays and print statements.

The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/98a27c1e3c0dc5489f117efa7c254593

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>


[ 170.638952][ T24] ==================================================================
[ 170.641053][ T24] BUG: KASAN: slab-use-after-free in xprt_put (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/sunrpc/xprt.c:2195)
[ 170.643027][ T24] Write of size 4 at addr ffff8881092e1000 by task kworker/1:0/24
[ 170.645020][ T24]
[ 170.645344][ T24] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 170.645349][ T24] Workqueue: events rpc_free_client_work
[ 170.645375][ T24] Call Trace:
[ 170.645390][ T24] <TASK>
[ 170.645394][ T24] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 170.645451][ T24] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 170.645514][ T24] kasan_report (mm/kasan/report.c:595)
[ 170.645525][ T24] kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[ 170.645530][ T24] xprt_put (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/linux/kref.h:64 net/sunrpc/xprt.c:2195)
[ 170.645535][ T24] rpc_free_client_work (net/sunrpc/clnt.c:991)
[ 170.645541][ T24] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[ 170.645557][ T24] worker_thread (kernel/workqueue.c:3478)
[ 170.645577][ T24] kthread (kernel/kthread.c:436)
[ 170.645590][ T24] ret_from_fork (arch/x86/kernel/process.c:158)
[ 170.645624][ T24] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 170.645631][ T24] </TASK>
[ 170.645633][ T24]
[ 170.657540][ T24] Freed by task 0 on cpu 1 at 165.626544s:
[ 170.657945][ T24] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 170.658274][ T24] kasan_save_free_info (mm/kasan/generic.c:584)
[ 170.658632][ T24] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 170.658965][ T24] __rcu_free_sheaf_prepare (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:2940)
[ 170.659363][ T24] rcu_free_sheaf (mm/slub.c:5850)
[ 170.659693][ T24] rcu_core (kernel/rcu/tree.c:2617 kernel/rcu/tree.c:2869)
[ 170.659997][ T24] handle_softirqs (kernel/softirq.c:622)
[ 170.660335][ T24] __irq_exit_rcu (kernel/softirq.c:656 kernel/softirq.c:496 kernel/softirq.c:735)
[ 170.660657][ T24] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1061 arch/x86/kernel/apic/apic.c:1061)
[ 170.661058][ T24] asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:697)
[ 170.661480][ T24]
[ 170.661645][ T24] The buggy address belongs to the object at ffff8881092e1000
[ 170.661645][ T24] which belongs to the cache kmalloc-2k of size 2048
[ 170.662610][ T24] The buggy address is located 0 bytes inside of
[ 170.662610][ T24] freed 2048-byte region [ffff8881092e1000, ffff8881092e1800)

Best,
Shuangpeng