Re: [syzbot] [rdma?] kernel BUG in ib_device_get_by_index

Next message: Tycho Andersen: "[PATCH 02/11] x86/snp: Keep the RMP table bookkeeping area mapped"
Previous message: Tycho Andersen: "[PATCH 01/11] x86/snp: drop support for SNP hotplug"
Next in thread: Tetsuo Handa: "Re: [syzbot] [rdma?] kernel BUG in ib_device_get_by_index"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Romanovsky

Date: Mon Mar 02 2026 - 14:18:12 EST

On Sat, Feb 28, 2026 at 02:07:46PM +0900, Tetsuo Handa wrote:
> Hmm, this assertion was wrong because ib_device_get_by_index()
> might be called before enable_device_and_get() is called.
>
> #syz invalid

I think this is a valid syzkaller report. As you correctly noted, the device
was inserted into the xarray database in assign_name(), but its refcount was
only set later in enable_device_and_get().

The proper fix can be something like that:

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index c7b227e2e657..5fc2604ec482 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -321,7 +321,7 @@ struct ib_device *ib_device_get_by_index(const struct net *net, u32 index)

down_read(&devices_rwsem);
device = xa_load(&devices, index);
- if (device) {
+ if (device && xa_get_mark(&devices, index, DEVICE_REGISTERED)) {
if (!rdma_dev_access_netns(device, net)) {
device = NULL;
goto out;

Thanks