From: Shivani Agarwal
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: jgg@ziepe.ca, leon@kernel.org, mbloch@nvidia.com, parav@nvidia.com,
	roman.gushchin@linux.dev, markzhang@nvidia.com, zhao.xichao@vivo.com,
	wangliang74@huawei.com, yanjun.zhu@linux.dev, marco.crivellari@suse.com,
	jackm@dev.mellanox.co.il, linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com,
	alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com,
	yin.ding@broadcom.com, tapas.kundu@broadcom.com,
	syzbot+e2ce9e275ecc70a30b72@syzkaller.appspotmail.com,
	Jason Gunthorpe, Sasha Levin, Shivani Agarwal
Subject: [PATCH v5.10-v6.6] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
Date: Wed, 7 Jan 2026 22:33:00 -0800
Message-Id: <20260108063300.670981-1-shivani.agarwal@broadcom.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhu Yanjun

[ Upstream commit d0706bfd3ee40923c001c6827b786a309e2a8713 ]

Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 strlen+0x93/0xa0 lib/string.c:420
 __fortify_strlen include/linux/fortify-string.h:268 [inline]
 get_kobj_path_length lib/kobject.c:118 [inline]
 kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
 kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
 ib_register_device drivers/infiniband/core/device.c:1472 [inline]
 ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
 rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
 rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
 rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
 nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
 rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
 netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
 sock_sendmsg_nosec net/socket.c:712 [inline]
 __sock_sendmsg net/socket.c:727 [inline]
 ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
 __sys_sendmsg+0x16d/0x220 net/socket.c:2652
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.

The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.

The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().

Fixes: 779e0bf47632 ("RDMA/core: Do not indicate device ready when device enablement fails")
Link: https://patch.msgid.link/r/20250506151008.75701-1-yanjun.zhu@linux.dev
Reported-by: syzbot+e2ce9e275ecc70a30b72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e2ce9e275ecc70a30b72
Signed-off-by: Zhu Yanjun
Signed-off-by: Jason Gunthorpe
Signed-off-by: Sasha Levin
[ Ajay: Modified to apply on v5.10.y-v6.6.y
  ib_device_notify_register() not present in v5.10.y-v6.6.y,
  so directly added lock for kobject_uevent() ]
Signed-off-by: Ajay Kaher
Signed-off-by: Shivani Agarwal
---
 drivers/infiniband/core/device.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/dev= ice.c index 26f1d2f29..ea9b48108 100644 --- a/drivers/infiniband/core/device.c +++ b/drivers/infiniband/core/device.c @@ -1396,8 +1396,13 @@ int ib_register_device(struct ib_device *device, con= st char *name, return ret; } dev_set_uevent_suppress(&device->dev, false); + + down_read(&devices_rwsem); + /* Mark for userspace that device is ready */ kobject_uevent(&device->dev.kobj, KOBJ_ADD); + + up_read(&devices_rwsem); ib_device_put(device); =20 return 0; --=20 2.40.4
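
Review bot: In the @@ -1396 hunk of ib_register_device(), the added down_read(&devices_rwsem) / up_read(&devices_rwsem) pair has no comment saying what it guards, and the existing "Mark for userspace that device is ready" comment now sits inside the locked region as if it described the lock. Suggest a comment above down_read() stating that the read side is held so ib_device_rename() cannot change the device name while kobject_uevent() walks the kobject path, which is the race the commit message and the kobject_get_path/strlen frames in the trace describe. Since a read lock only excludes writers, the backport note should also confirm that ib_device_rename() takes devices_rwsem for write in every targeted tree (v5.10.y through v6.6.y); the message only says the rename happens "with lock". The two added blank lines around the locked region could be dropped to keep the stable hunk minimal.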