Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026
CVE-2026-45852
CVE-2026-45852
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix double free in rxe_srq_from_init
In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'.
The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free.
The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core]
Fix this by moving 'srq->rq.queue = q' after copy_to_user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double free vulnerability in the Linux kernel's RDMA/rxe driver (rxe_srq_from_init) can be triggered by a local user, potentially leading to memory corruption.
Vulnerability
In the Linux kernel's RDMA/rxe driver, the function rxe_srq_from_init assigns the queue pointer q to srq->rq.queue before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue but leaves the now-invalid pointer in srq->rq.queue. The caller rxe_create_srq then calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, resulting in a double free [1]. This affects kernel versions prior to the inclusion of the fix commit.
Exploitation
An attacker must have local access and the ability to create a Shared Receive Queue (SRQ) via the RDMA subsystem. The exploit requires causing copy_to_user() to fail, for example by providing an invalid user-space address or triggering a page fault. The sequence involves creating an SRQ, inducing the copy failure, and then relying on the error path to execute the double free.
Impact
A double free can lead to memory corruption, use-after-free, or other undefined behavior. This may be exploitable for privilege escalation or denial of service, depending on the system state and memory allocator behavior.
Mitigation
The fix is provided in commit [1] which moves srq->rq.queue = q after the copy_to_user() call, preventing the dangling pointer. Users should apply the latest stable kernel updates that include this patch. No workaround is available.
References
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
165c07aef09a12RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 6.18.14via kernel-cna
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
26a9cfe12f4fRDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 6.19.4via kernel-cna
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
0beefd0e15d9RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 7.0via kernel-cna
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
22b8c23a3b92RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 5.10.252via kernel-cna
2 files changed · +6 −2
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 41b0d1e11bafdb..9d9baca2694999 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -116,6 +116,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 41b0d1e11bafdb..9d9baca2694999 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -116,6 +116,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
af5956243018RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 5.15.202via kernel-cna
2 files changed · +6 −2
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index eb1c4c3b3a7865..05ae3d183b21d1 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -118,6 +118,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index eb1c4c3b3a7865..05ae3d183b21d1 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -118,6 +118,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
d286f0d4e3adRDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 6.1.165via kernel-cna
2 files changed · +6 −2
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 02b39498c370d2..115ff5428f6cfb 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -87,6 +87,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 02b39498c370d2..115ff5428f6cfb 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -87,6 +87,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
26793db60925RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 6.6.128via kernel-cna
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
ce6f8e007682RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiasheng JiangJan 12, 2026Fixed in 6.12.75via kernel-cna
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
ce6f8e007682RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
af5956243018RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −2
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index eb1c4c3b3a7865..05ae3d183b21d1 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -118,6 +118,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index eb1c4c3b3a7865..05ae3d183b21d1 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -118,6 +118,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
d286f0d4e3adRDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −2
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 02b39498c370d2..115ff5428f6cfb 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -87,6 +87,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 02b39498c370d2..115ff5428f6cfb 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -87,6 +87,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
0beefd0e15d9RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
22b8c23a3b92RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −2
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 41b0d1e11bafdb..9d9baca2694999 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -116,6 +116,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −1 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 41b0d1e11bafdb..9d9baca2694999 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -116,6 +116,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; } -- cgit 1.3-korg
26a9cfe12f4fRDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
5c07aef09a12RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
26793db60925RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiasheng JiangJan 12, 2026via nvd-ref
2 files changed · +6 −8
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
drivers/infiniband/sw/rxe/rxe_srq.c+3 −4 modifieddiff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c index 2a234f26ac1044..c9a7cd38953d31 100644 --- a/drivers/infiniband/sw/rxe/rxe_srq.c +++ b/drivers/infiniband/sw/rxe/rxe_srq.c @@ -77,9 +77,6 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, goto err_free; } - srq->rq.queue = q; - init->attr.max_wr = srq->rq.max_wr; - if (uresp) { if (copy_to_user(&uresp->srq_num, &srq->srq_num, sizeof(uresp->srq_num))) { @@ -88,6 +85,9 @@ int rxe_srq_from_init(struct rxe_dev *rxe, struct rxe_srq *srq, } } + srq->rq.queue = q; + init->attr.max_wr = srq->rq.max_wr; + return 0; err_free: -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Use-after-free / double-free due to assigning the queue pointer to srq->rq.queue before the copy_to_user() call, so a failure leaves a dangling pointer that gets freed again by the caller."
Attack vector
An attacker with local access can trigger the bug by creating a shared receive queue (SRQ) via the RDMA subsystem and causing the copy_to_user() call in rxe_srq_from_init() to fail (e.g., by providing a bad user-space pointer in the uresp parameter). When copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue but leaves the freed pointer in srq->rq.queue. The caller rxe_create_srq then calls rxe_srq_cleanup() on the error path, which calls rxe_queue_cleanup() a second time on the same memory, resulting in a double-free [patch_id=2662095].
Affected code
The vulnerable function is rxe_srq_from_init() in drivers/infiniband/sw/rxe/rxe_srq.c [patch_id=2662095]. The queue pointer 'q' was assigned to srq->rq.queue before the copy_to_user() call, creating a window where a failed copy_to_user() leads to a double-free.
What the fix does
The patch moves the assignments 'srq->rq.queue = q' and 'init->attr.max_wr = srq->rq.max_wr' to after the copy_to_user() block, just before the successful return [patch_id=2662095]. This ensures that if copy_to_user() fails, the queue pointer is never stored in srq->rq.queue, so the subsequent rxe_queue_cleanup() call in the error path frees the queue only once, and the caller's rxe_srq_cleanup() will see a NULL or stale pointer and not attempt a second free.
Preconditions
- authAttacker must be able to create an SRQ via the RDMA/rxe interface (requires local access to the RDMA subsystem).
- inputAttacker must supply a user-space pointer (uresp) that causes copy_to_user() to fail.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- git.kernel.org/stable/c/0beefd0e15d962f497aad750b2d5e9c3570b66d1nvd
- git.kernel.org/stable/c/22b8c23a3b92d023614bb00896fe364b2c1a31d3nvd
- git.kernel.org/stable/c/26793db60925df1e88a29466813d586cbc190b8cnvd
- git.kernel.org/stable/c/26a9cfe12f4ffdeaa136f252478986fa5f397ddcnvd
- git.kernel.org/stable/c/5c07aef09a121a4cd622a71eb0753a9e135c84a8nvd
- git.kernel.org/stable/c/af5956243018918130d52c9f671efdb40bab3366nvd
- git.kernel.org/stable/c/ce6f8e007682f378279d4cf83b240f12d52c723bnvd
- git.kernel.org/stable/c/d286f0d4e3ad3caf5f0e673cdad7bf89bf37d947nvd
News mentions
0No linked articles in our index yet.