CVE-2026-45922
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
The UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function allocates memory for the device path using kobject_get_path(). If the length of the device path exceeds the output buffer length, the function returns -ENOSPC but does not free the allocated memory, resulting in a memory leak.
Add a kfree() call to the error path to ensure the allocated memory is properly freed.
Compile tested only. Issue found using a prototype static analysis tool and code review.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's RDMA/mlx5 driver occurs when GET_DATA_DIRECT_SYSFS_PATH fails due to an oversized path, fixed by adding kfree().
Vulnerability
In the Linux kernel, the UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function in the RDMA/mlx5 driver allocates memory via kobject_get_path(). If the length of the device path exceeds the output buffer length, the function returns -ENOSPC without freeing the allocated memory, causing a memory leak. This affects the kernel tree as of the commit requiring the fix [1].
Exploitation
No specific exploitation sequence is described in the available references. The vulnerability is reachable through user-space RDMA operations that invoke the MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH method, which is part of the uverbs interface. An attacker with local access and permission to interact with the mlx5 uverbs device could trigger the path-length condition to cause repeated allocations and eventual memory exhaustion [1].
Impact
Successfully triggering this leak repeatedly leads to a gradual depletion of kernel memory, potentially resulting in a denial-of-service (DoS) condition. The CVSS score is 5.5 (Medium) with low attack complexity and local access required [1].
Mitigation
The fix was applied in kernel commit ee998cdbff6680891b0efd9d6ce53a388e5342c3 [1]. Users should update to a kernel version containing this commit. No workarounds are documented in the provided references [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
b3a10eca24fc RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
1 file changed · +2 −3
drivers/infiniband/hw/mlx5/std_types.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/mlx5/std_types.c b/drivers/infiniband/hw/mlx5/std_types.c index 2fcf553044e15e..1ee31611b4b3f1 100644 --- a/drivers/infiniband/hw/mlx5/std_types.c +++ b/drivers/infiniband/hw/mlx5/std_types.c @@ -195,7 +195,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( int out_len = uverbs_attr_get_len(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH); u32 dev_path_len; - char *dev_path; + char *dev_path = NULL; int ret; c = to_mucontext(ib_uverbs_get_ucontext(attrs)); @@ -223,9 +223,9 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( ret = uverbs_copy_to(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH, dev_path, dev_path_len); - kfree(dev_path); end: + kfree(dev_path); mutex_unlock(&dev->data_direct_lock); return ret; } -- cgit 1.3-korg
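Review bot: In the second hunk (@@ -223,9), kfree(dev_path) lands between end: and mutex_unlock(&dev->data_direct_lock), so the buffer is now freed with data_direct_lock still held on every exit. dev_path is a local pointer and the free needs no lock; moving kfree(dev_path) to just after mutex_unlock() would keep the free out of the critical section while still covering every path that reaches end:.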
ee998cdbff66 RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
1 file changed · +2 −3
drivers/infiniband/hw/mlx5/std_types.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/mlx5/std_types.c b/drivers/infiniband/hw/mlx5/std_types.c index bdb568411091c8..d0137ab7c645cd 100644 --- a/drivers/infiniband/hw/mlx5/std_types.c +++ b/drivers/infiniband/hw/mlx5/std_types.c @@ -214,7 +214,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( int out_len = uverbs_attr_get_len(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH); u32 dev_path_len; - char *dev_path; + char *dev_path = NULL; int ret; c = to_mucontext(ib_uverbs_get_ucontext(attrs)); @@ -242,9 +242,9 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( ret = uverbs_copy_to(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH, dev_path, dev_path_len); - kfree(dev_path); end: + kfree(dev_path); mutex_unlock(&dev->data_direct_lock); return ret; } -- cgit 1.3-korg
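Review bot: In the first hunk (@@ -214,7), the new initializer char *dev_path = NULL is what keeps the kfree(dev_path) now placed under end: safe on any exit that reaches the label before dev_path is assigned, but nothing at the declaration records that dependency. A short comment on the declaration, or a separate label for the free placed above end:, would stop a later cleanup from removing the initializer as redundant.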
b2bc649c18fb RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
1 file changed · +2 −3
drivers/infiniband/hw/mlx5/std_types.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/mlx5/std_types.c b/drivers/infiniband/hw/mlx5/std_types.c index 2fcf553044e15e..1ee31611b4b3f1 100644 --- a/drivers/infiniband/hw/mlx5/std_types.c +++ b/drivers/infiniband/hw/mlx5/std_types.c @@ -195,7 +195,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( int out_len = uverbs_attr_get_len(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH); u32 dev_path_len; - char *dev_path; + char *dev_path = NULL; int ret; c = to_mucontext(ib_uverbs_get_ucontext(attrs)); @@ -223,9 +223,9 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( ret = uverbs_copy_to(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH, dev_path, dev_path_len); - kfree(dev_path); end: + kfree(dev_path); mutex_unlock(&dev->data_direct_lock); return ret; } -- cgit 1.3-korg
9b9d25390847 RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler
1 file changed · +2 −3
drivers/infiniband/hw/mlx5/std_types.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/mlx5/std_types.c b/drivers/infiniband/hw/mlx5/std_types.c index 2fcf553044e15e..1ee31611b4b3f1 100644 --- a/drivers/infiniband/hw/mlx5/std_types.c +++ b/drivers/infiniband/hw/mlx5/std_types.c @@ -195,7 +195,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( int out_len = uverbs_attr_get_len(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH); u32 dev_path_len; - char *dev_path; + char *dev_path = NULL; int ret; c = to_mucontext(ib_uverbs_get_ucontext(attrs)); @@ -223,9 +223,9 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH)( ret = uverbs_copy_to(attrs, MLX5_IB_ATTR_GET_DATA_DIRECT_SYSFS_PATH, dev_path, dev_path_len); - kfree(dev_path); end: + kfree(dev_path); mutex_unlock(&dev->data_direct_lock); return ret; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing kfree() on the error path when the device path length exceeds the output buffer length, causing a memory leak of memory allocated by kobject_get_path()."
Attack vector
An attacker with access to the RDMA subsystem can invoke the MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH ioctl on a Mellanox ConnectX-5 device. The handler allocates a device path string via kobject_get_path() and then attempts to copy it to the user-supplied output buffer. If the path length exceeds the output buffer length, the function returns -ENOSPC without freeing the allocated memory. Repeated invocation progressively exhausts kernel memory.
Affected code
The vulnerable function is UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) in drivers/infiniband/hw/mlx5/std_types.c. The memory allocated by kobject_get_path() was only freed after a successful uverbs_copy_to() call; the error path returning -ENOSPC skipped the kfree().
What the fix does
The patch moves the kfree(dev_path) call from immediately after uverbs_copy_to() to the end label, ensuring the allocated memory is freed on all code paths including the error path that returns -ENOSPC. It also initializes dev_path to NULL so that kfree(NULL) is safe if the function returns before allocation. This closes the memory leak by guaranteeing that every allocation from kobject_get_path() is paired with a kfree().
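The leak and the fix described above, reduced to a userspace C model (an added example, not the kernel's code). `model_get_path`, `model_free`, `live_allocs`, the two `get_path_*` functions and the `-ENODEV` early exit are constructed stand-ins, and the mutex is left out.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs; /* outstanding path buffers; non-zero after a call = leak */
/* Stand-in for kobject_get_path(): heap copy that the caller must free. */
static char *model_get_path(const char *path)
{
    char *p = malloc(strlen(path) + 1);
    if (p) { strcpy(p, path); live_allocs++; }
    return p;
}
static void model_free(char *p) /* like kfree(): NULL is a no-op */
{
    if (p) { live_allocs--; free(p); }
}

/* Pre-fix shape: the free sits above the label, so goto end skips it. */
int get_path_leaky(const char *path, char *out, size_t out_len)
{
    char *dev_path = model_get_path(path);
    size_t len;
    int ret = 0;

    if (!dev_path) { ret = -ENOMEM; goto end; }
    len = strlen(dev_path) + 1;
    if (len > out_len) { ret = -ENOSPC; goto end; } /* dev_path is leaked */
    memcpy(out, dev_path, len);
    model_free(dev_path);
end:
    return ret;
}

/* Post-fix shape: pointer starts NULL and is freed once, under the label. */
int get_path_fixed(const char *path, char *out, size_t out_len)
{
    char *dev_path = NULL;
    size_t len;
    int ret = 0;

    if (!path) { ret = -ENODEV; goto end; } /* exit before any allocation */
    dev_path = model_get_path(path);
    if (!dev_path) { ret = -ENOMEM; goto end; }
    len = strlen(dev_path) + 1;
    if (len > out_len) { ret = -ENOSPC; goto end; }
    memcpy(out, dev_path, len);
end:
    model_free(dev_path);
    return ret;
}
```

After a call with an undersized buffer, `live_allocs` stays at 1 for the pre-fix shape and returns to 0 for the post-fix shape, including on the exit taken before any allocation.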
Preconditions
- auth: Attacker must have access to the RDMA subsystem (access to /dev/infiniband/rdma_cm or similar) on a system with a Mellanox mlx5 device.
- input: The attacker must be able to invoke the MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH ioctl with an output buffer smaller than the device sysfs path.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References