CVE-2026-46117
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel.
Just reject it outright and fail the QP creation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A user-triggerable WARN_ON() in the Linux kernel's mana_ib_create_qp_rss() function can be exploited to corrupt kernel memory.
Vulnerability
In the Linux kernel's RDMA/mana driver, the mana_ib_create_qp_rss() function contains a WARN_ON() that can be triggered by a user-provided uAPI request where multiple work queues (WQs) share the same completion queue (CQ). This condition is explicitly triggerable from userspace and leads to a critical kernel memory corruption issue. [1]
Exploitation
An attacker with local user access and the ability to submit RDMA uAPI calls can craft a QP creation request that specifies multiple WQs bound to the same CQ. This sequence triggers the WARN_ON() in mana_ib_create_qp_rss(), which proceeds to corrupt kernel data structures. No special privileges beyond standard userspace RDMA access are required. [1]
Impact
Successful exploitation results in kernel memory corruption, which can lead to a system crash (denial of service) or potentially arbitrary code execution in the kernel context, depending on the attacker's ability to control the corruption. The vulnerability undermines the integrity and availability of the system. [1]
Mitigation
The vulnerability is fixed in the Linux kernel commit 9cc0c6b1ba8cd5c55aef043e1384de0a8b4efa71, which rejects such invalid QP configurations outright instead of triggering the WARN_ON(). Users should apply the patch as soon as possible. As of the publication date (2026-05-28), the fix is available in the stable kernel tree. No workaround is provided beyond patching. [1]
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
9cc0c6b1ba8c RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
2 files changed · +6 −6
drivers/infiniband/hw/mana/cq.c+3 −3 modifieddiff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c index f04a679d287144..54cf3868b2977d 100644 --- a/drivers/infiniband/hw/mana/cq.c +++ b/drivers/infiniband/hw/mana/cq.c @@ -120,8 +120,9 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq) if (cq->queue.id >= gc->max_num_cqs) return -EINVAL; - /* Create CQ table entry */ - WARN_ON(gc->cq_table[cq->queue.id]); + /* Create CQ table entry, sharing a CQ between WQs is not supported */ + if (gc->cq_table[cq->queue.id]) + return -EINVAL; gdma_cq = kzalloc(sizeof(*gdma_cq), GFP_KERNEL); if (!gdma_cq) return -ENOMEM; -- cgit 1.3-korg
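Review bot: The new `if (gc->cq_table[cq->queue.id]) return -EINVAL;` fires only on the second WQ of the same request, after earlier WQs of that RSS QP have already populated their cq_table slots; confirm that the caller's error path in mana_ib_create_qp_rss() tears those entries down when this -EINVAL propagates, otherwise a later, legitimate QP using those CQ ids would be rejected by the same check. The placement is right: the check sits before `kzalloc(sizeof(*gdma_cq), GFP_KERNEL)`, so the reject path has nothing to free. Note also that the commit summary reports 2 files changed (+6 −6) while only the cq.c hunk (+3 −3) is shown here, so the second file's change must be reviewed from the full commit.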
9ef65af26b2a RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
2 files changed · +6 −6
drivers/infiniband/hw/mana/cq.c+3 −3 modifieddiff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c index 7600412b0739ff..da93cbd57e5728 100644 --- a/drivers/infiniband/hw/mana/cq.c +++ b/drivers/infiniband/hw/mana/cq.c @@ -144,8 +144,9 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq) if (cq->queue.id >= gc->max_num_cqs) return -EINVAL; - /* Create CQ table entry */ - WARN_ON(gc->cq_table[cq->queue.id]); + /* Create CQ table entry, sharing a CQ between WQs is not supported */ + if (gc->cq_table[cq->queue.id]) + return -EINVAL; if (cq->queue.kmem) gdma_cq = cq->queue.kmem; else -- cgit 1.3-korg
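Review bot: This backport is logically identical to the mainline change; the only difference is the surrounding context, where the branch at `if (cq->queue.kmem) gdma_cq = cq->queue.kmem; else ...` replaces the unconditional kzalloc(). The check still precedes that selection, so neither the kmem nor the allocation path is entered for a rejected CQ, which keeps the error path free of cleanup. As with mainline, the summary's second changed file is not shown on this page.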
db991ba50087 RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
2 files changed · +6 −6
drivers/infiniband/hw/mana/cq.c+3 −3 modifieddiff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c index b2749f971cd0af..25e5b904e7c81d 100644 --- a/drivers/infiniband/hw/mana/cq.c +++ b/drivers/infiniband/hw/mana/cq.c @@ -142,8 +142,9 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq) if (cq->queue.id >= gc->max_num_cqs) return -EINVAL; - /* Create CQ table entry */ - WARN_ON(gc->cq_table[cq->queue.id]); + /* Create CQ table entry, sharing a CQ between WQs is not supported */ + if (gc->cq_table[cq->queue.id]) + return -EINVAL; if (cq->queue.kmem) gdma_cq = cq->queue.kmem; else -- cgit 1.3-korg
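Review bot: Apart from the hunk offset (`@@ -142,8 +142,9 @@` versus `@@ -144,8 +144,9 @@`), this hunk is byte-for-byte the same as the 9ef65af26b2a backport, including the kmem/else context, so there is nothing new to review beyond what applies to that one.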
159f2efabc89 RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
2 files changed · +6 −6
drivers/infiniband/hw/mana/cq.c+3 −3 modifieddiff --git a/drivers/infiniband/hw/mana/cq.c b/drivers/infiniband/hw/mana/cq.c index f4cbe21763bf11..2d682428ef202a 100644 --- a/drivers/infiniband/hw/mana/cq.c +++ b/drivers/infiniband/hw/mana/cq.c @@ -137,8 +137,9 @@ int mana_ib_install_cq_cb(struct mana_ib_dev *mdev, struct mana_ib_cq *cq) if (cq->queue.id >= gc->max_num_cqs) return -EINVAL; - /* Create CQ table entry */ - WARN_ON(gc->cq_table[cq->queue.id]); + /* Create CQ table entry, sharing a CQ between WQs is not supported */ + if (gc->cq_table[cq->queue.id]) + return -EINVAL; if (cq->queue.kmem) gdma_cq = cq->queue.kmem; else -- cgit 1.3-korg
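Review bot: Same change again with only the offset differing (`@@ -137,8 +137,9 @@`); the `if (cq->queue.kmem)` context matches the other two backports, so the same confirmation about the caller unwinding earlier cq_table entries on -EINVAL covers this branch as well.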
Vulnerability mechanics
Root cause
"Missing input validation in mana_ib_install_cq_cb() allows a user to specify multiple WQs sharing the same CQ via uAPI, which triggers a WARN_ON() and then corrupts kernel memory."
Attack vector
An unprivileged user with access to the RDMA subsystem can call the mana_ib_create_qp_rss() uAPI and specify multiple work queues (WQs) that share the same completion queue (CQ) ID. When mana_ib_install_cq_cb() is called for the second WQ referencing that CQ, the pre-fix code only had a WARN_ON() assertion, which logs a warning but does not stop execution, so the function proceeds to overwrite the already-populated cq_table entry and corrupts kernel state [patch_id=2898558]. The attacker needs only local RDMA device access; no special privileges beyond that are required.
Affected code
The vulnerable function is mana_ib_install_cq_cb() in drivers/infiniband/hw/mana/cq.c. The defect was present in the original implementation of CQ interrupt support for RAW QP (commit c15d7802a424).
What the fix does
The patch replaces the WARN_ON(gc->cq_table[cq->queue.id]) assertion with an explicit if (gc->cq_table[cq->queue.id]) return -EINVAL; check in mana_ib_install_cq_cb() [patch_id=2898558]. This turns a non-fatal warning (which allowed corruption to continue) into a proper error return that rejects the QP creation outright. The comment is also updated to explain that sharing a CQ between WQs is not supported.
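To make the WARN_ON()-versus-error-return distinction concrete, the following is an added userspace model of the table-slot check (it is not the kernel's code and uses stand-in names such as `gdma_ctx`, `install_cq_cb_vulnerable` and `install_cq_cb_fixed` that are modelled on the patch, not taken from kernel headers). The vulnerable variant mirrors the pre-fix logic, where a warning is printed but the slot is overwritten anyway; the fixed variant mirrors the patch and rejects the duplicate with -EINVAL, leaving the first entry intact.

```c
/* Added example, not kernel code: a userspace model of the cq_table
 * slot check in mana_ib_install_cq_cb(), before and after the fix.
 * Names (gdma_ctx, MAX_NUM_CQS, warn_on) are stand-ins modelled on the
 * patch; the kernel's real structures are not used here. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_NUM_CQS 8 /* stand-in for gc->max_num_cqs */

/* Stand-in for the GDMA context's cq_table: one slot per CQ id. */
struct gdma_ctx {
    void *cq_table[MAX_NUM_CQS];
};

/* Userspace stand-in for WARN_ON(): reports the condition and returns
 * it, but does NOT abort the caller, exactly like the kernel macro. */
static int warn_on(int cond, const char *what)
{
    if (cond)
        fprintf(stderr, "WARNING: %s\n", what);
    return cond;
}

/* Pre-fix behaviour: the duplicate is reported, then installation goes
 * ahead and silently replaces (and loses) the earlier entry. */
int install_cq_cb_vulnerable(struct gdma_ctx *gc, unsigned int cq_id, void *cb)
{
    if (cq_id >= MAX_NUM_CQS)
        return -EINVAL;
    warn_on(gc->cq_table[cq_id] != NULL, "cq_table slot already in use");
    gc->cq_table[cq_id] = cb; /* overwrites whatever was installed before */
    return 0;
}

/* Post-fix behaviour (mirrors the patch): reject the request outright,
 * before anything is allocated or installed. */
int install_cq_cb_fixed(struct gdma_ctx *gc, unsigned int cq_id, void *cb)
{
    if (cq_id >= MAX_NUM_CQS)
        return -EINVAL;
    /* Sharing a CQ between WQs is not supported. */
    if (gc->cq_table[cq_id])
        return -EINVAL;
    gc->cq_table[cq_id] = cb;
    return 0;
}

/* Drive both variants with two WQs naming the same CQ id (constructed
 * input). Returns 1 if the vulnerable variant lost the first entry and
 * the fixed variant refused the second while keeping the first. */
int demo_shared_cq(void)
{
    struct gdma_ctx gc;
    int first = 1, second = 2; /* stand-ins for two WQs' callback objects */
    int ok = 1;

    memset(&gc, 0, sizeof(gc));
    install_cq_cb_vulnerable(&gc, 3, &first);
    install_cq_cb_vulnerable(&gc, 3, &second);
    ok &= (gc.cq_table[3] == &second); /* first WQ's entry is gone */

    memset(&gc, 0, sizeof(gc));
    ok &= (install_cq_cb_fixed(&gc, 3, &first) == 0);
    ok &= (install_cq_cb_fixed(&gc, 3, &second) == -EINVAL);
    ok &= (gc.cq_table[3] == &first); /* first WQ's entry survives */
    return ok;
}

int main(void)
{
    printf("fix behaves as expected: %s\n", demo_shared_cq() ? "yes" : "no");
    return demo_shared_cq() ? 0 : 1;
}
```

The point the model makes is the one the patch relies on: WARN_ON() is a diagnostic, not a guard, so any user-reachable invariant has to be enforced with a real error return placed before the state it protects is touched.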
Preconditions
- auth: Attacker must have access to the RDMA subsystem (e.g., /dev/infiniband/uverbs*) on a system with the mana_ib driver loaded.
- input: Attacker must be able to invoke the mana_ib_create_qp_rss() uAPI and specify multiple WQs sharing the same CQ ID.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.