CVE-2026-46144
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up.
Affected products
1Patches
10190e570cc0fcRDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 3f5d088ebe407a..d17073c0bfeabd 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -237,13 +237,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
726af85ea4afRDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 84b8666af606c1..e6375064f14d7a 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -236,13 +236,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
ab64c63b460bRDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 960878b53da851..d688395b44982c 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -236,13 +236,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
30e8a2f33815RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index c8a7129bbad558..8af29061febe20 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -235,13 +235,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
6aaa978c6b62RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 8e1f052d0ec976..0fbcf449c134b5 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -217,13 +217,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
190e570cc0fcRDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 3f5d088ebe407a..d17073c0bfeabd 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -237,13 +237,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
ab64c63b460bRDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 960878b53da851..d688395b44982c 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -236,13 +236,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
726af85ea4afRDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 84b8666af606c1..e6375064f14d7a 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -236,13 +236,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
30e8a2f33815RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index c8a7129bbad558..8af29061febe20 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -235,13 +235,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
6aaa978c6b62RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
1 file changed · +3 −2
drivers/infiniband/hw/mana/qp.c+3 −2 modifieddiff --git a/drivers/infiniband/hw/mana/qp.c b/drivers/infiniband/hw/mana/qp.c index 8e1f052d0ec976..0fbcf449c134b5 100644 --- a/drivers/infiniband/hw/mana/qp.c +++ b/drivers/infiniband/hw/mana/qp.c @@ -217,13 +217,15 @@ static int mana_ib_create_qp_rss(struct ib_qp *ibqp, struct ib_pd *pd, ibdev_dbg(&mdev->ib_dev, "Failed to copy to udata create rss-qp, %d\n", ret); - goto fail; + goto err_disable_vport_rx; } kfree(mana_ind_table); return 0; +err_disable_vport_rx: + mana_disable_vport_rx(mpc); fail: while (i-- > 0) { ibwq = ind_tbl->ind_tbl[i]; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing resource cleanup in the error-unwind path of mana_ib_create_qp_rss() leaks the vport steering configuration."
Attack vector
An attacker who can trigger an RSS QP creation on a MANA RDMA device and cause the `ib_copy_to_udata()` call to fail (e.g., by providing a small or invalid user-space buffer) will leave the vport steering resource leaked. The leak occurs because the error path jumps to `fail` without first calling `mana_disable_vport_rx(mpc)`. No special network access is required; the attacker only needs local access to the RDMA device and the ability to invoke `create_qp_rss` with crafted user-space data.
Affected code
The vulnerability is in the `mana_ib_create_qp_rss()` function in `drivers/infiniband/hw/mana/qp.c` [patch_id=2898314]. The error-unwind path after a failed `ib_copy_to_udata()` call jumps directly to the `fail` label, which tears down the QP work-queues but does not call `mana_disable_vport_rx()` to release the vport steering configuration that was previously set up by `mana_ib_cfg_vport_steering()`.
What the fix does
The patch adds a new error label `err_disable_vport_rx` before the existing `fail` label. When `ib_copy_to_udata()` fails, the code now jumps to `err_disable_vport_rx`, which calls `mana_disable_vport_rx(mpc)` to release the vport steering configuration that was set up earlier. After that it falls through to the `fail` label which continues to clean up the QP work-queues. This ensures the steering resource is always freed on error, matching the behavior of the normal destroy path [patch_id=2898314].
Preconditions
- authAttacker must have local access to a system with the MANA RDMA driver loaded and be able to create RSS QPs.
- inputAttacker must be able to cause ib_copy_to_udata() to fail, e.g. by providing a small or invalid user-space buffer.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/190e570cc0fc7f57eacf80d2b854ba54b4dfad6bnvd
- git.kernel.org/stable/c/30e8a2f33815d8f51b8f8b829c07af16c671cc27nvd
- git.kernel.org/stable/c/6aaa978c6b6218cfac15fe1dab17c76fe229ce3fnvd
- git.kernel.org/stable/c/726af85ea4af750b2f75095e24e3cd99797344cbnvd
- git.kernel.org/stable/c/ab64c63b460bbd0521480bf90d5695783f5e66bcnvd
News mentions
0No linked articles in our index yet.