CVE-2026-46176
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1.
This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown.
Fix by adding the same goto unlock in the s1 failure path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing goto in mlx5_ib_dev_res_srq_init() causes use-after-free and error pointer dereference in the RDMA mlx5 driver, leading to potential crashes or memory corruption.
Vulnerability
In the Linux kernel, the RDMA/mlx5 driver function mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch correctly destroys s0, but because the goto unlock is missing, execution falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. Subsequent operations then hit both a use-after-free and an ERR_PTR dereference [1]. The vulnerability affects kernel versions prior to the inclusion of commit 6fd93142dd1d09000c3750af08270f5792523fe9 [1].
Exploitation
An attacker needs no special privileges beyond the ability to trigger the RDMA/mlx5 device initialization path that calls mlx5_ib_dev_res_srq_init(). This is typically performed during driver probe or when creating certain resources. The error condition leading to ib_create_srq() failure for s1 can be induced by exhausting system resources or providing invalid parameters, making the attack feasible from a local user with access to RDMA devices [1]. No user interaction beyond the initial resource creation is required.
Impact
On successful exploitation, an attacker can trigger a use-after-free on the s0 SRQ and a dereference of the ERR_PTR stored in devr->s1. The lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialized, leading to potential crashes. Furthermore, code in mlx5_ib_create_qp() dereferences the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn, and cleanup functions double-free s0 and dereference the ERR_PTR, resulting in system instability, denial of service, or potential memory corruption [1]. The attacker does not gain code execution or data disclosure directly from this flaw, but can cause a system crash or hang.
Mitigation
The vulnerability is fixed in the Linux kernel by commit 6fd93142dd1d09000c3750af08270f5792523fe9 [1]. Users should update to a kernel version containing this fix. No workaround is available beyond avoiding the error condition, which is not practical. The fix adds a proper goto unlock in the s1 failure path to prevent the fall-through and invalid assignments.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
c488df06bd55 RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
2 files changed · +2 −2
drivers/infiniband/hw/mlx5/main.c+1 −1 modifieddiff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 109661c2ac12b0..8115ae869ef209 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -3392,6 +3392,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev) "Couldn't create SRQ 1 for res init, err=%pe\n", s1); ib_destroy_srq(s0); + goto unlock; } devr->s0 = s0; -- cgit 1.3-korg
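Review bot: the visible context of this hunk does not show `ret` being assigned from `PTR_ERR(s1)` before the new `goto unlock;`; the jump only helps if the function then returns a non-zero `ret`, so confirm that the `ret = PTR_ERR(s1);` assignment sits just above the `mlx5_ib_err()` call (outside the shown context), otherwise the caller would see success with `devr->s0` and `devr->s1` left unset. With that confirmed, the added line mirrors the existing `s0` failure path and correctly skips the `devr->s0 = s0;` assignment that follows the closing brace.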
a13c2ac4d480 RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
2 files changed · +2 −2
drivers/infiniband/hw/mlx5/main.c+1 −1 modifieddiff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 0adb98b8dacc87..5408ee2b33ec3c 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -2924,6 +2924,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev) ret = PTR_ERR(s1); mlx5_ib_err(dev, "Couldn't create SRQ 1 for res init, err=%d\n", ret); ib_destroy_srq(s0); + goto unlock; } devr->s0 = s0; -- cgit 1.3-korg
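Review bot: with `ret = PTR_ERR(s1);` visible in the context, the added `goto unlock;` after `ib_destroy_srq(s0);` returns that error instead of falling through to `devr->s0 = s0;`, which would otherwise store the just-destroyed SRQ in the device structure. The one thing to double-check in this older branch is that the `unlock` label both releases the lock and returns `ret`, as the mainline change assumes; the hunk does not show the label itself.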
bc2cf5935b46 RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
2 files changed · +2 −2
drivers/infiniband/hw/mlx5/main.c+1 −1 modifieddiff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 8b2e13f1a2159a..b0a0e11ef721f9 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -3127,6 +3127,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev) ret = PTR_ERR(s1); mlx5_ib_err(dev, "Couldn't create SRQ 1 for res init, err=%d\n", ret); ib_destroy_srq(s0); + goto unlock; } devr->s0 = s0; -- cgit 1.3-korg
b087913ae882 RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
2 files changed · +2 −2
drivers/infiniband/hw/mlx5/main.c+1 −1 modifieddiff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 5899bd5cb16230..984c258ab0a89e 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -3181,6 +3181,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev) "Couldn't create SRQ 1 for res init, err=%pe\n", s1); ib_destroy_srq(s0); + goto unlock; } devr->s0 = s0; -- cgit 1.3-korg
6fd93142dd1d RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
2 files changed · +2 −2
drivers/infiniband/hw/mlx5/main.c+1 −1 modifieddiff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 635002e684a55f..356a7c7856e7b9 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -3380,6 +3380,7 @@ int mlx5_ib_dev_res_srq_init(struct mlx5_ib_dev *dev) "Couldn't create SRQ 1 for res init, err=%pe\n", s1); ib_destroy_srq(s0); + goto unlock; } devr->s0 = s0; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing `goto unlock` after `ib_destroy_srq(s0)` in the `s1` failure branch causes fall-through to unconditional assignments of freed/ERR_PTR pointers."
Attack vector
An attacker triggers the bug by causing `ib_create_srq()` to fail for the second SRQ (`s1`) during `mlx5_ib_dev_res_srq_init()`. This can happen, for example, by exhausting kernel memory or hitting a resource limit on the RDMA device. After the failure, the freed `s0` pointer and the `ERR_PTR` value of `s1` are stored into `devr->s0` and `devr->s1`. The lock-free fast path checks `if (devr->s1) return 0;` and treats the `ERR_PTR` as already initialized, while callers like `mlx5_ib_create_qp()` dereference the freed SRQ or `ERR_PTR` via `to_msrq(devr->s0)->msrq.srqn`, and `mlx5_ib_dev_res_cleanup()` dereferences the `ERR_PTR` and double-frees `s0` on teardown [patch_id=2898035].
Affected code
The bug is in `mlx5_ib_dev_res_srq_init()` in `drivers/infiniband/hw/mlx5/main.c` [patch_id=2898035]. The function allocates two SRQs (`s0` and `s1`) and, when `ib_create_srq()` fails for `s1`, the error branch destroys `s0` but then falls through to the unconditional assignments `devr->s0 = s0` and `devr->s1 = s1` that follow the `if` block.
What the fix does
The patch adds a single line — `goto unlock;` — after `ib_destroy_srq(s0)` inside the `if (IS_ERR(s1))` error branch [patch_id=2898035]. This causes the function to jump to the `unlock` label and return the error code, skipping the unconditional assignments `devr->s0 = s0` and `devr->s1 = s1` that would otherwise store the already-destroyed `s0` and the `ERR_PTR` `s1` into the device structure. The same pattern was already used in the analogous error path for `s0`; the fix applies it to the `s1` failure path as well.
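A user-space model of the error path described above, added here as an example; it is not kernel code. `srq_create()` stands in for `ib_create_srq()`, the `ERR_PTR`/`IS_ERR`/`PTR_ERR` macros mimic the kernel helpers, and the `fixed` flag toggles the one-line `goto unlock` from the patch so the stale-pointer and fast-path effects can be observed side by side.

```c
/* Added example (not kernel code): model of mlx5_ib_dev_res_srq_init().
 * srq_create() stands in for ib_create_srq(); the ERR_PTR helpers mimic
 * the kernel's. 'fixed' toggles the patch's "goto unlock". */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_ERRNO 4095
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)
#define PTR_ERR(p) ((int)(intptr_t)(p))

struct srq { int id; };
struct devr { struct srq *s0, *s1; };

/* Succeeds except on the call numbered fail_on (1-based); 0 never fails. */
static struct srq *srq_create(int *calls, int fail_on)
{
    if (++*calls == fail_on)
        return ERR_PTR(-ENOMEM);
    struct srq *s = malloc(sizeof *s);
    s->id = *calls;
    return s;
}

static int res_srq_init(struct devr *devr, bool fixed, int fail_on)
{
    struct srq *s0, *s1;
    int calls = 0, ret = 0;

    if (devr->s1)          /* lock-free fast path: non-NULL means "done" */
        return 0;
    /* mutex_lock() would sit here; the unlock label releases it. */
    s0 = srq_create(&calls, fail_on);
    if (IS_ERR(s0)) {
        ret = PTR_ERR(s0);
        goto unlock;       /* the s0 path was already correct */
    }
    s1 = srq_create(&calls, fail_on);
    if (IS_ERR(s1)) {
        ret = PTR_ERR(s1);
        free(s0);          /* ib_destroy_srq(s0) */
        if (fixed)
            goto unlock;   /* the patch: skip the assignments below */
    }
    devr->s0 = s0;         /* unfixed: stores the just-freed s0 ... */
    devr->s1 = s1;         /* ... and the ERR_PTR, which the fast path */
unlock:                    /* later mistakes for "initialised" */
    return ret;
}
```

Without the fix, a second call returns 0 straight from the fast path because the stored ERR_PTR is non-NULL; with it, `devr` stays empty and the retry actually retries.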
Preconditions
- input: The attacker must be able to cause ib_create_srq() to fail for the second SRQ (s1) during mlx5_ib_dev_res_srq_init(). This typically requires local access to the RDMA device and the ability to exhaust kernel memory or RDMA resources.
- auth: The attacker must have the capability to trigger the initialization path that calls mlx5_ib_dev_res_srq_init().
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/6fd93142dd1d09000c3750af08270f5792523fe9 (nvd)
- git.kernel.org/stable/c/a13c2ac4d480b734342c6fbf8249fc48afd675f3 (nvd)
- git.kernel.org/stable/c/b087913ae88256df66620f7ba0a9776716aeef7e (nvd)
- git.kernel.org/stable/c/bc2cf5935b4665172235341163315905197ae91d (nvd)
- git.kernel.org/stable/c/c488df06bd552bb8b6e14fa0cfd5ad986c6e9525 (nvd)