CVE-2026-46265
Description
Linux kernel RDMA/hns subsystem has a workqueue memory reclaim warning that can be triggered during sunrpc resets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel RDMA/hns subsystem has a workqueue memory reclaim warning that can be triggered during sunrpc resets.
Vulnerability
The Linux kernel's RDMA/hns subsystem has a workqueue memory reclaim warning that can be triggered when the sunrpc module is used and a reset occurs. This warning, specifically WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma] is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle [hns_roce_hw_v2], indicates that a workqueue responsible for freeing memory during QP destruction was not properly marked with WQ_MEM_RECLAIM. This issue affects versions of the Linux kernel prior to the fix. [1]
Exploitation
An attacker would need to trigger a reset event within the sunrpc subsystem while it is using the RDMA/hns driver. This would cause the xprt_rdma_connect_worker to flush a workqueue that is not marked for memory reclaim, leading to the observed warning. The exact conditions and sequence to reliably trigger such a reset are not detailed in the available references. [1]
Impact
The primary impact described is a WQ_MEM_RECLAIM warning within the kernel, indicating a potential issue with memory management during the destruction of Queue Pairs (QPs). While the warning itself does not directly grant an attacker privileges, it points to a flaw in how memory is handled during critical operations, which could potentially lead to instability or be a precursor to more severe memory-related vulnerabilities if exploited under specific conditions. [1]
Mitigation
A fix for this vulnerability has been committed to the Linux kernel. The specific fixed version is not detailed in the provided references, but the commit hash c0a26bbd3f99b7b03f072e3409aff4e6ec8af6f6 addresses this issue. Users are advised to update their Linux kernel to a version containing this fix. [1]
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
12c0a26bbd3f99RDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 2d6ae89e525b8..f95442798ddb3 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6956,7 +6956,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
12761bd0ae16RDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 5fdab366fb32d..c9aa4c8e05371 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6743,7 +6743,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
70a5eb757aceRDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index f1d4494c7d008..2d4b751fc709d 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6604,7 +6604,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
562c96b1393dRDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index f9356cb89497b..82895859c90db 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6899,7 +6899,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
0cbec8b49270RDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 63052c0e76133..cb0bbc4167b0d 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6878,7 +6878,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
c5ef9a1bcf5bRDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 2d6ae89e525b8..f95442798ddb3 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6956,7 +6956,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
0cbec8b49270RDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 63052c0e76133..cb0bbc4167b0d 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6878,7 +6878,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
12761bd0ae16RDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 5fdab366fb32d..c9aa4c8e05371 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6743,7 +6743,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
562c96b1393dRDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index f9356cb89497b..82895859c90db 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6899,7 +6899,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
70a5eb757aceRDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index f1d4494c7d008..2d4b751fc709d 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6604,7 +6604,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
c0a26bbd3f99RDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 2d6ae89e525b8..f95442798ddb3 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6956,7 +6956,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
c5ef9a1bcf5bRDMA/hns: Fix WQ_MEM_RECLAIM warning
1 file changed · +2 −2
drivers/infiniband/hw/hns/hns_roce_hw_v2.c+2 −2 modifieddiff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c index 2d6ae89e525b8..f95442798ddb3 100644 --- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c @@ -6956,7 +6956,8 @@ static int hns_roce_v2_init_eq_table(struct hns_roce_dev *hr_dev) INIT_WORK(&hr_dev->ecc_work, fmea_ram_ecc_work); - hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", 0); + hr_dev->irq_workq = alloc_ordered_workqueue("hns_roce_irq_workq", + WQ_MEM_RECLAIM); if (!hr_dev->irq_workq) { dev_err(dev, "failed to create irq workqueue.\n"); ret = -ENOMEM; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The hns_roce_irq_workq was not initialized with the WQ_MEM_RECLAIM flag, causing a warning when QP destruction freed memory."
Attack vector
When the sunrpc module is used and a reset is triggered, the system may encounter a workqueue warning. This warning occurs because the `hns_roce_irq_workq` is flushing while not marked with `WQ_MEM_RECLAIM`, despite its associated work involving memory freeing during QP destruction. The trace indicates a dependency check failure within the workqueue system during this process.
Affected code
The vulnerability resides in the `hns_roce_v2_init_eq_table` function within `drivers/infiniband/hw/hns/hns_roce_hw_v2.c`. Specifically, the `alloc_ordered_workqueue` call for `hr_dev->irq_workq` was missing the `WQ_MEM_RECLAIM` flag.
What the fix does
The patch modifies the `hns_roce_v2_init_eq_table` function to initialize the `hns_roce_irq_workq` with the `WQ_MEM_RECLAIM` flag. This ensures that the workqueue is properly marked for memory reclamation during operations like Queue Pair (QP) destruction, which frees memory. By adding this flag, the system can correctly handle memory management during these operations, preventing the observed warning and potential instability.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- git.kernel.org/stable/c/0cbec8b49270f3f0600b8e3ef5e8f0d233dcea27nvd
- git.kernel.org/stable/c/12761bd0ae16a80f237c2a65ab1b1064076cc74anvd
- git.kernel.org/stable/c/562c96b1393da2df3ea62173c84117b39da353b9nvd
- git.kernel.org/stable/c/70a5eb757ace5bd627a36f04d871eaf85def424dnvd
- git.kernel.org/stable/c/c0a26bbd3f99b7b03f072e3409aff4e6ec8af6f6nvd
- git.kernel.org/stable/c/c5ef9a1bcf5b597695d9c2e6ac452e9f89521862nvd
News mentions
2- Google Android and Linux Kernel: 50 Vulnerabilities Disclosed in Two BatchesVypr Intelligence · Jun 3, 2026
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 3, 2026Vypr Intelligence · Jun 3, 2026