Bug 2482594 (CVE-2026-46176) - CVE-2026-46176 kernel: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
Summary: CVE-2026-46176 kernel: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_...
Keywords:
Status: NEW
Alias: CVE-2026-46176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-28 11:04 UTC by OSIDB Bzimport
Modified: 2026-05-28 14:51 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-28 11:04:56 UTC 
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When
ib_create_srq() fails for s1, the error branch destroys s0 but falls
through and unconditionally assigns the freed s0 and the ERR_PTR s1 to
devr->s0 and devr->s1.

This leads to several problems: the lock-free fast path checks
"if (devr->s1) return 0;" and treats the ERR_PTR as already initialised;
users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via
to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences
the ERR_PTR and double-frees s0 on teardown.

Fix by adding the same `goto unlock` in the s1 failure path.
Comment 1 Keith Grant 2026-05-28 14:48:07 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052828-CVE-2026-46176-a4db@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.