rds MR Double-Free
CVE-2026-46053
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.1 (MEDIUM)
01 Description

In the Linux kernel, the following vulnerability has been resolved:

net: rds: fix MR cleanup on copy error

__rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path.
02 KernelScan AI Analysis
Risk summary
Local users with low privileges can trigger a double-free condition in the RDS RDMA subsystem. The duplicate cleanup of memory region resources corrupts kernel heap metadata and typically results in a kernel panic, leading to denial of service.
Vulnerability analysis
The vulnerability occurs in __rds_rdma_map() where memory region (MR) cleanup is performed twice on the same resources. After get_mr() succeeds, ownership of sg/pages is transferred to the transport layer. However, if put_user() fails when copying the generated cookie back to userspace, the error path incorrectly calls unpin_user_pages() and kfree() on resources already owned by the transport. This creates a double-free and use-after-free condition when the MR reference is later dropped through the normal cleanup path, corrupting heap metadata and causing system instability. The fix removes the duplicate cleanup from the put_user() failure branch so that teardown is handled only through the existing final cleanup path.
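The ownership hand-off described above, modelled in user-space C as an added example (this is not kernel code): page teardown is counted instead of performed, so the pre-fix error path shows up as two teardowns of the same buffer while the fixed path shows one. All names here (model_get_mr, model_put_mr, model_rdma_map, teardown_count) are constructed stand-ins for the kernel functions the advisory names.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Pinned pages/sg buffer whose teardown is counted rather than really freed,
 * so a duplicate teardown shows up as free_count == 2 instead of heap corruption. */
struct mr_pages { int free_count; };
/* Memory region: once created it owns the pages until its last reference drops. */
struct mr { struct mr_pages *pages; int refcount; };

static void pages_teardown(struct mr_pages *p) { p->free_count++; }

/* Stand-in for get_mr(): on success, ownership of the pages moves to the MR. */
static struct mr *model_get_mr(struct mr_pages *p) {
    struct mr *m = calloc(1, sizeof(*m));
    if (!m) return NULL;
    m->pages = p;
    m->refcount = 1;
    return m;
}

/* Final cleanup path: the last reference drop is the only place pages go away. */
static void model_put_mr(struct mr *m) {
    if (--m->refcount == 0) { pages_teardown(m->pages); free(m); }
}

/* Model of the map routine. copy_fails stands for put_user() failing after
 * get_mr() succeeded; pre_fix selects the error path the advisory describes. */
static int model_rdma_map(struct mr_pages *p, bool copy_fails, bool pre_fix,
                          struct mr **out) {
    struct mr *m = model_get_mr(p);
    if (!m) { pages_teardown(p); return -1; } /* not handed off yet: free once here */
    if (copy_fails) {
        if (pre_fix)
            pages_teardown(p); /* BUG: the MR already owns p; this is the duplicate free */
        model_put_mr(m);       /* fixed code: this reference drop is the only teardown */
        return -2;
    }
    *out = m;                  /* success: MR stays registered for the caller */
    return 0;
}

/* Runs one scenario and reports how many times the pages were torn down. */
int teardown_count(bool copy_fails, bool pre_fix) {
    struct mr_pages p = { 0 };
    struct mr *m = NULL;
    if (model_rdma_map(&p, copy_fails, pre_fix, &m) == 0)
        model_put_mr(m);       /* the user's eventual release of the MR */
    return p.free_count;
}
```

A count of 2 is what a real kernel would turn into unpin_user_pages()/kfree() on memory the transport still owns, which is the heap corruption the risk summary describes.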
03 Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 91a44b406bc1 |
| 5.15 | 5.15.209 | 106dc6892066 |
| 6.1 | 6.1.175 | ec55a86f7fba |
| 6.6 | 6.6.140 | 8fdbb6262a4a |
| 6.12 | 6.12.86 | d95cea9298be |
| 6.18 | 6.18.27 | 033370ffb3c9 |
| 7.0 | 7.0.4 | b3cb8cae530b |
| mainline | 7.1-rc1 | 8141a2dc7008 |