KernelScan.io

HIGH

rdma QueuePair Race

CVE-2026-46112

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 6.3 MEDIUM


In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks. The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory. Grab the same locks the other two callers use.


Engine v0.2.0

Risk summary

A race condition in the HiSilicon HNS RDMA driver allows local users with RDMA permissions to corrupt kernel memory during queue pair creation failures. This can lead to system crashes or potential privilege escalation on systems with HNS RDMA hardware.

Affected: drivers/infiniband/hw/hns/hns_roce_qp.c (RDMA HNS driver)

Vulnerability analysis

The vulnerability occurs in the error path of hns_roce_create_qp_common() where hns_roce_qp_remove() is called without proper locking. This function modifies shared data structures including queue pair lists and completion queues that require synchronization via hr_dev->qp_list_lock and CQ locks. The race window exists between queue pair allocation and cleanup, allowing concurrent operations to corrupt memory. The fix adds the same locking pattern used by other callers of hns_roce_qp_remove(), ensuring atomic access to shared structures during error cleanup.


Branch     Fixed in    Patch commit
5.15       5.15.209    1f0a3aa8b569
6.1        6.1.175     b6296ff2475f
6.12       6.12.88     fcf6a832c0d5
6.18       6.18.30     1912f7879850
6.6        6.6.140     fb4ae739811d
7.0        7.0.7       615d9d260c32
mainline   7.1-rc3     0c99acbc8b6c