KernelScan.io

HIGH

rdma/mlx4 SRQ Race

CVE-2026-46181

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI score: 3.9 (LOW)

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized.


Engine v0.2.0

Risk summary

Systems with Mellanox ConnectX InfiniBand adapters are vulnerable to a kernel crash through a race condition in SRQ event handling. The vulnerability requires local access with elevated privileges (root or equivalent RDMA device access) and causes a denial of service (kernel panic) when an asynchronous hardware event is delivered while the SRQ object is still being initialized.

Affected: drivers/net/ethernet/mellanox/mlx4/srq.c (RDMA MLX4 driver)

Vulnerability analysis

The vulnerability stems from incorrect RCU usage in mlx4_srq_event(). The radix_tree lookup was performed under rcu_read_lock(), but the mlx4_srq object was never freed with RCU semantics, and the pointer was used outside the RCU critical section. This left a synchronization gap where an asynchronous event could look up and reference an SRQ that was either partially initialized (before refcount_set() completed) or being concurrently freed. The fix replaces RCU with a spinlock to atomically perform the lookup and reference acquisition, uses refcount_inc_not_zero() to safely ignore objects that have not finished initialization, and reorders initialization so that the refcount is published only after the object is fully constructed.

Branch     Fixed in   Patch commit
6.18       6.18.3     01e2a44875b6a
7.0        7.0.7      8b7833f3bce3
mainline   7.1-rc3    c9341307ea16