Re: [PATCH v2] RDMA/rxe: Fix double free in rxe_srq_from_init

Next message: Takashi Iwai: "Re: [PATCH] ALSA: hda/cirrus_scodec_test: Fix test suite name"
Previous message: Mathieu Desnoyers: "Re: [PATCH v13 2/3] mm: Fix OOM killer inaccuracy on large many-core systems"
In reply to: Zhu Yanjun: "Re: [PATCH v2] RDMA/rxe: Fix double free in rxe_srq_from_init"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Romanovsky

Date: Tue Jan 13 2026 - 08:52:56 EST

On Mon, 12 Jan 2026 01:54:12 +0000, Jiasheng Jiang wrote:
> In rxe_srq_from_init(), the queue pointer 'q' is assigned to
> 'srq->rq.queue' before copying the SRQ number to user space.
> If copy_to_user() fails, the function calls rxe_queue_cleanup()
> to free the queue, but leaves the now-invalid pointer in
> 'srq->rq.queue'.
>
> The caller of rxe_srq_from_init() (rxe_create_srq) eventually
> calls rxe_srq_cleanup() upon receiving the error, which triggers
> a second rxe_queue_cleanup() on the same memory, leading to a
> double free.
>
> [...]

Applied, thanks!

[1/1] RDMA/rxe: Fix double free in rxe_srq_from_init
https://git.kernel.org/rdma/rdma/c/c5ea4126b4fa1f

Best regards,
--
Leon Romanovsky <leon@xxxxxxxxxx>