Message-Id: <176831237357.425757.8303337207622192436.b4-ty@kernel.org>
Date: Tue, 13 Jan 2026 08:52:53 -0500
From: Leon Romanovsky <leon@...nel.org>
To: Zhu Yanjun <zyjzyj2000@...il.com>, Jason Gunthorpe <jgg@...pe.ca>, 
 linux-rdma@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Jiasheng Jiang <jiashengjiangcool@...il.com>
Subject: Re: [PATCH v2] RDMA/rxe: Fix double free in rxe_srq_from_init


On Mon, 12 Jan 2026 01:54:12 +0000, Jiasheng Jiang wrote:
> In rxe_srq_from_init(), the queue pointer 'q' is assigned to
> 'srq->rq.queue' before copying the SRQ number to user space.
> If copy_to_user() fails, the function calls rxe_queue_cleanup()
> to free the queue, but leaves the now-invalid pointer in
> 'srq->rq.queue'.
> 
> The caller of rxe_srq_from_init() (rxe_create_srq) eventually
> calls rxe_srq_cleanup() upon receiving the error, which triggers
> a second rxe_queue_cleanup() on the same memory, leading to a
> double free.
> 
> [...]

Applied, thanks!

[1/1] RDMA/rxe: Fix double free in rxe_srq_from_init
      https://git.kernel.org/rdma/rdma/c/c5ea4126b4fa1f

Best regards,
-- 
Leon Romanovsky <leon@...nel.org>
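
The failure pattern described in the quoted commit message, as an added userspace model that is not part of the original thread and is not the kernel's rxe code. All names are hypothetical stand-ins, and clearing the pointer on the error path is an assumed mitigation, not necessarily what the applied patch does.

```c
#include <stddef.h>

/* Constructed userspace model; every name is a hypothetical stand-in,
 * not the kernel's rxe code. Cleanup is counted rather than freed so a
 * second cleanup is observable without undefined behaviour. */
struct queue { int cleanups; };
struct srq   { struct queue *queue; };
static struct queue slot;                /* stands in for the allocation */

static struct queue *queue_init(void) { slot.cleanups = 0; return &slot; }
static void queue_cleanup(struct queue *q) { q->cleanups++; }

/* Caller's teardown on error: cleans whatever the SRQ still points at. */
static void srq_cleanup(struct srq *s)
{
    if (s->queue)
        queue_cleanup(s->queue);
    s->queue = NULL;
}

/* Init that publishes the pointer before the fallible copy step.
 * clear_on_error = 0 is the buggy shape; 1 is the hardened shape
 * (an assumed fix, not necessarily the applied patch). */
static int srq_init(struct srq *s, int copy_fails, int clear_on_error)
{
    struct queue *q = queue_init();

    s->queue = q;
    if (copy_fails) {                    /* models copy_to_user() failing */
        queue_cleanup(q);
        if (clear_on_error)
            s->queue = NULL;             /* drop the stale pointer */
        return -1;
    }
    return 0;
}

/* Models the create path; returns how often the queue was cleaned up. */
static int create_and_count(int copy_fails, int clear_on_error)
{
    struct srq s = { NULL };

    if (srq_init(&s, copy_fails, clear_on_error) != 0)
        srq_cleanup(&s);
    return slot.cleanups;
}

int main(void) { return create_and_count(1, 1) == 1 ? 0 : 1; }
```

A cleanup count of 2 on the failing path is the model's equivalent of the double free; in real code the same invariant can be checked by running the error path under a memory-error detector such as KASAN.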

