PT-2026-43719 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-45852

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix double free in rxe_srq_from_init

In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'.

The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free.

The call trace looks like this:

    kmem_cache_free+0x.../0x...
    rxe_queue_cleanup+0x1a/0x30 [rdma_rxe]
    rxe_srq_cleanup+0x42/0x60 [rdma_rxe]
    rxe_elem_release+0x31/0x70 [rdma_rxe]
    rxe_create_srq+0x12b/0x1a0 [rdma_rxe]
    ib_create_srq_user+0x9a/0x150 [ib_core]

Fix this by moving 'srq->rq.queue = q' after copy_to_user.
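
The ordering problem described above, reduced to a user-space C model (an added example, not code from the kernel or the rxe driver). All names are hypothetical stand-ins, and a counter takes the place of the real free so that the second release can be observed safely.

```c
#include <stdio.h>
/* User-space model; every name is a hypothetical stand-in, not rxe code. */
struct queue { int depth; };
struct srq { struct queue *queue; };
static struct queue slot;   /* the single "allocation" in this model */
static int releases;        /* times that allocation has been released */

static struct queue *queue_alloc(void) { return &slot; }
static void queue_cleanup(struct queue *q) { (void)q; releases++; }
/* Stand-in for copy_to_user(): nonzero means the copy failed. */
static int copy_out(int fail) { return fail; }

/* Ordering the advisory describes: publish, then do the fallible copy. */
static int init_publish_first(struct srq *srq, int fail)
{
    struct queue *q = queue_alloc();
    srq->queue = q;
    if (copy_out(fail)) {
        queue_cleanup(q);   /* srq->queue still holds the stale pointer */
        return -1;
    }
    return 0;
}

/* Ordering after the fix: publish only once the copy has succeeded. */
static int init_publish_last(struct srq *srq, int fail)
{
    struct queue *q = queue_alloc();
    if (copy_out(fail)) {
        queue_cleanup(q);
        return -1;
    }
    srq->queue = q;
    return 0;
}

/* Caller's error path: teardown releases whatever pointer is published. */
static int releases_after_create(int (*init)(struct srq *, int), int fail)
{
    struct srq srq = { NULL };
    releases = 0;
    if (init(&srq, fail) != 0 && srq.queue)
        queue_cleanup(srq.queue);
    return releases;
}

int main(void)
{
    printf("publish first: %d release(s)\n", releases_after_create(init_publish_first, 1));
    printf("publish last:  %d release(s)\n", releases_after_create(init_publish_last, 1));
}
```

A release count of 2 for one allocation is the double free; the reordered version releases it exactly once on the failure path and not at all on success.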

Fix

Related Identifiers

CVE-2026-45852

Affected Products

Linux