Description
In the Linux kernel, the following vulnerability has been resolved:

RDMA/mana_ib: Disable RX steering on RSS QP destroy

When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss()
destroys the RX WQ objects but does not disable vPort RX steering in
firmware. This leaves stale steering configuration that still points to
the destroyed RX objects.

If traffic continues to arrive (e.g. peer VM is still transmitting) and
the VF interface is subsequently brought up (mana_open), the firmware
may deliver completions using stale CQ IDs from the old RX objects.
These CQ IDs can be reused by the ethernet driver for new TX CQs,
causing RX completions to land on TX CQs:

WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false)
WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails)

Fix this by disabling vPort RX steering before destroying RX WQ objects.
Note that mana_fence_rqs() cannot be used here because the fence
completion is delivered on the CQ, which is polled by user-mode (e.g.
DPDK) and not visible to the kernel driver.

Refactor the disable logic into a shared mana_disable_vport_rx() in
mana_en, exported for use by mana_ib, replacing the duplicate code.
The ethernet driver's mana_dealloc_queues() is also updated to call
this common function.
Published: 2026-05-27
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s RDMA mana_ib driver creates a stale receive‑queue steering configuration when an RSS QP is destroyed. Firmware may then deliver completions that reference removed CQ identifiers. These identifiers can be reused by the Ethernet driver for new transmit queues, causing receive completions to be directed to transmit queues and producing kernel warnings. The mismatch can corrupt internal state and lead to system instability.

Affected Systems

Linux kernel builds that include the RDMA mana_ib driver and have not yet incorporated the fix are affected. The vulnerability applies to any Linux kernel version containing the unpatched mana_ib implementation and its associated firmware driver.

Risk and Exploitability

This vulnerability has a CVSS score of 7.0, indicating high severity. EPSS score is not available, and it is not listed in the CISA KEV catalog. Exploitation requires triggering the destruction of an RSS QP while traffic is still flowing or after a VF interface is reopened. This scenario is local to the affected system and does not rely on remote access. The flaw can destabilize kernel operation by causing receive completions to land on transmit queues, but without a known remote exploitation vector its broader risk is limited; mitigations should still be applied promptly.

Generated by OpenCVE AI on May 28, 2026 at 03:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the mana_ib RSS QP destroy fix
  • Reboot the system or reinitialize the RDMA device to clear any stale steering configuration
  • Ensure RDMA traffic is stopped and the virtual function interface is disabled before destroying RSS QPs or exiting DPDK applications

Generated by OpenCVE AI on May 28, 2026 at 03:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: RDMA/mana_ib: Disable RX steering on RSS QP destroy When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects. If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs: WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false) WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails) Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver. Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function.
Title RDMA/mana_ib: Disable RX steering on RSS QP destroy
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:53:09.762Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46084

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:29.833

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46084

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46084 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T05:00:08Z

Weaknesses