Race condition with mlx5_ib_invalidate_range() during create and destroy

Solution Verified - Updated -


  • IB Infiniband RDMA mlx5_ib is freeing a kmalloc-512 cache that it does not own causing memory corruption
  • There is a possible use-after-free in dereg_mr() function that can lead to memory corruption by wrongly releasing an MR that was already released.


  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In