CVE-2026-46265 Overview
CVE-2026-46265 is a Linux kernel vulnerability in the HiSilicon Network Subsystem (HNS) RoCE InfiniBand driver. The flaw involves a workqueue flush dependency violation in the hns_roce_irq_workq workqueue used by the hns_roce_hw_v2 module. When sunrpc triggers a reset, a memory-reclaim workqueue (WQ_MEM_RECLAIM xprtiod) flushes a non-WQ_MEM_RECLAIM workqueue, producing a kernel warning at kernel/workqueue.c:2644 in check_flush_dependency. The condition arises in the RDMA destruction path through hns_roce_v2_destroy_qp and rpcrdma_xprt_disconnect. The Linux kernel maintainers have resolved the issue.
Critical Impact
The defect produces a kernel warning during RDMA queue pair destruction under sunrpc reset conditions, indicating a workqueue flush dependency violation that can affect memory reclaim guarantees on systems using HiSilicon RoCE hardware with NFS-over-RDMA.
Affected Products
- Linux kernel hns_roce_hw_v2 driver (RDMA/hns) prior to the fix commits
- Systems using HiSilicon RoCE InfiniBand hardware with sunrpc/NFS-over-RDMA
- Kernel branches referenced by the six stable backport commits published by kernel.org
Discovery Timeline
- 2026-06-03 - CVE-2026-46265 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46265
Vulnerability Analysis
The vulnerability resides in the RDMA/hns driver workqueue (hns_roce_irq_workq) within the hns_roce_hw_v2 module. When the sunrpc layer initiates a reset, the xprt_rdma_connect_worker running on the xprtiod memory-reclaim workqueue calls into rpcrdma_xprt_disconnect, which eventually invokes hns_roce_v2_destroy_qp. That destroy path calls flush_work against a worker queued on hns_roce_irq_workq, which was not created with the WQ_MEM_RECLAIM flag.
The Linux workqueue framework enforces that any workqueue flushed from a memory-reclaim context must itself carry the WQ_MEM_RECLAIM flag. Flushing a non-reclaim workqueue from a reclaim worker can deadlock the system under memory pressure because the flushed work may require memory allocations that block on reclaim progress. The kernel detects this in check_flush_dependency and emits the warning shown in the trace.
Root Cause
The hns_roce_irq_workq workqueue is allocated without the WQ_MEM_RECLAIM flag. Because queue pair (QP) destruction frees memory and may be invoked from a memory-reclaim path (such as xprtiod during an RPC reconnect), this workqueue must declare reclaim safety. The upstream fix adds WQ_MEM_RECLAIM to the workqueue allocation so that a rescuer thread is guaranteed.
Attack Vector
This is a kernel correctness and stability defect rather than a remote attack primitive. Triggering the warning requires HiSilicon RoCE hardware, an active NFS-over-RDMA mount using rpcrdma, and a transport reset event. The condition can lead to forward-progress hazards (warning, potential deadlock) under memory pressure but is not described as a remote code execution or privilege escalation issue. No public exploit is associated with this CVE.
The vulnerability mechanism is documented in the kernel commit messages. See the kernel stable commit for the source-level change adding WQ_MEM_RECLAIM to the affected workqueue.
Detection Methods for CVE-2026-46265
Indicators of Compromise
- Kernel log entries containing WARNING: CPU: ... at kernel/workqueue.c with check_flush_dependency in the stack trace.
- Stack traces referencing hns_roce_v2_destroy_qp, flush_work_handle, and xprt_rdma_connect_worker [rpcrdma].
- Workqueue message WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma] is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle.
Detection Strategies
- Audit running kernel versions on hosts with HiSilicon RoCE adapters against the patched commit hashes published on kernel.org.
- Monitor dmesg and journald for the check_flush_dependency warning signature on systems mounting NFS over RDMA.
- Correlate RDMA disconnect events with sunrpc reconnect workers to identify nodes susceptible to the dependency violation.
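One way to implement the log check described in the indicators and detection strategies above, as an added example that is not code from the kernel project or from this advisory. It parses the check_flush_dependency message into flusher and target fields, so it generalizes beyond this CVE to any workqueue pair; parse_flush_dependency(), scan() and the sample lines are constructed for illustration.

```python
import re

# Text of the WARN_ONCE emitted by check_flush_dependency() in kernel/workqueue.c:
#   workqueue: WQ_MEM_RECLAIM <wq>:<func> is flushing !WQ_MEM_RECLAIM <wq>:<func>
# %ps appends " [module]" for module symbols, so that suffix is optional here.
FLUSH_DEP = re.compile(
    r"WQ_MEM_RECLAIM (?P<flusher_wq>\S+):(?P<flusher_fn>[\w.]+)(?: \[(?P<flusher_mod>\w+)\])?"
    r" is flushing !WQ_MEM_RECLAIM (?P<target_wq>\S+):(?P<target_fn>[\w.]+)(?: \[(?P<target_mod>\w+)\])?"
)
# Frames the page lists for this CVE's destroy path; used only as corroboration.
PATH_FRAMES = ("hns_roce_v2_destroy_qp", "rpcrdma_xprt_disconnect")


def parse_flush_dependency(line):
    """Return the flusher/target fields of a flush-dependency warning, or None."""
    m = FLUSH_DEP.search(line)
    return m.groupdict() if m else None


def scan(lines, target_wq="hns_roce_irq_workq"):
    """Split warnings into hits on target_wq and other violations worth triage."""
    hits, others, frames = [], [], set()
    for line in lines:
        frames.update(f for f in PATH_FRAMES if f in line)
        rec = parse_flush_dependency(line)
        if rec:
            (hits if rec["target_wq"] == target_wq else others).append(rec)
    return {"hits": hits, "others": others, "frames_seen": sorted(frames)}


# Constructed sample (journalctl -k style); only the message text follows the page.
SAMPLE = [
    "kernel: ------------[ cut here ]------------",
    "kernel: workqueue: WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma]"
    " is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle",
    "kernel: WARNING: CPU: 3 PID: 412 at kernel/workqueue.c:2644 check_flush_dependency+0x...",
    "kernel:  hns_roce_v2_destroy_qp+0x... [hns_roce_hw_v2]",
    "kernel:  rpcrdma_xprt_disconnect+0x... [rpcrdma]",
    "kernel: workqueue: WQ_MEM_RECLAIM example_wq:0:example_fn is flushing"
    " !WQ_MEM_RECLAIM other_wq:other_fn [example_mod]",
]

if __name__ == "__main__":
    result = scan(SAMPLE)
    for rec in result["hits"]:
        print("CVE-2026-46265 signature:", rec["flusher_wq"], "->", rec["target_wq"])
    print("corroborating frames:", result["frames_seen"])
```

The kernel emits this message through WARN_ONCE, so a host logs it at most once per boot; alert on a single occurrence rather than on a rate.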
Monitoring Recommendations
- Centralize kernel logs from RDMA-capable hosts into a SIEM and alert on workqueue dependency warnings.
- Track hns_roce_hw_v2 module load and version metadata across the fleet to confirm patch coverage.
- Watch for repeated rpcrdma_xprt_disconnect events that may indicate transport instability and trigger the defect.
How to Mitigate CVE-2026-46265
Immediate Actions Required
- Update affected Linux kernels to a stable release containing the upstream fix that adds WQ_MEM_RECLAIM to hns_roce_irq_workq.
- Inventory all hosts running the hns_roce_hw_v2 driver and prioritize those serving or consuming NFS over RDMA.
- Validate that vendor kernel builds for HiSilicon-based platforms include the backported patch.
Patch Information
The issue is resolved upstream across multiple stable branches. Refer to the kernel.org commits: commit 0cbec8b4, commit 12761bd0, commit 562c96b1, commit 70a5eb75, commit c0a26bbd, and commit c5ef9a1b. The fix adds the WQ_MEM_RECLAIM flag to the workqueue allocation so the destroy path is safe to invoke from memory-reclaim contexts.
Workarounds
- Where patching is not immediately possible, avoid NFS-over-RDMA configurations on hosts using hns_roce_hw_v2 until the kernel is updated.
- Reduce conditions that trigger sunrpc transport resets by stabilizing RDMA fabric connectivity and validating adapter firmware.
- Maintain adequate free memory headroom to minimize the likelihood of reclaim-context worker invocation on unpatched hosts.


