Home

Description

In the Linux kernel, the following vulnerability has been resolved: rds: ib: reject FRMR registration before IB connection is established rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel. The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists. KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64 Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-13 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before c506456ebf84c50ed9327473d4e9bd905def212b
affected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before 82e4a3b56b23b844802056c9e75a39d24169b0a4
affected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before 450ec93c0f172374acbf236f1f5f02d53650aa2d
affected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before 6b0a8de67ac0c74e1a7df92b73c862cb36780dfc
affected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before a5bfd14c9a299e6db4add4440430ee5e010b03ad
affected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before 23e07c340c445f0ebff7757ba15434cb447eb662
affected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before 47de5b73db3b88f45c107393f26aeba26e9e8fae
affected

1659185fb4d0025835eb2058a141f0746c5cab00 (git) before a54ecccfae62c5c85259ae5ea5d9c20009519049
affected

Default status
affected

4.6
affected

Any version before 4.6
unaffected

5.10.253 (semver)
unaffected

5.15.203 (semver)
unaffected

6.1.168 (semver)
unaffected

6.6.134 (semver)
unaffected

6.12.81 (semver)
unaffected

6.18.22 (semver)
unaffected

6.19.12 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/c506456ebf84c50ed9327473d4e9bd905def212b

git.kernel.org/...c/82e4a3b56b23b844802056c9e75a39d24169b0a4

git.kernel.org/...c/450ec93c0f172374acbf236f1f5f02d53650aa2d

git.kernel.org/...c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc

git.kernel.org/...c/a5bfd14c9a299e6db4add4440430ee5e010b03ad

git.kernel.org/...c/23e07c340c445f0ebff7757ba15434cb447eb662

git.kernel.org/...c/47de5b73db3b88f45c107393f26aeba26e9e8fae

git.kernel.org/...c/a54ecccfae62c5c85259ae5ea5d9c20009519049

cve.org (CVE-2026-31425)

nvd.nist.gov (CVE-2026-31425)

Download JSON