Home

Description

In the Linux kernel, the following vulnerability has been resolved: net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion rds_ib_xmit_atomic() always programs a masked atomic opcode (IB_WR_MASKED_ATOMIC_CMP_AND_SWP or IB_WR_MASKED_ATOMIC_FETCH_AND_ADD) for every RDS atomic cmsg. But the completion-side switch in rds_ib_send_unmap_op() only handles the non-masked opcodes, so a masked atomic completion falls through to default and returns rm == NULL while send->s_op is left set. rds_ib_send_cqe_handler() then dereferences the NULL rm via rm->m_final_op, oopsing in softirq context. An unprivileged AF_RDS sendmsg() of an atomic cmsg over an active RDS/IB connection triggers it; on hardware that natively accepts masked atomics (mlx4, mlx5) no extra setup is needed. RDS/IB: rds_ib_send_unmap_op: unexpected opcode 0xd in WR! Oops: general protection fault [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000190-0x0000000000000197] RIP: rds_ib_send_cqe_handler+0x25c/0xb10 (net/rds/ib_send.c:282) Call Trace: <IRQ> rds_ib_send_cqe_handler (net/rds/ib_send.c:282) poll_scq (net/rds/ib_cm.c:274) rds_ib_tasklet_fn_send (net/rds/ib_cm.c:294) tasklet_action_common (kernel/softirq.c:943) handle_softirqs (kernel/softirq.c:573) run_ksoftirqd (kernel/softirq.c:479) </IRQ> Kernel panic - not syncing: Fatal exception in interrupt Handle the masked atomic opcodes in the same case as the non-masked ones: they map to the same struct rds_message.atomic union member, so the existing container_of()/rds_ib_send_unmap_atomic() body is correct for them.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-24 | Updated 2026-06-24 | Assigner Linux

Product status

Default status
unaffected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before a0148342badd8c9b2e46551766a27cb76c82e715
affected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before 4dd262f875e87653df50b138de1390ab0628e6b7
affected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before 6e4615164d185a26badb2f376a2449f4d174a5f0
affected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before 0f22412a2f4fbbe0251c132abee045d15a90e5b6
affected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before 0f7baa82a24813cdad0b06a6f8f07e4824af5ed5
affected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before dcf458120add64c96a6ef5cf719340453f6e6abf
affected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before 4fd34669558085bcb589aa2078a13b0ca79e360d
affected

20c72bd5f5f902e5a8745d51573699605bf8d21c (git) before 34080db3e70ddf94c38512ad2331e3c3afca6cc1
affected

Default status
affected

2.6.37
affected

Any version before 2.6.37
unaffected

5.10.259 (semver)
unaffected

5.15.210 (semver)
unaffected

6.1.176 (semver)
unaffected

6.6.143 (semver)
unaffected

6.12.94 (semver)
unaffected

6.18.36 (semver)
unaffected

7.0.13 (semver)
unaffected

7.1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/a0148342badd8c9b2e46551766a27cb76c82e715

git.kernel.org/...c/4dd262f875e87653df50b138de1390ab0628e6b7

git.kernel.org/...c/6e4615164d185a26badb2f376a2449f4d174a5f0

git.kernel.org/...c/0f22412a2f4fbbe0251c132abee045d15a90e5b6

git.kernel.org/...c/0f7baa82a24813cdad0b06a6f8f07e4824af5ed5

git.kernel.org/...c/dcf458120add64c96a6ef5cf719340453f6e6abf

git.kernel.org/...c/4fd34669558085bcb589aa2078a13b0ca79e360d

git.kernel.org/...c/34080db3e70ddf94c38512ad2331e3c3afca6cc1

cve.org (CVE-2026-52939)

nvd.nist.gov (CVE-2026-52939)

Download JSON