CVE-2026-31425

Summary

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel.

The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920 Call Trace: rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167) rds_ib_map_frmr (net/rds/ib_frmr.c:252) rds_ib_reg_frmr (net/rds/ib_frmr.c:430) rds_ib_get_mr (net/rds/ib_rdma.c:615) __rds_rdma_map (net/rds/rdma.c:295) rds_cmsg_rdma_map (net/rds/rdma.c:860) rds_sendmsg (net/rds/send.c:1363) ____sys_sendmsg do_syscall_64

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < c506456ebf84c50ed9327473d4e9bd905def212baffected
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < 82e4a3b56b23b844802056c9e75a39d24169b0a4affected
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < 450ec93c0f172374acbf236f1f5f02d53650aa2daffected
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < 6b0a8de67ac0c74e1a7df92b73c862cb36780dfcaffected
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < a5bfd14c9a299e6db4add4440430ee5e010b03adaffected
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < 23e07c340c445f0ebff7757ba15434cb447eb662affected
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < 47de5b73db3b88f45c107393f26aeba26e9e8faeaffected
LinuxLinux1659185fb4d0025835eb2058a141f0746c5cab00 < a54ecccfae62c5c85259ae5ea5d9c20009519049affected
LinuxLinux4.6affected
LinuxLinux0 < 4.6unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.134 <= 6.6.*unaffected
LinuxLinux6.12.81 <= 6.12.*unaffected
LinuxLinux6.18.22 <= 6.18.*unaffected
LinuxLinux6.19.12 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References