CVE-2026-31425

rds: ib: reject FRMR registration before IB connection is established

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data
and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a
fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with
i_cm_id = NULL because the connection worker has not yet called
rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with
RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses
the control message before any connection establishment, allowing
rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the
kernel.

The existing guard in rds_ib_reg_frmr() only checks for !ic (added in
commit 9e630bcb7701), which does not catch this case since ic is allocated
early and is always non-NULL once the connection object exists.

 KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
 RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
 Call Trace:
  rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
  rds_ib_map_frmr (net/rds/ib_frmr.c:252)
  rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
  rds_ib_get_mr (net/rds/ib_rdma.c:615)
  __rds_rdma_map (net/rds/rdma.c:295)
  rds_cmsg_rdma_map (net/rds/rdma.c:860)
  rds_sendmsg (net/rds/send.c:1363)
  ____sys_sendmsg
  do_syscall_64

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all
non-NULL before proceeding with FRMR registration, mirroring the guard
already present in rds_ib_post_inv(). Return -ENODEV when the connection
is not ready, which the existing error handling in rds_cmsg_send() converts
to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to
start the connection worker.
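To make the ordering problem concrete, here is an added user-space model of the readiness guard the fix adds; it is not the kernel's code. Struct and function names mirror the advisory, but their bodies are simplified stand-ins (assumed), and `old_guard_passes`, `rds_ib_get_mr_ready` and `rds_cmsg_rdma_map_model` are hypothetical names for the pre-fix check, the post-fix check and the rds_cmsg_send() error mapping.

```c
#include <errno.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel structs named in the advisory. */
struct ib_qp { int dummy; };
struct rdma_cm_id { struct ib_qp *qp; };
struct rds_ib_connection { struct rdma_cm_id *i_cm_id; };
struct rds_connection { struct rds_ib_connection *c_transport_data; int connect_kicked; };

/* rds_ib_conn_alloc(): ic exists at once, but i_cm_id stays NULL until the
 * connection worker has run rds_ib_conn_path_connect(). */
static struct rds_ib_connection *rds_ib_conn_alloc(struct rds_connection *conn)
{
    struct rds_ib_connection *ic = calloc(1, sizeof(*ic));
    conn->c_transport_data = ic;
    return ic;
}

/* Later step by the worker: create the rdma_cm_id and then its QP. */
static void rds_ib_conn_path_connect(struct rds_ib_connection *ic)
{
    ic->i_cm_id = calloc(1, sizeof(*ic->i_cm_id));
    ic->i_cm_id->qp = calloc(1, sizeof(*ic->i_cm_id->qp));
}

/* Pre-fix guard: only !ic is rejected, so a fresh connection passes and the caller touches ic->i_cm_id->qp. */
static int old_guard_passes(const struct rds_ib_connection *ic)
{
    return ic != NULL;
}

/* Post-fix guard for rds_ib_get_mr(): ic, i_cm_id and qp must all be non-NULL, else -ENODEV. */
static int rds_ib_get_mr_ready(const struct rds_ib_connection *ic)
{
    if (!ic || !ic->i_cm_id || !ic->i_cm_id->qp)
        return -ENODEV;
    return 0;
}

/* Model of the rds_cmsg_send() handling the fix relies on: -ENODEV becomes
 * -EAGAIN for userspace, and rds_conn_connect_if_down() kicks the worker. */
static int rds_cmsg_rdma_map_model(struct rds_connection *conn)
{
    int ret = rds_ib_get_mr_ready(conn->c_transport_data);
    if (ret == -ENODEV) {
        conn->connect_kicked = 1;   /* stands in for rds_conn_connect_if_down() */
        return -EAGAIN;
    }
    return ret;
}
```

Walking a connection through alloc, then connect, shows the old guard accepting the not-yet-connected state that the new guard refuses until both the cm_id and its QP exist.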
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Linux
Product: Linux
Default status: unaffected
Affected git ranges (from introducing commit, before fix commit):
  1659185fb4d0025835eb2058a141f0746c5cab00  < c506456ebf84c50ed9327473d4e9bd905def212b  affected
  1659185fb4d0025835eb2058a141f0746c5cab00  < 82e4a3b56b23b844802056c9e75a39d24169b0a4  affected
  1659185fb4d0025835eb2058a141f0746c5cab00  < 450ec93c0f172374acbf236f1f5f02d53650aa2d  affected
  1659185fb4d0025835eb2058a141f0746c5cab00  < 6b0a8de67ac0c74e1a7df92b73c862cb36780dfc  affected
  1659185fb4d0025835eb2058a141f0746c5cab00  < a5bfd14c9a299e6db4add4440430ee5e010b03ad  affected
  1659185fb4d0025835eb2058a141f0746c5cab00  < 23e07c340c445f0ebff7757ba15434cb447eb662  affected
  1659185fb4d0025835eb2058a141f0746c5cab00  < 47de5b73db3b88f45c107393f26aeba26e9e8fae  affected
  1659185fb4d0025835eb2058a141f0746c5cab00  < a54ecccfae62c5c85259ae5ea5d9c20009519049  affected

Vendor: Linux
Product: Linux
Default status: affected
Version ranges:
  4.6                        affected
  0  to < 4.6                unaffected
  5.10.253  to <= 5.10.*     unaffected
  5.15.203  to <= 5.15.*     unaffected
  6.1.168   to <= 6.1.*      unaffected
  6.6.134   to <= 6.6.*      unaffected
  6.12.81   to <= 6.12.*     unaffected
  6.18.22   to <= 6.18.*     unaffected
  6.19.12   to <= 6.19.*     unaffected
  7.0       to <= *          unaffected
VulnDex Vulnerability Enrichment
No advisory was found for this CVE.
EPSS Metrics
Type   Source     Score   Percentile
EPSS   FIRST.org  0.04%   0.104
CVSS Metrics
Source   Base Score   Exploit Score   Impact Score   Vector String
No CWE information has been published yet.