rds: ib: reject FRMR registration before IB connection is established
Summary
| CVE | CVE-2026-31425 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-13 14:16:12 UTC |
| Updated | 2026-04-18 09:16:32 UTC |
Description

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel. The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.

```
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
Call Trace:
 rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
 rds_ib_map_frmr (net/rds/ib_frmr.c:252)
 rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
 rds_ib_get_mr (net/rds/ib_rdma.c:615)
 __rds_rdma_map (net/rds/rdma.c:295)
 rds_cmsg_rdma_map (net/rds/rdma.c:860)
 rds_sendmsg (net/rds/send.c:1363)
 ____sys_sendmsg
 do_syscall_64
```

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.
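The guard ordering the fix describes, shown as an added, constructed C model that is not the kernel's code: the struct and function names echo the ones in the description, but the fields, the fixture builders and the simplified registration step are stand-ins. It contrasts the old `!ic` guard, which lets a freshly allocated but unconnected connection through, with the fixed check on ic, i_cm_id and qp, and the caller-side -ENODEV to -EAGAIN mapping.

```c
/* Constructed model of the RDS/IB connection-readiness guard; not kernel code. */
#include <errno.h>
#include <stddef.h>

struct ib_qp { int qp_num; };                       /* stand-in for the verbs QP */
struct rdma_cm_id { struct ib_qp *qp; };            /* stand-in for the CM id */
struct rds_ib_connection { struct rdma_cm_id *i_cm_id; };

/* Connection as rds_ib_conn_alloc() leaves it: object exists, i_cm_id still NULL. */
static struct rds_ib_connection *fresh_conn(void)
{
    static struct rds_ib_connection ic = { .i_cm_id = NULL };
    return &ic;
}

/* Connection after the worker has created the rdma_cm_id and its QP. */
static struct rds_ib_connection *established_conn(void)
{
    static struct ib_qp qp = { .qp_num = 7 };       /* constructed sample QP number */
    static struct rdma_cm_id id = { .qp = &qp };
    static struct rds_ib_connection ic = { .i_cm_id = &id };
    return &ic;
}

/* Old guard: only rejects a missing connection object, so a fresh conn passes. */
static int old_guard_allows(const struct rds_ib_connection *ic)
{
    return ic != NULL;
}

/* Fixed guard: connection, CM id and QP must all be present. */
static int ib_conn_ready(const struct rds_ib_connection *ic)
{
    return ic != NULL && ic->i_cm_id != NULL && ic->i_cm_id->qp != NULL;
}

/* Registration step that dereferences the QP, as rds_ib_post_reg_frmr() does. */
static int post_reg_frmr(const struct rds_ib_connection *ic)
{
    return ic->i_cm_id->qp->qp_num;  /* would NULL-deref on a fresh conn */
}

/* get_mr with the fix applied: refuse before the connection is established. */
static int get_mr(const struct rds_ib_connection *ic)
{
    if (!ib_conn_ready(ic))
        return -ENODEV;
    return post_reg_frmr(ic);
}

/* Caller-side mapping the advisory describes: -ENODEV becomes -EAGAIN for userspace retry. */
static int cmsg_send_result(int ret)
{
    return ret == -ENODEV ? -EAGAIN : ret;
}
```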
Risk And Classification
EPSS score: 0.000240000 (percentile 0.066100000), as of 2026-04-18
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 c506456ebf84c50ed9327473d4e9bd905def212b git | Not specified |
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 82e4a3b56b23b844802056c9e75a39d24169b0a4 git | Not specified |
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 450ec93c0f172374acbf236f1f5f02d53650aa2d git | Not specified |
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 6b0a8de67ac0c74e1a7df92b73c862cb36780dfc git | Not specified |
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 a5bfd14c9a299e6db4add4440430ee5e010b03ad git | Not specified |
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 23e07c340c445f0ebff7757ba15434cb447eb662 git | Not specified |
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 47de5b73db3b88f45c107393f26aeba26e9e8fae git | Not specified |
| CNA | Linux | Linux | affected 1659185fb4d0025835eb2058a141f0746c5cab00 a54ecccfae62c5c85259ae5ea5d9c20009519049 git | Not specified |
| CNA | Linux | Linux | affected 4.6 | Not specified |
| CNA | Linux | Linux | unaffected 4.6 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.253 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.203 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.168 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.134 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.81 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.22 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.12 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/a54ecccfae62c5c85259ae5ea5d9c20009519049 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/c506456ebf84c50ed9327473d4e9bd905def212b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/450ec93c0f172374acbf236f1f5f02d53650aa2d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/47de5b73db3b88f45c107393f26aeba26e9e8fae | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/23e07c340c445f0ebff7757ba15434cb447eb662 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/a5bfd14c9a299e6db4add4440430ee5e010b03ad | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/82e4a3b56b23b844802056c9e75a39d24169b0a4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.