Linux Kernel RDS/IB FRMR NPE before IB Conn Establishment
CVE-2026-31425 Published on April 13, 2026
rds: ib: reject FRMR registration before IB connection is established
In the Linux kernel, the following vulnerability has been resolved:
rds: ib: reject FRMR registration before IB connection is established
rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data
and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a
fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with
i_cm_id = NULL because the connection worker has not yet called
rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with
RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses
the control message before any connection establishment, allowing
rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the
kernel.
The existing guard in rds_ib_reg_frmr() only checks for !ic (added in
commit 9e630bcb7701), which does not catch this case since ic is allocated
early and is always non-NULL once the connection object exists.
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
Call Trace:
rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
rds_ib_map_frmr (net/rds/ib_frmr.c:252)
rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
rds_ib_get_mr (net/rds/ib_rdma.c:615)
__rds_rdma_map (net/rds/rdma.c:295)
rds_cmsg_rdma_map (net/rds/rdma.c:860)
rds_sendmsg (net/rds/send.c:1363)
____sys_sendmsg
do_syscall_64
Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all
non-NULL before proceeding with FRMR registration, mirroring the guard
already present in rds_ib_post_inv(). Return -ENODEV when the connection
is not ready, which the existing error handling in rds_cmsg_send() converts
to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to
start the connection worker.
Products Associated with CVE-2026-31425
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 1659185fb4d0025835eb2058a141f0746c5cab00 and below 450ec93c0f172374acbf236f1f5f02d53650aa2d is affected.
- Version 1659185fb4d0025835eb2058a141f0746c5cab00 and below 6b0a8de67ac0c74e1a7df92b73c862cb36780dfc is affected.
- Version 1659185fb4d0025835eb2058a141f0746c5cab00 and below a5bfd14c9a299e6db4add4440430ee5e010b03ad is affected.
- Version 1659185fb4d0025835eb2058a141f0746c5cab00 and below 23e07c340c445f0ebff7757ba15434cb447eb662 is affected.
- Version 1659185fb4d0025835eb2058a141f0746c5cab00 and below 47de5b73db3b88f45c107393f26aeba26e9e8fae is affected.
- Version 1659185fb4d0025835eb2058a141f0746c5cab00 and below a54ecccfae62c5c85259ae5ea5d9c20009519049 is affected.
- Version 4.6 is affected.
- Before 4.6 is unaffected.
- Version 6.1.168, <= 6.1.* is unaffected.
- Version 6.6.134, <= 6.6.* is unaffected.
- Version 6.12.81, <= 6.12.* is unaffected.
- Version 6.18.22, <= 6.18.* is unaffected.
- Version 6.19.12, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.