CVE-2026-31425

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rds: ib: reject FRMR registration before IB connection is established<br /> <br /> rds_ib_get_mr() extracts the rds_ib_connection from conn-&gt;c_transport_data<br /> and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a<br /> fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with<br /> i_cm_id = NULL because the connection worker has not yet called<br /> rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with<br /> RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses<br /> the control message before any connection establishment, allowing<br /> rds_ib_post_reg_frmr() to dereference ic-&gt;i_cm_id-&gt;qp and crash the<br /> kernel.<br /> <br /> The existing guard in rds_ib_reg_frmr() only checks for !ic (added in<br /> commit 9e630bcb7701), which does not catch this case since ic is allocated<br /> early and is always non-NULL once the connection object exists.<br /> <br /> KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]<br /> RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920<br /> Call Trace:<br /> rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)<br /> rds_ib_map_frmr (net/rds/ib_frmr.c:252)<br /> rds_ib_reg_frmr (net/rds/ib_frmr.c:430)<br /> rds_ib_get_mr (net/rds/ib_rdma.c:615)<br /> __rds_rdma_map (net/rds/rdma.c:295)<br /> rds_cmsg_rdma_map (net/rds/rdma.c:860)<br /> rds_sendmsg (net/rds/send.c:1363)<br /> ____sys_sendmsg<br /> do_syscall_64<br /> <br /> Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all<br /> non-NULL before proceeding with FRMR registration, mirroring the guard<br /> already present in rds_ib_post_inv(). Return -ENODEV when the connection<br /> is not ready, which the existing error handling in rds_cmsg_send() converts<br /> to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to<br /> start the connection worker.