VYPR
Medium severity (5.5) · NVD Advisory · Published Apr 13, 2026 · Updated May 20, 2026

CVE-2026-31425

Description

In the Linux kernel, the following vulnerability has been resolved:

rds: ib: reject FRMR registration before IB connection is established

rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel.

The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.

KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
Call Trace:
 rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
 rds_ib_map_frmr (net/rds/ib_frmr.c:252)
 rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
 rds_ib_get_mr (net/rds/ib_rdma.c:615)
 __rds_rdma_map (net/rds/rdma.c:295)
 rds_cmsg_rdma_map (net/rds/rdma.c:860)
 rds_sendmsg (net/rds/send.c:1363)
 ____sys_sendmsg
 do_syscall_64

Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null-pointer dereference in the Linux kernel's RDS IB driver can crash the system when FRMR registration is attempted before the IB connection is fully established.

Vulnerability

Overview

CVE-2026-31425 is a NULL-pointer dereference in the Linux kernel's RDS (Reliable Datagram Sockets) InfiniBand transport (net/rds/ib_*.c). rds_ib_get_mr() takes the rds_ib_connection (ic) from conn->c_transport_data and hands it to rds_ib_reg_frmr() for FRWR (fast registration work request) memory registration. On a fresh outgoing connection, ic is allocated early in rds_ib_conn_alloc() with i_cm_id = NULL, because the connection worker has not yet run rds_ib_conn_path_connect() to create the rdma_cm_id. If userspace calls sendmsg() with an RDS_CMSG_RDMA_MAP control message before the connection is established, the sendmsg path parses the control message immediately, and rds_ib_post_reg_frmr() reads ic->i_cm_id->qp through the NULL i_cm_id, crashing the kernel [1].

Exploitation

The attack vector is local. No privilege is needed beyond the ability to open an RDS socket and attach an RDS_CMSG_RDMA_MAP control message: the attacker creates an RDS socket, addresses a fresh outgoing connection, and sends a message carrying an RDMA map request before the connection worker has created the rdma_cm_id. No race needs to be won, because the sendmsg path parses the control message before any connection establishment, so the first send on a new connection reaches the unguarded code deterministically. The existing guard in rds_ib_reg_frmr() only checks for a NULL ic, which is insufficient because ic is always non-NULL once the connection object exists; it does not check that i_cm_id or its qp have been created, so the dereference goes ahead [1]. Reachability caveat: the faulting code is the RDS IB transport, so the kernel must be built with CONFIG_RDS_RDMA, the rds modules must be loadable (several distributions blacklist rds by default), and the connection must be routed over an RDMA-capable device for rds_ib to be selected as the transport.

Impact

Successful exploitation causes a kernel NULL-pointer dereference, reported by KASAN as a null-ptr-deref in the range [0x10-0x17]: a read of the qp pointer at a small offset from a NULL i_cm_id, with the faulting instruction in rds_ib_post_reg_frmr() (net/rds/ib_frmr.c:167). The result is a kernel oops in the context of the sending task; on systems with panic_on_oops set (the default on many enterprise distributions) it becomes a full panic. Either way, a local user who can open RDS sockets on an RDMA-capable host can take the system down, a denial of service [1].

Mitigation

The fix has been committed to the Linux kernel and is being backported to the stable trees. It adds a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). If the connection is not ready, the function returns -ENODEV, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and which triggers rds_conn_connect_if_down() to start the connection worker [1]. Affected users should apply the kernel update containing commit 23e07c340c445 (or its backports) as soon as possible. Where that is not yet possible and RDS is not needed, preventing the rds module from loading (for example with an `install rds /bin/true` line under /etc/modprobe.d/) removes the reachable surface entirely, since the IB transport module depends on it.
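The guard described above and in the commit message, modelled in user-space C as an added example. This is not kernel code and not the upstream patch: the structs are stand-ins carrying only the fields the guard touches, the function names are prefixed model_ to mark them as hypothetical, and the call into the registration path is a stub that dereferences ic->i_cm_id->qp exactly as the faulting code did. The point it makes is the ordering: the readiness check must sit in front of the first dereference, and its -ENODEV is translated to -EAGAIN for the caller while the connection worker is kicked.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in structures (constructed for this example): only the fields
 * the guard touches. In the kernel, qp sits a few bytes into rdma_cm_id,
 * which is why a NULL i_cm_id faults at a small offset from zero. */
struct ib_qp { int qp_num; };
struct rdma_cm_id { struct ib_qp *qp; };
struct rds_ib_connection { struct rdma_cm_id *i_cm_id; };
struct rds_connection { void *c_transport_data; };

/* Models the registration path that faulted: it assumes the cm_id and QP
 * exist. Called with i_cm_id == NULL it reproduces the NULL dereference,
 * so the guard in model_ib_get_mr() must run first. */
static int model_post_reg_frmr(struct rds_ib_connection *ic)
{
    struct ib_qp *qp = ic->i_cm_id->qp;      /* the dereference in the report */

    return qp->qp_num >= 0 ? 0 : -EINVAL;
}

/* Patched shape of rds_ib_get_mr(): refuse registration until the
 * connection worker has created the cm_id and its QP. Checking ic alone
 * (the pre-fix guard) is not enough, since ic exists from allocation. */
static int model_ib_get_mr(struct rds_connection *conn)
{
    struct rds_ib_connection *ic = conn ? conn->c_transport_data : NULL;

    if (!ic || !ic->i_cm_id || !ic->i_cm_id->qp)
        return -ENODEV;                      /* connection not ready yet */
    return model_post_reg_frmr(ic);
}

/* Models the caller's error handling: -ENODEV becomes -EAGAIN for
 * userspace and the connection worker is started. *connect_kicked stands
 * in for the rds_conn_connect_if_down() call. */
static int model_cmsg_send(struct rds_connection *conn, int *connect_kicked)
{
    int ret = model_ib_get_mr(conn);

    *connect_kicked = 0;
    if (ret == -ENODEV) {
        *connect_kicked = 1;                 /* rds_conn_connect_if_down() */
        return -EAGAIN;
    }
    return ret;
}

/* Two constructed connections: fresh (no cm_id yet) and established. */
static struct ib_qp sample_qp = { .qp_num = 7 };
static struct rdma_cm_id sample_cm_id = { .qp = &sample_qp };
static struct rds_ib_connection ic_fresh = { .i_cm_id = NULL };
static struct rds_ib_connection ic_ready = { .i_cm_id = &sample_cm_id };
static struct rds_connection conn_fresh = { .c_transport_data = &ic_fresh };
static struct rds_connection conn_ready = { .c_transport_data = &ic_ready };

int main(void)
{
    int kicked;
    int ret;

    ret = model_cmsg_send(&conn_fresh, &kicked);
    printf("fresh connection: ret=%d (-EAGAIN is %d), worker kicked=%d\n",
           ret, -EAGAIN, kicked);
    ret = model_cmsg_send(&conn_ready, &kicked);
    printf("ready connection: ret=%d, worker kicked=%d\n", ret, kicked);
    return 0;
}
```

Running it shows the fresh connection returning -EAGAIN with the worker flagged, and the established one registering with no error. Removing the i_cm_id and qp terms from the guard (leaving only the pre-fix !ic check) and calling the fresh connection reproduces the crash as a segmentation fault, which is the user-space analogue of the KASAN report.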

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0 (no linked articles in our index yet)