CVE-2026-46127
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's RDMA/ocrdma driver occurs on error paths in ocrdma_copy_pd_uresp() because pd->uctx is used before initialization.
Vulnerability
In the Linux kernel's RDMA/ocrdma driver, the function ocrdma_copy_pd_uresp() contains a NULL pointer dereference vulnerability. The code references pd->uctx on error paths before that field is initialized. This affects the kernel versions prior to the stable commit ec44c00a4fe1327efa35083f98b39c01cb535a51 [1]. The bug is reachable when an error occurs during the early part of the function, before pd->uctx is set.
Exploitation
An attacker would need to trigger a failure in the early execution of ocrdma_copy_pd_uresp(), which could be achieved through specific operations on an RDMA device using the ocrdma driver. The error must occur before pd->uctx is assigned. No special privileges beyond local access to the RDMA subsystem are mentioned; user interaction may be required to initiate the offending operation.
Impact
A successful exploit would cause a NULL pointer dereference, leading to a kernel crash (denial of service). The impact is limited to system availability; no privilege escalation or data disclosure is described in the available references.
Mitigation
A fix was committed to the Linux kernel stable tree in commit ec44c00a4fe1327efa35083f98b39c01cb535a51 [1]. Users should update to a kernel version containing this commit. No workarounds are mentioned in the references. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
10ec44c00a4fe1RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index e89be2fbd5eb27..ea04b8cace99a3 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index e89be2fbd5eb27..ea04b8cace99a3 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
34fbf48cf3b4RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 463c9a5703fc4e..a88cc5d84af828 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 463c9a5703fc4e..a88cc5d84af828 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
e01a957561f6RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index c849fdbd4c994d..c47ecb1c08bfb9 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index c849fdbd4c994d..c47ecb1c08bfb9 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
75fc130664aeRDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 979de8f8df1480..bbdf4619218deb 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 979de8f8df1480..bbdf4619218deb 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
8832626a4834RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 46d911fd38dee1..954a50d5c34d7b 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 46d911fd38dee1..954a50d5c34d7b 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
ec44c00a4fe1RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index e89be2fbd5eb27..ea04b8cace99a3 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index e89be2fbd5eb27..ea04b8cace99a3 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
75fc130664aeRDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 979de8f8df1480..bbdf4619218deb 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 979de8f8df1480..bbdf4619218deb 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
8832626a4834RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 46d911fd38dee1..954a50d5c34d7b 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 46d911fd38dee1..954a50d5c34d7b 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
34fbf48cf3b4RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 463c9a5703fc4e..a88cc5d84af828 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index 463c9a5703fc4e..a88cc5d84af828 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
e01a957561f6RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
2 files changed · +4 −6
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index c849fdbd4c994d..c47ecb1c08bfb9 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
drivers/infiniband/hw/ocrdma/ocrdma_verbs.c+2 −3 modifieddiff --git a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c index c849fdbd4c994d..c47ecb1c08bfb9 100644 --- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c +++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c @@ -620,9 +620,9 @@ static int ocrdma_copy_pd_uresp(struct ocrdma_dev *dev, struct ocrdma_pd *pd, ucopy_err: if (pd->dpp_enabled) - ocrdma_del_mmap(pd->uctx, dpp_page_addr, PAGE_SIZE); + ocrdma_del_mmap(uctx, dpp_page_addr, PAGE_SIZE); dpp_map_err: - ocrdma_del_mmap(pd->uctx, db_page_addr, db_page_size); + ocrdma_del_mmap(uctx, db_page_addr, db_page_size); return status; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"NULL-pointer dereference in error paths of ocrdma_copy_pd_uresp() because pd->uctx is used before it is initialized."
Attack vector
An attacker triggers this bug by causing an error in the `ocrdma_copy_pd_uresp()` function, for example by making a copy-from-user (`ucopy`) operation fail. When the error path runs, the code calls `ocrdma_del_mmap()` with `pd->uctx`, which is still NULL because it is assigned later in the function. This results in a NULL-pointer dereference and a kernel crash. No special privileges beyond the ability to issue RDMA verbs are required.
Affected code
The vulnerability is in the function `ocrdma_copy_pd_uresp()` in `drivers/infiniband/hw/ocrdma/ocrdma_verbs.c` [patch_id=2898464]. The error-handling labels `ucopy_err` and `dpp_map_err` reference `pd->uctx`, but `pd->uctx` is not initialized until later in the function, so those references are NULL.
What the fix does
The patch replaces `pd->uctx` with `uctx` in both error paths (`ucopy_err` and `dpp_map_err`) [patch_id=2898464]. The variable `uctx` is a local function parameter that is already a valid pointer (it is passed into the function), whereas `pd->uctx` is a struct member that is not assigned until after the error-prone operations. Using `uctx` avoids the NULL dereference because `uctx` is always non-NULL when the error paths are reached.
Preconditions
- inputThe attacker must be able to trigger an error in ocrdma_copy_pd_uresp(), e.g. by causing a copy_from_user() failure.
- configThe system must have the ocrdma (Emulex OneConnect IBoE RDMA) driver loaded and the attacker must be able to issue RDMA verbs that reach this function.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5banvd
- git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8nvd
- git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726envd
- git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcdnvd
- git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51nvd
News mentions
0No linked articles in our index yet.