RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be re-evaluated to ensure it is properly pinned as RW. Since the umem is hidden inside each driver's mr struct add an ib_umem_check_rereg() function that each driver has to call before processing IB_MR_REREG_ACCESS.
mlx4 has to retain its duplicate ib_access_writable check because it implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items in place sequentially while the MR is live, so it will continue to not support this combination.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Patches
Vulnerability mechanics
Root cause
"Missing validation when re-registering a memory region's access flags from read-only to read-write without re-pinning the underlying umem as writable."
Attack vector
A local user with access to RDMA verbs registers a memory region with read-only access flags, then calls `rereg_mr` with `IB_MR_REREG_ACCESS` (and without `IB_MR_REREG_TRANS`) to switch the region to read-write flags. The pages behind the region were pinned for read-only access when the MR was first registered, and before the fix the driver updated the access flags in place without re-evaluating the `umem`, so the region then granted write access over pages that were never pinned, and never validated, as writable. This bypasses the memory pinning semantics introduced by commit `b40656aa7d55` ("RDMA/umem: remove FOLL_FORCE usage").
Affected code
The vulnerability affects the RDMA subsystem's memory registration (MR) re-registration path in the Linux kernel. The core fix is in `drivers/infiniband/core/umem.c` where the new `ib_umem_check_rereg()` function is added, and the header `include/rdma/ib_umem.h`. Driver-specific changes are in `drivers/infiniband/hw/mlx4/mr.c`, `drivers/infiniband/hw/mlx5/mr.c`, `drivers/infiniband/hw/hns/hns_roce_mr.c`, `drivers/infiniband/hw/irdma/verbs.c`, and `drivers/infiniband/sw/rxe/rxe_verbs.c`.
What the fix does
The patch adds `ib_umem_check_rereg()` in `drivers/infiniband/core/umem.c` (declared in `include/rdma/ib_umem.h`) to validate an `IB_MR_REREG_ACCESS` request that does not also carry `IB_MR_REREG_TRANS`; when `IB_MR_REREG_TRANS` is present a new `umem` is pinned for the new flags, so no separate check is needed there. If the new access flags request writable access (`ib_access_writable(new_access_flags)`) but the existing `umem` was not pinned as writable (`!umem->writable`), the function returns `-EACCES` and the re-registration is refused. Each affected driver (mlx4, mlx5, hns, irdma, rxe) calls this check early in its `rereg_user_mr` handler, before any driver state is modified. mlx4 additionally keeps its own `ib_access_writable()` check and still rejects `IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS`, because it applies the two changes sequentially on a live MR (see the description above).
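Added example (not code from the kernel patch or from any of the listed drivers): a stand-alone, user-space C model of the pre-fix and post-fix `rereg_user_mr` paths described in the attack vector and fix sections above. The flag values mirror `include/rdma/ib_verbs.h` and `ib_access_writable()` uses the kernel's predicate, but `struct umem`, `struct mr`, `umem_pin()`, `rereg_apply()`, the two `rereg_mr_*()` functions and the name and signature of `umem_check_rereg()` are assumptions made for this illustration, not the kernel's own API. It shows the vulnerable path leaving an MR that advertises write access over pages pinned read-only, the fixed path returning `-EACCES` for the same request, and the same RO-to-RW change succeeding when `IB_MR_REREG_TRANS` re-pins the pages.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* MR access flags and rereg flags, values as in include/rdma/ib_verbs.h. */
#define IB_ACCESS_LOCAL_WRITE   (1 << 0)
#define IB_ACCESS_REMOTE_WRITE  (1 << 1)
#define IB_ACCESS_REMOTE_READ   (1 << 2)
#define IB_ACCESS_REMOTE_ATOMIC (1 << 3)
#define IB_ACCESS_MW_BIND       (1 << 4)

#define IB_MR_REREG_TRANS  (1 << 0)
#define IB_MR_REREG_PD     (1 << 1)
#define IB_MR_REREG_ACCESS (1 << 2)

/* Same predicate as the kernel's ib_access_writable(): any flag that lets
 * the adapter modify memory (local/remote write, atomics, MW bind). */
static bool ib_access_writable(int access_flags)
{
    return access_flags & (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE |
                           IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND);
}

/* Constructed stand-in for struct ib_umem: only the field the check reads. */
struct umem {
    bool writable;  /* were the pages pinned with write permission? */
};

/* Constructed stand-in for a driver's MR struct that embeds its umem. */
struct mr {
    struct umem umem;
    int access_flags;
};

/* Model of pinning the user buffer: pages are pinned writable only when the
 * access flags require writes (the decision made at registration time). */
static void umem_pin(struct umem *u, int access_flags)
{
    u->writable = ib_access_writable(access_flags);
}

static int mr_create(struct mr *mr, int access_flags)
{
    umem_pin(&mr->umem, access_flags);
    mr->access_flags = access_flags;
    return 0;
}

/* Illustrative version of the check the fix adds (name and signature are
 * assumptions, not the kernel's exact API). An ACCESS-only rereg must not
 * grant write access over pages that were pinned read-only. */
static int umem_check_rereg(const struct umem *u, int flags, int new_access_flags)
{
    if (flags & IB_MR_REREG_TRANS)
        return 0;   /* a new umem gets pinned, access is re-evaluated there */
    if (!(flags & IB_MR_REREG_ACCESS))
        return 0;
    if (ib_access_writable(new_access_flags) && !u->writable)
        return -EACCES;
    return 0;
}

/* Shared tail of rereg: re-pin on TRANS, then update the flags in place. */
static int rereg_apply(struct mr *mr, int flags, int new_access_flags)
{
    int effective = (flags & IB_MR_REREG_ACCESS) ? new_access_flags
                                                 : mr->access_flags;
    if (flags & IB_MR_REREG_TRANS)
        umem_pin(&mr->umem, effective);
    mr->access_flags = effective;
    return 0;
}

/* Pre-fix behaviour: access flags are swapped without consulting the umem. */
static int rereg_mr_vulnerable(struct mr *mr, int flags, int new_access_flags)
{
    return rereg_apply(mr, flags, new_access_flags);
}

/* Post-fix behaviour: the check runs before any driver state is touched. */
static int rereg_mr_fixed(struct mr *mr, int flags, int new_access_flags)
{
    int ret = umem_check_rereg(&mr->umem, flags, new_access_flags);
    if (ret)
        return ret;
    return rereg_apply(mr, flags, new_access_flags);
}

/* True when the MR advertises write access over pages pinned read-only,
 * i.e. the inconsistent state the vulnerable path can produce. */
static bool mr_grants_write_over_ro_pages(const struct mr *mr)
{
    return ib_access_writable(mr->access_flags) && !mr->umem.writable;
}

int main(void)
{
    struct mr a, b;

    mr_create(&a, IB_ACCESS_REMOTE_READ);
    rereg_mr_vulnerable(&a, IB_MR_REREG_ACCESS, IB_ACCESS_REMOTE_WRITE);
    printf("vulnerable: write over RO pages = %d\n", mr_grants_write_over_ro_pages(&a));

    mr_create(&b, IB_ACCESS_REMOTE_READ);
    printf("fixed: ACCESS-only RO->RW returns %d\n",
           rereg_mr_fixed(&b, IB_MR_REREG_ACCESS, IB_ACCESS_REMOTE_WRITE));
    printf("fixed: ACCESS|TRANS RO->RW returns %d\n",
           rereg_mr_fixed(&b, IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS,
                          IB_ACCESS_REMOTE_WRITE));
    return 0;
}
```

The check keys on how the pages were pinned (`umem.writable`), not on the MR's current access flags: a region registered writable, downgraded to read-only and later switched to atomic access still passes, because its pages were pinned writable from the start. Compile with any C11 compiler and run to see the three cases printed.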
Preconditions
- Authentication: The attacker must have access to RDMA verbs and be able to issue a rereg_mr operation on a memory region that was originally registered as read-only.
- Input: The attacker must be able to specify IB_MR_REREG_ACCESS with new access flags requesting write permission.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/09dc18894148381d3bfc550083b1236043870dce (MITRE)
- git.kernel.org/stable/c/2904e985a2917b5dac65df82733065e78a65fc9d (MITRE)
- git.kernel.org/stable/c/50334a05a950840b39a1ce3d2a173b4183db9b3e (MITRE)
- git.kernel.org/stable/c/badad6fad60def1b9805559dd81dbab3d97b82aa (MITRE)
- git.kernel.org/stable/c/eba5df21eda0fe7418efbea2f799f8ea1b8ca94c (MITRE)