CVE-2026-23243

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umad: Reject negative data len in ib umad write

ib umad write computes data len from user-controlled count and the MAD header sizes. With a mismatched user MAD header size and RMPP header length, data len can become negative and reach ib create send mad(). This can make the padding calculation exceed the segment size and trigger an out-of-bounds memset in alloc send rmpp list().

Add an explicit check to reject negative data len before creating the send buffer.

KASAN splat: [ 211.363464] BUG: KASAN: slab-out-of-bounds in ib create send mad+0xa01/0x11b0 [ 211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray thread/102 [ 211.365867] ib create send mad+0xa01/0x11b0 [ 211.365887] ib umad write+0x853/0x1c80