PT-2026-32351 · Linux · Linux

Published: 2026-04-13 · Updated: 2026-04-13 · CVE-2026-31425

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
rds: ib: reject FRMR registration before IB connection is established
rds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data and passes it to rds_ib_reg_frmr() for FRWR memory registration. On a fresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with i_cm_id = NULL because the connection worker has not yet called rds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with RDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses the control message before any connection establishment, allowing rds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the kernel.
The existing guard in rds_ib_reg_frmr() only checks for !ic (added in commit 9e630bcb7701), which does not catch this case since ic is allocated early and is always non-NULL once the connection object exists.
    KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
    RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920
    Call Trace:
     rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)
     rds_ib_map_frmr (net/rds/ib_frmr.c:252)
     rds_ib_reg_frmr (net/rds/ib_frmr.c:430)
     rds_ib_get_mr (net/rds/ib_rdma.c:615)
     rds_rdma_map (net/rds/rdma.c:295)
     rds_cmsg_rdma_map (net/rds/rdma.c:860)
     rds_sendmsg (net/rds/send.c:1363)
     __sys_sendmsg
     do_syscall_64
Add a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all non-NULL before proceeding with FRMR registration, mirroring the guard already present in rds_ib_post_inv(). Return -ENODEV when the connection is not ready, which the existing error handling in rds_cmsg_send() converts to -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to start the connection worker.
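The guard described above, modelled in user space as an added example (this is not the kernel's code): the struct names mirror the RDS ones but are constructed stand-ins with only the fields the check touches, get_mr() plays the role of the fixed rds_ib_get_mr(), and cmsg_send() models the -ENODEV to -EAGAIN conversion in rds_cmsg_send().

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structures named in the advisory. */
struct ib_qp { int id; };
struct rdma_cm_id { struct ib_qp *qp; };
struct rds_ib_connection { struct rdma_cm_id *i_cm_id; };
struct rds_connection { void *c_transport_data; };

/* Shape of the crash site: rds_ib_post_reg_frmr() walks ic->i_cm_id->qp with
 * no guard of its own. On a fresh connection i_cm_id is still NULL, so this
 * must only be reached once the caller has verified the chain of pointers. */
static int post_reg_frmr(struct rds_ib_connection *ic)
{
    return ic->i_cm_id->qp->id;
}

/* Hardened shape of rds_ib_get_mr(): ic exists as soon as the connection
 * object is allocated, so checking !ic alone is not enough; i_cm_id and qp
 * are only populated after the connection worker runs. */
int get_mr(struct rds_connection *conn)
{
    struct rds_ib_connection *ic = conn->c_transport_data;
    if (!ic || !ic->i_cm_id || !ic->i_cm_id->qp)
        return -ENODEV;            /* connection not ready yet */
    return post_reg_frmr(ic);
}

/* Model of the rds_cmsg_send() path: -ENODEV becomes -EAGAIN so user space
 * retries after the connection worker (kicked off by the kernel) has run. */
int cmsg_send(struct rds_connection *conn)
{
    int ret = get_mr(conn);
    return ret == -ENODEV ? -EAGAIN : ret;
}

/* Scenario 1: fresh outgoing connection, as left by rds_ib_conn_alloc(). */
int fresh_connection_result(void)
{
    struct rds_ib_connection ic = { .i_cm_id = NULL };
    struct rds_connection conn = { .c_transport_data = &ic };
    return cmsg_send(&conn);
}

/* Scenario 2: connection established, cm_id and QP present (id 7 is constructed). */
int ready_connection_result(void)
{
    struct ib_qp qp = { .id = 7 };
    struct rdma_cm_id cm = { .qp = &qp };
    struct rds_ib_connection ic = { .i_cm_id = &cm };
    struct rds_connection conn = { .c_transport_data = &ic };
    return cmsg_send(&conn);
}

int main(void)
{
    printf("fresh: %d (EAGAIN=-%d), ready: %d\n",
           fresh_connection_result(), EAGAIN, ready_connection_result());
    return 0;
}
```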

Related Identifiers

CVE-2026-31425

Affected Products

Linux