CVE-2026-45856

In the Linux kernel, the following vulnerability has been resolved:

RDMA/uverbs: Validate wqe size before using it in ib uverbs post send

ib uverbs post send() uses cmd.wqe size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib uverbs send wr.

If a user provides a small wqe size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user wr->opcode, user wr->num sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace.

Additionally, providing an excessively large wqe size can trigger a WARNING in the memory allocation path, as reported by syzkaller.

This is inconsistent with ib uverbs unmarshall recv() which properly validates that wqe size >= sizeof(struct ib uverbs recv wr) before proceeding.

Add the same validation for ib uverbs post send() to ensure wqe size is at least sizeof(struct ib uverbs send wr).