PT-2026-51889 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24
CVE-2026-52995
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net/rds: zero per-item info buffer before handing it to visitors
rds_for_each_conn_info() and rds_walk_conn_path_info() both hand a caller-allocated on-stack u64 buffer to a per-connection visitor and then copy the full item_len bytes back to user space via rds_info_copy() regardless of how much of the buffer the visitor actually wrote.
rds_ib_conn_info_visitor() and rds6_ib_conn_info_visitor() only write a subset of their output struct when the underlying rds_connection is not in state RDS_CONN_UP (src/dst addr, tos, sl and the two GIDs via explicit memsets). Several u32 fields (max_send_wr, max_recv_wr, max_send_sge, rdma_mr_max, rdma_mr_size, cache_allocs) and the 2-byte alignment hole between sl and cache_allocs remain as whatever stack contents preceded the visitor call and are then memcpy_to_user()'d out to user space.
struct rds_info_rdma_connection and struct rds6_info_rdma_connection are the only rds_info_* structs in include/uapi/linux/rds.h that are not marked __attribute__((packed)), so they have a real alignment hole. The other info visitors (rds_conn_info_visitor, rds6_conn_info_visitor, rds_tcp_tc_info, ...) write all fields of their packed output struct today and are not known to be vulnerable, but a future visitor that adds a conditional write-path would have the same bug.
Reproduction on a kernel built without CONFIG_INIT_STACK_ALL_ZERO=y: a local unprivileged user opens AF_RDS, sets SO_RDS_TRANSPORT=IB, binds to a local address on an RDMA-capable netdev (rxe soft-RoCE on any netdev is sufficient), sendto()'s any peer on the same subnet (fails cleanly but installs an rds_connection in the global hash in RDS_CONN_CONNECTING), then calls getsockopt(SOL_RDS, RDS_INFO_IB_CONNECTIONS). The returned 68-byte item contains 26 bytes of stack garbage including kernel text/data pointers:
 0..7    0a 63 00 01 0a 63 00 02   src=10.99.0.1 dst=10.99.0.2
 8..39   00 ...                    gids (memset-zeroed)
40..47   e0 92 a3 81 ff ff ff ff   kernel pointer (max_send_wr)
48..55   7f 37 b5 81 ff ff ff ff   kernel pointer (rdma_mr_max)
56..59   01 00 08 00               rdma_mr_size (garbage)
60..61   00 00                     tos, sl
62..63   00 00                     alignment padding
64..67   18 00 00 00               cache_allocs (garbage)
Fix by zeroing the per-item buffer in both rds_for_each_conn_info() and rds_walk_conn_path_info() before invoking the visitor. This covers the IPv4/IPv6 IB visitors and hardens all current and future visitors against the same class of bug.
No functional change for visitors that fully populate their output.
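To make the mechanism concrete, here is an added user-space model of one iteration of the info walk. It is not kernel code and not part of the patch: the same not-packed 68-byte struct (field names and order taken from the description above), a visitor that only fills the u32 counters when the connection is up, and the per-item u64 buffer handed over once as-is and once zeroed first. The names struct conn, ib_conn_info_visitor, walk_one_item and leak_bytes, the 0xAA pattern standing in for stale stack contents, and the sample counter values are all constructed for this example. The model counts how many bytes of the copied-out item still carry the stale pattern: 26 for a connecting-state connection before the fix, matching the dump above, and 0 once the buffer is zeroed first. It also goes slightly beyond the text: on the fully-populated path, field-by-field assignment leaves the 2-byte padding hole untouched, which is why zeroing the whole buffer, rather than relying on every field being written, closes the class of bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GID_LEN 16

/* Only "up" matters for the visitor's conditional write path. */
enum conn_state { CONN_CONNECTING, CONN_UP };

/* User-space model of struct rds_info_rdma_connection. The struct is
 * deliberately not packed, so a 2-byte hole sits between sl and
 * cache_allocs and sizeof() comes out to 68 on the usual ABIs. */
struct info_rdma_connection {
	uint32_t src_addr;
	uint32_t dst_addr;
	uint8_t  src_gid[GID_LEN];
	uint8_t  dst_gid[GID_LEN];
	uint32_t max_send_wr;
	uint32_t max_recv_wr;
	uint32_t max_send_sge;
	uint32_t rdma_mr_max;
	uint32_t rdma_mr_size;
	uint8_t  tos;
	uint8_t  sl;
	uint32_t cache_allocs;
};

/* Hypothetical stand-in for the kernel's connection object. */
struct conn {
	enum conn_state state;
	uint32_t src_addr, dst_addr;
	uint8_t tos, sl;
};

/* Byte pattern standing in for whatever the stack held before the visitor ran. */
#define STALE_BYTE 0xAA

/* Visitor modelled on the conditional write path described above: addresses,
 * tos, sl and the GIDs are always written; the u32 counters only when up. */
static void ib_conn_info_visitor(const struct conn *c, void *buffer)
{
	struct info_rdma_connection *iinfo = buffer;

	iinfo->src_addr = c->src_addr;
	iinfo->dst_addr = c->dst_addr;
	iinfo->tos = c->tos;
	iinfo->sl = c->sl;
	memset(iinfo->src_gid, 0, GID_LEN);
	memset(iinfo->dst_gid, 0, GID_LEN);
	if (c->state == CONN_UP) {
		iinfo->max_send_wr = 256;    /* constructed sample values */
		iinfo->max_recv_wr = 1024;
		iinfo->max_send_sge = 4;
		iinfo->rdma_mr_max = 64;
		iinfo->rdma_mr_size = 512;
		iinfo->cache_allocs = 0;
	}
}

/* Count bytes of the copied-out item that still carry the stale pattern. */
static size_t count_stale(const uint8_t *item, size_t len)
{
	size_t n = 0;
	for (size_t i = 0; i < len; i++)
		if (item[i] == STALE_BYTE)
			n++;
	return n;
}

size_t item_len(void) { return sizeof(struct info_rdma_connection); }

/* One iteration of the walk loop. zero_first == 0 is the pattern before the
 * fix (buffer handed to the visitor as-is); zero_first != 0 is the fix.
 * Returns how many stale bytes reach the caller's copy, i.e. the leak size. */
size_t walk_one_item(const struct conn *c, int zero_first, uint8_t *out)
{
	uint64_t buffer[(sizeof(struct info_rdma_connection) + 7) / 8];
	size_t len = sizeof(struct info_rdma_connection);

	memset(buffer, STALE_BYTE, sizeof(buffer)); /* simulate stale stack contents */
	if (zero_first)
		memset(buffer, 0, len);             /* the fix: zero before the visitor */
	ib_conn_info_visitor(c, buffer);
	memcpy(out, buffer, len);                   /* stands in for rds_info_copy() */
	return count_stale(out, len);
}

/* Convenience wrapper: leak size for a connecting or up connection. */
size_t leak_bytes(int up, int zero_first)
{
	struct conn c = { up ? CONN_UP : CONN_CONNECTING, 0x0a630001u, 0x0a630002u, 0, 0 };
	uint8_t item[sizeof(struct info_rdma_connection)];
	return walk_one_item(&c, zero_first, item);
}

int main(void)
{
	struct conn c = { CONN_CONNECTING, 0x0a630001u, 0x0a630002u, 0, 0 };
	uint8_t item[sizeof(struct info_rdma_connection)];

	printf("item_len=%zu\n", item_len());
	printf("before fix: %zu stale bytes copied out\n", walk_one_item(&c, 0, item));
	for (size_t i = 0; i < sizeof item; i++)
		if (item[i] == STALE_BYTE)
			printf("  offset %zu is stale\n", i);
	printf("after fix:  %zu stale bytes copied out\n", walk_one_item(&c, 1, item));
	return 0;
}
```

The stale offsets the model reports (40..59 and 62..67) line up with the garbage regions in the dump above; the exact bytes differ because the model uses a fixed pattern where the kernel had real stack contents.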
Changes in v2:
- retarget at the net tree (subject prefix "[PATCH net v2]", net/rds: prefix in the title)
- pick up Reviewed-by tags from Sharath Srinivasan and Allison Henderson
Affected Products: Linux