Why/how is it possible to post a receive WR to an mlx5 device without a memory registration, using a bogus LKey, and still successfully receive into arbitrary process memory?

I have created a pair of small test programs that exchange a message using IB Verbs. I can post a receive using a bogus LKey without making a memory registration at all and then successfully receive into a piece of process memory. This is while using ConnectX-5 Ex hardware and I can reproduce it on Linux or FreeBSD. (A send, however, fails as expected without a registration.)

I’ve looked at ibv_post_recv in libibverbs and see that it just calls through a function pointer to mlx5_post_recv in libmlx5. I have looked at mlx5_post_recv and see that it does nothing more to the SG entries than convert them to big-endian, stuff them into a WQE, and ring the doorbell—as I would expect. Without the page translation table established by the MR, how is the RNIC even able to DMA to the correct location? Is this behavior intentional? Is there a way to prevent myself from accidentally producing a remote scribbler by posting an illegitimate address in a receive in my production code?

Caveat: This only seems to work for messages not exceeding 256 bytes.

Attached is a program demonstrating the issue.

Heh… By “256” I meant “32.” Obviously. ;-)

Hi Michael,

We moved this request to an NVIDIA Networking support ticket as you have a valid support contract. One of our engineers is already communicating with you through the case.

Thank you,

~NVIDIA Networking Technical Support
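
On the question of how to avoid posting a receive with an illegitimate address: one application-side check, shown here as an added example that is not part of this thread or of libibverbs/libmlx5, is to validate every scatter/gather entry against the registrations the application itself tracks before calling ibv_post_recv. The names sge_view, mr_view, sge_is_registered and first_unregistered_sge are hypothetical; the structs mirror only the addr/length/lkey fields of struct ibv_sge and struct ibv_mr so the code builds without the verbs headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins mirroring the addr/length/lkey fields of struct ibv_sge and
 * struct ibv_mr, so the example builds without libibverbs (assumption). */
struct sge_view { uint64_t addr; uint32_t length; uint32_t lkey; };
struct mr_view  { uint64_t addr; uint64_t length; uint32_t lkey; };

/* Hypothetical helper: returns 1 if the SGE lies wholly inside a tracked
 * registration carrying the same lkey, 0 otherwise. */
static int sge_is_registered(const struct sge_view *sge,
                             const struct mr_view *mrs, size_t n_mrs)
{
    for (size_t i = 0; i < n_mrs; i++) {
        const struct mr_view *mr = &mrs[i];
        if (sge->lkey != mr->lkey || sge->addr < mr->addr)
            continue;
        uint64_t off = sge->addr - mr->addr;
        /* Overflow-safe form of: off + sge->length <= mr->length. */
        if (off <= mr->length && sge->length <= mr->length - off)
            return 1;
    }
    return 0;
}

/* Hypothetical guard to call before ibv_post_recv(): returns the index of
 * the first SGE not covered by a tracked registration, or -1 if all are. */
static int first_unregistered_sge(const struct sge_view *sgl, size_t n_sge,
                                  const struct mr_view *mrs, size_t n_mrs)
{
    for (size_t i = 0; i < n_sge; i++)
        if (!sge_is_registered(&sgl[i], mrs, n_mrs))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample values, not taken from the post. */
    struct mr_view mrs[] = { { 0x10000, 4096, 0x1234 } };
    struct sge_view good = { 0x10100, 32, 0x1234 };
    struct sge_view bogus = { 0x7f0000000000ULL, 32, 0xdeadbeef };
    printf("good: %d, bogus: %d\n",
           first_unregistered_sge(&good, 1, mrs, 1),
           first_unregistered_sge(&bogus, 1, mrs, 1));
    return 0;
}
```

The check runs entirely in the application and only catches entries that disagree with its own registration table; it makes no assumption about what the device does with an unregistered LKey.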