I have created a pair of small test programs that exchange a message using IB Verbs. I can post a receive using a bogus LKey without making a memory registration at all and then successfully receive into a piece of process memory. This is while using ConnectX-5 Ex hardware and I can reproduce it on Linux or FreeBSD. (A send, however, fails as expected without a registration.)
I’ve looked at ibv_post_recv in libibverbs and see that it just calls through a function pointer to mlx5_post_recv in libmlx5. I have looked at mlx5_post_recv and see that it does nothing more to the SG entries than convert them to big-endian, stuff them into a WQE, and ring the doorbell—as I would expect. Without the page translation table established by the MR, how is the RNIC even able to DMA to the correct location? Is this behavior intentional? Is there a way to prevent myself from accidentally producing a remote scribbler by posting an illegitimate address in a receive in my production code?