Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-46325

Gravedad CVSS v3.1:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
08/07/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE<br /> <br /> The current implementation incorrectly handles memory regions (MRs) with<br /> page sizes different from the system PAGE_SIZE. The core issue is that<br /> rxe_set_page() is called with mr-&gt;page_size step increments, but the<br /> page_list stores individual struct page pointers, each representing<br /> PAGE_SIZE of memory.<br /> <br /> ib_sg_to_page() has ensured that when i&gt;=1 either<br /> a) SG[i-1].dma_end and SG[i].dma_addr are contiguous<br /> or<br /> b) SG[i-1].dma_end and SG[i].dma_addr are mr-&gt;page_size aligned.<br /> <br /> This leads to incorrect iova-to-va conversion in scenarios:<br /> <br /> 1) page_size iova = 0x181800<br /> sg[0]: dma_addr=0x181800, len=0x800<br /> sg[1]: dma_addr=0x173000, len=0x1000<br /> <br /> Access iova = 0x181800 + 0x810 = 0x182010<br /> Expected VA: 0x173010 (second SG, offset 0x10)<br /> Before fix:<br /> - index = (0x182010 &gt;&gt; 12) - (0x181800 &gt;&gt; 12) = 1<br /> - page_offset = 0x182010 &amp; 0xFFF = 0x10<br /> - xarray[1] stores system page base 0x170000<br /> - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)<br /> <br /> 2) page_size &gt; PAGE_SIZE (e.g., MR: 64K, system: 4K):<br /> ibmr-&gt;iova = 0x18f800<br /> sg[0]: dma_addr=0x18f800, len=0x800<br /> sg[1]: dma_addr=0x170000, len=0x1000<br /> <br /> Access iova = 0x18f800 + 0x810 = 0x190010<br /> Expected VA: 0x170010 (second SG, offset 0x10)<br /> Before fix:<br /> - index = (0x190010 &gt;&gt; 16) - (0x18f800 &gt;&gt; 16) = 1<br /> - page_offset = 0x190010 &amp; 0xFFFF = 0x10<br /> - xarray[1] stores system page for dma_addr 0x170000<br /> - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)<br /> <br /> Yi Zhang reported a kernel panic[1] years ago related to this defect.<br /> <br /> Solution:<br /> 1. Replace xarray with pre-allocated rxe_mr_page array for sequential<br /> indexing (all MR page indices are contiguous)<br /> 2. Each rxe_mr_page stores both struct page* and offset within the<br /> system page<br /> 3. Handle MR page_size != PAGE_SIZE relationships:<br /> - page_size &gt; PAGE_SIZE: Split MR pages into multiple system pages<br /> - page_size

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2.3 (incluyendo) 6.18.14 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 6.19.4 (excluyendo)