CVE-2026-46325
Gravedad CVSS v3.1:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
09/06/2026
Última modificación:
08/07/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE<br />
<br />
The current implementation incorrectly handles memory regions (MRs) with<br />
page sizes different from the system PAGE_SIZE. The core issue is that<br />
rxe_set_page() is called with mr->page_size step increments, but the<br />
page_list stores individual struct page pointers, each representing<br />
PAGE_SIZE of memory.<br />
<br />
ib_sg_to_page() has ensured that when i>=1 either<br />
a) SG[i-1].dma_end and SG[i].dma_addr are contiguous<br />
or<br />
b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.<br />
<br />
This leads to incorrect iova-to-va conversion in scenarios:<br />
<br />
1) page_size iova = 0x181800<br />
sg[0]: dma_addr=0x181800, len=0x800<br />
sg[1]: dma_addr=0x173000, len=0x1000<br />
<br />
Access iova = 0x181800 + 0x810 = 0x182010<br />
Expected VA: 0x173010 (second SG, offset 0x10)<br />
Before fix:<br />
- index = (0x182010 >> 12) - (0x181800 >> 12) = 1<br />
- page_offset = 0x182010 & 0xFFF = 0x10<br />
- xarray[1] stores system page base 0x170000<br />
- Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)<br />
<br />
2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K):<br />
ibmr->iova = 0x18f800<br />
sg[0]: dma_addr=0x18f800, len=0x800<br />
sg[1]: dma_addr=0x170000, len=0x1000<br />
<br />
Access iova = 0x18f800 + 0x810 = 0x190010<br />
Expected VA: 0x170010 (second SG, offset 0x10)<br />
Before fix:<br />
- index = (0x190010 >> 16) - (0x18f800 >> 16) = 1<br />
- page_offset = 0x190010 & 0xFFFF = 0x10<br />
- xarray[1] stores system page for dma_addr 0x170000<br />
- Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)<br />
<br />
Yi Zhang reported a kernel panic[1] years ago related to this defect.<br />
<br />
Solution:<br />
1. Replace xarray with pre-allocated rxe_mr_page array for sequential<br />
indexing (all MR page indices are contiguous)<br />
2. Each rxe_mr_page stores both struct page* and offset within the<br />
system page<br />
3. Handle MR page_size != PAGE_SIZE relationships:<br />
- page_size > PAGE_SIZE: Split MR pages into multiple system pages<br />
- page_size
Impacto
Puntuación base 3.x
9.80
Gravedad 3.x
CRÍTICA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2.3 (incluyendo) | 6.18.14 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 6.19.4 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



