PT-2026-47783 · Linux · Linux

Published

2026-06-09

·

Updated

2026-06-09

·

CVE-2026-46325

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE SIZE
The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE SIZE. The core issue is that rxe set page() is called with mr->page size step increments, but the page list stores individual struct page pointers, each representing PAGE SIZE of memory.
ib sg to page() has ensured that when i>=1 either a) SG[i-1].dma end and SG[i].dma addr are contiguous or b) SG[i-1].dma end and SG[i].dma addr are mr->page size aligned.
This leads to incorrect iova-to-va conversion in scenarios:
  1. page size < PAGE SIZE (e.g., MR: 4K, system: 64K): ibmr->iova = 0x181800 sg[0]: dma addr=0x181800, len=0x800 sg[1]: dma addr=0x173000, len=0x1000
Access iova = 0x181800 + 0x810 = 0x182010 Expected VA: 0x173010 (second SG, offset 0x10) Before fix:
  • index = (0x182010 >> 12) - (0x181800 >> 12) = 1
  • page offset = 0x182010 & 0xFFF = 0x10
  • xarray[1] stores system page base 0x170000
  • Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)
  1. page size > PAGE SIZE (e.g., MR: 64K, system: 4K): ibmr->iova = 0x18f800 sg[0]: dma addr=0x18f800, len=0x800 sg[1]: dma addr=0x170000, len=0x1000
Access iova = 0x18f800 + 0x810 = 0x190010 Expected VA: 0x170010 (second SG, offset 0x10) Before fix:
  • index = (0x190010 >> 16) - (0x18f800 >> 16) = 1
  • page offset = 0x190010 & 0xFFFF = 0x10
  • xarray[1] stores system page for dma addr 0x170000
  • Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)
Yi Zhang reported a kernel panic[1] years ago related to this defect.
Solution:
  1. Replace xarray with pre-allocated rxe mr page array for sequential indexing (all MR page indices are contiguous)
  2. Each rxe mr page stores both struct page* and offset within the system page
  3. Handle MR page size != PAGE SIZE relationships:
  • page size > PAGE SIZE: Split MR pages into multiple system pages
  • page size <= PAGE SIZE: Store offset within system page
  1. Add boundary checks and compatibility validation
This ensures correct iova-to-va conversion regardless of MR page size and system PAGE SIZE relationship, while improving performance through array-based sequential access.
Tests on 4K and 64K PAGE SIZE hosts:
  • rdma-core/pytests $ ./build/bin/run tests.py --dev eth0 rxe
  • blktest: $ TIMEOUT=30 QUICK RUN=1 USE RXE=1 NVMET TRTYPES=rdma ./check nvme srp rnbd
[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/

Related Identifiers

CVE-2026-46325

Affected Products

Linux