PT-2026-52295 · Linux · Linux
Published
2026-06-25
·
Updated
2026-06-25
·
CVE-2026-53199
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
hv netvsc: use kmap local page in netvsc copy to send buf
netvsc copy to send buf() copies page buffer entries into the VMBus
send buffer using phys to virt() on the entry PFN. Entries for the
RNDIS header and the skb linear data come from kmalloc'd memory and
are always in the kernel direct map, but entries for skb fragments
reference page cache or user pages, which on 32-bit x86 with
CONFIG HIGHMEM=y can live above the LOWMEM boundary. For such a page
phys to virt() returns an address outside the direct map and the
subsequent memcpy() faults on the transmit softirq path, which is
fatal.
Map the pages with kmap local page() instead, handling two properties
of the page buffer entries:
-
pb[i].pfn is a Hyper-V PFN at HV HYP PAGE SIZE (4K) granularity, not a native PFN. Reconstruct the physical address first and derive the native page from it, so the mapping stays correct where PAGE SIZE > HV HYP PAGE SIZE (e.g. arm64 with 64K pages).
-
Since commit 41a6328b2c55 ("hv netvsc: Preserve contiguous PFN grouping in the page buffer array"), an entry describes a full physically contiguous fragment and pb[i].len can exceed PAGE SIZE, while kmap local page() maps a single page. Copy page by page, splitting at native page boundaries.
The copy path only handles packets smaller than the send section size
(6144 bytes by default); larger packets take the cp partial path where
only the RNDIS header is copied. So entries here are bounded by the
section size and a copy is split at most once on 4K-page systems. On
!CONFIG HIGHMEM configs kmap local page() folds to page address() and
no mapping work is added.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux