Vulnerability-Lookup

CVE-2026-46325 (GCVE-0-2026-46325)

Vulnerability from cvelistv5 – Published: 2026-06-09 12:25 – Updated: 2026-06-09 12:25

Title

RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory. ib_sg_to_page() has ensured that when i>=1 either a) SG[i-1].dma_end and SG[i].dma_addr are contiguous or b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned. This leads to incorrect iova-to-va conversion in scenarios: 1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K): ibmr->iova = 0x181800 sg[0]: dma_addr=0x181800, len=0x800 sg[1]: dma_addr=0x173000, len=0x1000 Access iova = 0x181800 + 0x810 = 0x182010 Expected VA: 0x173010 (second SG, offset 0x10) Before fix: - index = (0x182010 >> 12) - (0x181800 >> 12) = 1 - page_offset = 0x182010 & 0xFFF = 0x10 - xarray[1] stores system page base 0x170000 - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong) 2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K): ibmr->iova = 0x18f800 sg[0]: dma_addr=0x18f800, len=0x800 sg[1]: dma_addr=0x170000, len=0x1000 Access iova = 0x18f800 + 0x810 = 0x190010 Expected VA: 0x170010 (second SG, offset 0x10) Before fix: - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1 - page_offset = 0x190010 & 0xFFFF = 0x10 - xarray[1] stores system page for dma_addr 0x170000 - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong) Yi Zhang reported a kernel panic[1] years ago related to this defect. Solution: 1. Replace xarray with pre-allocated rxe_mr_page array for sequential indexing (all MR page indices are contiguous) 2. Each rxe_mr_page stores both struct page* and offset within the system page 3. Handle MR page_size != PAGE_SIZE relationships: - page_size > PAGE_SIZE: Split MR pages into multiple system pages - page_size <= PAGE_SIZE: Store offset within system page 4. Add boundary checks and compatibility validation This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access. Tests on 4K and 64K PAGE_SIZE hosts: - rdma-core/pytests $ ./build/bin/run_tests.py --dev eth0_rxe - blktest: $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd [1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/409c2c5508f3d3062…
https://git.kernel.org/stable/c/836f6c13c96740277…
https://git.kernel.org/stable/c/12985e5915a0b8354…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 409c2c5508f3d30627bea576f8676de523cb906e (git) Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 836f6c13c9674027793f720be3f15ecd2b90b6ca (git) Affected: 592627ccbdff0ec6fff00fc761142a76db750dd4 , < 12985e5915a0b8354796efadaaeb201eed115377 (git) Affected: 0e443760b8b7b1e6723f4408afa056b2bc4fea12 (git) Affected: 6.2.3 , < 6.3 (semver)
Linux	Linux	Affected: 6.3 Unaffected: 0 , < 6.3 (semver) Unaffected: 6.18.14 , ≤ 6.18.* (semver) Unaffected: 6.19.4 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_mr.c",
            "drivers/infiniband/sw/rxe/rxe_verbs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "409c2c5508f3d30627bea576f8676de523cb906e",
              "status": "affected",
              "version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
              "versionType": "git"
            },
            {
              "lessThan": "836f6c13c9674027793f720be3f15ecd2b90b6ca",
              "status": "affected",
              "version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
              "versionType": "git"
            },
            {
              "lessThan": "12985e5915a0b8354796efadaaeb201eed115377",
              "status": "affected",
              "version": "592627ccbdff0ec6fff00fc761142a76db750dd4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0e443760b8b7b1e6723f4408afa056b2bc4fea12",
              "versionType": "git"
            },
            {
              "lessThan": "6.3",
              "status": "affected",
              "version": "6.2.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_mr.c",
            "drivers/infiniband/sw/rxe/rxe_verbs.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE\n\nThe current implementation incorrectly handles memory regions (MRs) with\npage sizes different from the system PAGE_SIZE. The core issue is that\nrxe_set_page() is called with mr-\u003epage_size step increments, but the\npage_list stores individual struct page pointers, each representing\nPAGE_SIZE of memory.\n\nib_sg_to_page() has ensured that when i\u003e=1 either\na) SG[i-1].dma_end and SG[i].dma_addr are contiguous\nor\nb) SG[i-1].dma_end and SG[i].dma_addr are mr-\u003epage_size aligned.\n\nThis leads to incorrect iova-to-va conversion in scenarios:\n\n1) page_size \u003c PAGE_SIZE (e.g., MR: 4K, system: 64K):\n   ibmr-\u003eiova = 0x181800\n   sg[0]: dma_addr=0x181800, len=0x800\n   sg[1]: dma_addr=0x173000, len=0x1000\n\n   Access iova = 0x181800 + 0x810 = 0x182010\n   Expected VA: 0x173010 (second SG, offset 0x10)\n   Before fix:\n     - index = (0x182010 \u003e\u003e 12) - (0x181800 \u003e\u003e 12) = 1\n     - page_offset = 0x182010 \u0026 0xFFF = 0x10\n     - xarray[1] stores system page base 0x170000\n     - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)\n\n2) page_size \u003e PAGE_SIZE (e.g., MR: 64K, system: 4K):\n   ibmr-\u003eiova = 0x18f800\n   sg[0]: dma_addr=0x18f800, len=0x800\n   sg[1]: dma_addr=0x170000, len=0x1000\n\n   Access iova = 0x18f800 + 0x810 = 0x190010\n   Expected VA: 0x170010 (second SG, offset 0x10)\n   Before fix:\n     - index = (0x190010 \u003e\u003e 16) - (0x18f800 \u003e\u003e 16) = 1\n     - page_offset = 0x190010 \u0026 0xFFFF = 0x10\n     - xarray[1] stores system page for dma_addr 0x170000\n     - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)\n\nYi Zhang reported a kernel panic[1] years ago related to this defect.\n\nSolution:\n1. Replace xarray with pre-allocated rxe_mr_page array for sequential\n   indexing (all MR page indices are contiguous)\n2. Each rxe_mr_page stores both struct page* and offset within the\n   system page\n3. Handle MR page_size != PAGE_SIZE relationships:\n   - page_size \u003e PAGE_SIZE: Split MR pages into multiple system pages\n   - page_size \u003c= PAGE_SIZE: Store offset within system page\n4. Add boundary checks and compatibility validation\n\nThis ensures correct iova-to-va conversion regardless of MR page size\nand system PAGE_SIZE relationship, while improving performance through\narray-based sequential access.\n\nTests on 4K and 64K PAGE_SIZE hosts:\n- rdma-core/pytests\n  $ ./build/bin/run_tests.py  --dev eth0_rxe\n- blktest:\n  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd\n\n[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T12:25:52.792Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/409c2c5508f3d30627bea576f8676de523cb906e"
        },
        {
          "url": "https://git.kernel.org/stable/c/836f6c13c9674027793f720be3f15ecd2b90b6ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/12985e5915a0b8354796efadaaeb201eed115377"
        }
      ],
      "title": "RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46325",
    "datePublished": "2026-06-09T12:25:52.792Z",
    "dateReserved": "2026-05-13T15:03:33.112Z",
    "dateUpdated": "2026-06-09T12:25:52.792Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46325",
      "date": "2026-06-10",
      "epss": "0.00017",
      "percentile": "0.04236"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46325\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-09T14:16:42.177\",\"lastModified\":\"2026-06-09T14:16:42.177\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE\\n\\nThe current implementation incorrectly handles memory regions (MRs) with\\npage sizes different from the system PAGE_SIZE. The core issue is that\\nrxe_set_page() is called with mr-\u003epage_size step increments, but the\\npage_list stores individual struct page pointers, each representing\\nPAGE_SIZE of memory.\\n\\nib_sg_to_page() has ensured that when i\u003e=1 either\\na) SG[i-1].dma_end and SG[i].dma_addr are contiguous\\nor\\nb) SG[i-1].dma_end and SG[i].dma_addr are mr-\u003epage_size aligned.\\n\\nThis leads to incorrect iova-to-va conversion in scenarios:\\n\\n1) page_size \u003c PAGE_SIZE (e.g., MR: 4K, system: 64K):\\n   ibmr-\u003eiova = 0x181800\\n   sg[0]: dma_addr=0x181800, len=0x800\\n   sg[1]: dma_addr=0x173000, len=0x1000\\n\\n   Access iova = 0x181800 + 0x810 = 0x182010\\n   Expected VA: 0x173010 (second SG, offset 0x10)\\n   Before fix:\\n     - index = (0x182010 \u003e\u003e 12) - (0x181800 \u003e\u003e 12) = 1\\n     - page_offset = 0x182010 \u0026 0xFFF = 0x10\\n     - xarray[1] stores system page base 0x170000\\n     - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)\\n\\n2) page_size \u003e PAGE_SIZE (e.g., MR: 64K, system: 4K):\\n   ibmr-\u003eiova = 0x18f800\\n   sg[0]: dma_addr=0x18f800, len=0x800\\n   sg[1]: dma_addr=0x170000, len=0x1000\\n\\n   Access iova = 0x18f800 + 0x810 = 0x190010\\n   Expected VA: 0x170010 (second SG, offset 0x10)\\n   Before fix:\\n     - index = (0x190010 \u003e\u003e 16) - (0x18f800 \u003e\u003e 16) = 1\\n     - page_offset = 0x190010 \u0026 0xFFFF = 0x10\\n     - xarray[1] stores system page for dma_addr 0x170000\\n     - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)\\n\\nYi Zhang reported a kernel panic[1] years ago related to this defect.\\n\\nSolution:\\n1. Replace xarray with pre-allocated rxe_mr_page array for sequential\\n   indexing (all MR page indices are contiguous)\\n2. Each rxe_mr_page stores both struct page* and offset within the\\n   system page\\n3. Handle MR page_size != PAGE_SIZE relationships:\\n   - page_size \u003e PAGE_SIZE: Split MR pages into multiple system pages\\n   - page_size \u003c= PAGE_SIZE: Store offset within system page\\n4. Add boundary checks and compatibility validation\\n\\nThis ensures correct iova-to-va conversion regardless of MR page size\\nand system PAGE_SIZE relationship, while improving performance through\\narray-based sequential access.\\n\\nTests on 4K and 64K PAGE_SIZE hosts:\\n- rdma-core/pytests\\n  $ ./build/bin/run_tests.py  --dev eth0_rxe\\n- blktest:\\n  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd\\n\\n[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/12985e5915a0b8354796efadaaeb201eed115377\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/409c2c5508f3d30627bea576f8676de523cb906e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/836f6c13c9674027793f720be3f15ecd2b90b6ca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

FKIE_CVE-2026-46325

Vulnerability from fkie_nvd - Published: 2026-06-09 14:16 - Updated: 2026-06-09 14:16

Severity

Summary

References

	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/12985e5915a0b8354796efadaaeb201eed115377
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/409c2c5508f3d30627bea576f8676de523cb906e
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/836f6c13c9674027793f720be3f15ecd2b90b6ca

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE\n\nThe current implementation incorrectly handles memory regions (MRs) with\npage sizes different from the system PAGE_SIZE. The core issue is that\nrxe_set_page() is called with mr-\u003epage_size step increments, but the\npage_list stores individual struct page pointers, each representing\nPAGE_SIZE of memory.\n\nib_sg_to_page() has ensured that when i\u003e=1 either\na) SG[i-1].dma_end and SG[i].dma_addr are contiguous\nor\nb) SG[i-1].dma_end and SG[i].dma_addr are mr-\u003epage_size aligned.\n\nThis leads to incorrect iova-to-va conversion in scenarios:\n\n1) page_size \u003c PAGE_SIZE (e.g., MR: 4K, system: 64K):\n   ibmr-\u003eiova = 0x181800\n   sg[0]: dma_addr=0x181800, len=0x800\n   sg[1]: dma_addr=0x173000, len=0x1000\n\n   Access iova = 0x181800 + 0x810 = 0x182010\n   Expected VA: 0x173010 (second SG, offset 0x10)\n   Before fix:\n     - index = (0x182010 \u003e\u003e 12) - (0x181800 \u003e\u003e 12) = 1\n     - page_offset = 0x182010 \u0026 0xFFF = 0x10\n     - xarray[1] stores system page base 0x170000\n     - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)\n\n2) page_size \u003e PAGE_SIZE (e.g., MR: 64K, system: 4K):\n   ibmr-\u003eiova = 0x18f800\n   sg[0]: dma_addr=0x18f800, len=0x800\n   sg[1]: dma_addr=0x170000, len=0x1000\n\n   Access iova = 0x18f800 + 0x810 = 0x190010\n   Expected VA: 0x170010 (second SG, offset 0x10)\n   Before fix:\n     - index = (0x190010 \u003e\u003e 16) - (0x18f800 \u003e\u003e 16) = 1\n     - page_offset = 0x190010 \u0026 0xFFFF = 0x10\n     - xarray[1] stores system page for dma_addr 0x170000\n     - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)\n\nYi Zhang reported a kernel panic[1] years ago related to this defect.\n\nSolution:\n1. Replace xarray with pre-allocated rxe_mr_page array for sequential\n   indexing (all MR page indices are contiguous)\n2. Each rxe_mr_page stores both struct page* and offset within the\n   system page\n3. Handle MR page_size != PAGE_SIZE relationships:\n   - page_size \u003e PAGE_SIZE: Split MR pages into multiple system pages\n   - page_size \u003c= PAGE_SIZE: Store offset within system page\n4. Add boundary checks and compatibility validation\n\nThis ensures correct iova-to-va conversion regardless of MR page size\nand system PAGE_SIZE relationship, while improving performance through\narray-based sequential access.\n\nTests on 4K and 64K PAGE_SIZE hosts:\n- rdma-core/pytests\n  $ ./build/bin/run_tests.py  --dev eth0_rxe\n- blktest:\n  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd\n\n[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/"
    }
  ],
  "id": "CVE-2026-46325",
  "lastModified": "2026-06-09T14:16:42.177",
  "metrics": {},
  "published": "2026-06-09T14:16:42.177",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/12985e5915a0b8354796efadaaeb201eed115377"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/409c2c5508f3d30627bea576f8676de523cb906e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/836f6c13c9674027793f720be3f15ecd2b90b6ca"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Received"
}

GHSA-RMW9-5H46-94MM

Vulnerability from github – Published: 2026-06-09 15:32 – Updated: 2026-06-09 15:32

Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory.

ib_sg_to_page() has ensured that when i>=1 either a) SG[i-1].dma_end and SG[i].dma_addr are contiguous or b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.

This leads to incorrect iova-to-va conversion in scenarios:

1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K): ibmr->iova = 0x181800 sg[0]: dma_addr=0x181800, len=0x800 sg[1]: dma_addr=0x173000, len=0x1000

Access iova = 0x181800 + 0x810 = 0x182010 Expected VA: 0x173010 (second SG, offset 0x10) Before fix: - index = (0x182010 >> 12) - (0x181800 >> 12) = 1 - page_offset = 0x182010 & 0xFFF = 0x10 - xarray[1] stores system page base 0x170000 - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)

2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K): ibmr->iova = 0x18f800 sg[0]: dma_addr=0x18f800, len=0x800 sg[1]: dma_addr=0x170000, len=0x1000

Access iova = 0x18f800 + 0x810 = 0x190010 Expected VA: 0x170010 (second SG, offset 0x10) Before fix: - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1 - page_offset = 0x190010 & 0xFFFF = 0x10 - xarray[1] stores system page for dma_addr 0x170000 - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)

Yi Zhang reported a kernel panic[1] years ago related to this defect.

Solution: 1. Replace xarray with pre-allocated rxe_mr_page array for sequential indexing (all MR page indices are contiguous) 2. Each rxe_mr_page stores both struct page* and offset within the system page 3. Handle MR page_size != PAGE_SIZE relationships: - page_size > PAGE_SIZE: Split MR pages into multiple system pages - page_size <= PAGE_SIZE: Store offset within system page 4. Add boundary checks and compatibility validation

This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access.

Tests on 4K and 64K PAGE_SIZE hosts: - rdma-core/pytests $ ./build/bin/run_tests.py --dev eth0_rxe - blktest: $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd

[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-46325"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T14:16:42Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE\n\nThe current implementation incorrectly handles memory regions (MRs) with\npage sizes different from the system PAGE_SIZE. The core issue is that\nrxe_set_page() is called with mr-\u003epage_size step increments, but the\npage_list stores individual struct page pointers, each representing\nPAGE_SIZE of memory.\n\nib_sg_to_page() has ensured that when i\u003e=1 either\na) SG[i-1].dma_end and SG[i].dma_addr are contiguous\nor\nb) SG[i-1].dma_end and SG[i].dma_addr are mr-\u003epage_size aligned.\n\nThis leads to incorrect iova-to-va conversion in scenarios:\n\n1) page_size \u003c PAGE_SIZE (e.g., MR: 4K, system: 64K):\n   ibmr-\u003eiova = 0x181800\n   sg[0]: dma_addr=0x181800, len=0x800\n   sg[1]: dma_addr=0x173000, len=0x1000\n\n   Access iova = 0x181800 + 0x810 = 0x182010\n   Expected VA: 0x173010 (second SG, offset 0x10)\n   Before fix:\n     - index = (0x182010 \u003e\u003e 12) - (0x181800 \u003e\u003e 12) = 1\n     - page_offset = 0x182010 \u0026 0xFFF = 0x10\n     - xarray[1] stores system page base 0x170000\n     - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)\n\n2) page_size \u003e PAGE_SIZE (e.g., MR: 64K, system: 4K):\n   ibmr-\u003eiova = 0x18f800\n   sg[0]: dma_addr=0x18f800, len=0x800\n   sg[1]: dma_addr=0x170000, len=0x1000\n\n   Access iova = 0x18f800 + 0x810 = 0x190010\n   Expected VA: 0x170010 (second SG, offset 0x10)\n   Before fix:\n     - index = (0x190010 \u003e\u003e 16) - (0x18f800 \u003e\u003e 16) = 1\n     - page_offset = 0x190010 \u0026 0xFFFF = 0x10\n     - xarray[1] stores system page for dma_addr 0x170000\n     - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)\n\nYi Zhang reported a kernel panic[1] years ago related to this defect.\n\nSolution:\n1. Replace xarray with pre-allocated rxe_mr_page array for sequential\n   indexing (all MR page indices are contiguous)\n2. Each rxe_mr_page stores both struct page* and offset within the\n   system page\n3. Handle MR page_size != PAGE_SIZE relationships:\n   - page_size \u003e PAGE_SIZE: Split MR pages into multiple system pages\n   - page_size \u003c= PAGE_SIZE: Store offset within system page\n4. Add boundary checks and compatibility validation\n\nThis ensures correct iova-to-va conversion regardless of MR page size\nand system PAGE_SIZE relationship, while improving performance through\narray-based sequential access.\n\nTests on 4K and 64K PAGE_SIZE hosts:\n- rdma-core/pytests\n  $ ./build/bin/run_tests.py  --dev eth0_rxe\n- blktest:\n  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd\n\n[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/",
  "id": "GHSA-rmw9-5h46-94mm",
  "modified": "2026-06-09T15:32:18Z",
  "published": "2026-06-09T15:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46325"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12985e5915a0b8354796efadaaeb201eed115377"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/409c2c5508f3d30627bea576f8676de523cb906e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/836f6c13c9674027793f720be3f15ecd2b90b6ca"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

MSRC_CVE-2026-46325

Vulnerability from csaf_microsoft - Published: 2026-06-02 00:00 - Updated: 2026-06-10 01:06

Summary

RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-46325

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Unresolved product id: 17084-1		—	None Available

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-46325 RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-46325.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE",
    "tracking": {
      "current_release_date": "2026-06-10T01:06:20.000Z",
      "generator": {
        "date": "2026-06-10T07:02:18.608Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-46325",
      "initial_release_date": "2026-06-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-06-10T01:06:20.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 kernel 0:6.6.139.1-1.azl3",
                "product": {
                  "name": "azl3 kernel 0:6.6.139.1-1.azl3",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "kernel"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kernel 0:6.6.139.1-1.azl3 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-46325",
      "notes": [
        {
          "category": "general",
          "text": "Linux",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-46325 RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-46325.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-06-10T01:06:20.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        }
      ],
      "title": "RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46325 (GCVE-0-2026-46325)

FKIE_CVE-2026-46325

GHSA-RMW9-5H46-94MM

MSRC_CVE-2026-46325

Tags

Sightings

Nomenclature