CVE

DEBIAN-CVE-2026-46325

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE

The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory.

ib_sg_to_page() has ensured that when i>=1 either
a) SG[i-1].dma_end and SG[i].dma_addr are contiguous
or
b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned.

This leads to incorrect iova-to-va conversion in scenarios:

1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K):
   ibmr->iova = 0x181800
   sg[0]: dma_addr=0x181800, len=0x800
   sg[1]: dma_addr=0x173000, len=0x1000

   Access iova = 0x181800 + 0x810 = 0x182010
   Expected VA: 0x173010 (second SG, offset 0x10)
   Before fix:
     - index = (0x182010 >> 12) - (0x181800 >> 12) = 1
     - page_offset = 0x182010 & 0xFFF = 0x10
     - xarray[1] stores system page base 0x170000
     - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong)

2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K):
   ibmr->iova = 0x18f800
   sg[0]: dma_addr=0x18f800, len=0x800
   sg[1]: dma_addr=0x170000, len=0x1000

   Access iova = 0x18f800 + 0x810 = 0x190010
   Expected VA: 0x170010 (second SG, offset 0x10)
   Before fix:
     - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1
     - page_offset = 0x190010 & 0xFFFF = 0x10
     - xarray[1] stores system page for dma_addr 0x170000
     - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong)

Yi Zhang reported a kernel panic[1] years ago related to this defect.

Solution:
1. Replace xarray with pre-allocated rxe_mr_page array for sequential indexing (all MR page indices are contiguous)
2. Each rxe_mr_page stores both struct page* and offset within the system page
3. Handle MR page_size != PAGE_SIZE relationships:
   - page_size > PAGE_SIZE: Split MR pages into multiple system pages
   - page_size <= PAGE_SIZE: Store offset within system page
4. Add boundary checks and compatibility validation

This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access.

Tests on 4K and 64K PAGE_SIZE hosts:
- rdma-core/pytests
  $ ./build/bin/run_tests.py --dev eth0_rxe
- blktest:
  $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd

[1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/
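The arithmetic of case 1 above can be replayed in user space. The following is an added example, not code from the kernel patch or from this page: struct mr_page, lookup(), va_before_fix() and va_after_fix() are hypothetical names, and DMA addresses stand in for virtual addresses exactly as they do in the commit message's worked numbers.

```c
/* User-space model of case 1 (MR page 4K, system page 64K). Not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define SYS_SHIFT 16u            /* 64K system PAGE_SIZE */
#define MR_SHIFT  12u            /* 4K mr->page_size */
#define MR_IOVA   0x181800ull    /* ibmr->iova from case 1 */
#define NPAGES    2u

/* Hypothetical entry: system page base plus the MR page's offset inside it. */
struct mr_page { uint64_t sys_base, offset; };

/* 4K-aligned address of each MR page, derived from sg[0] and sg[1]. */
static const uint64_t mr_page_addr[NPAGES] = { 0x181000ull, 0x173000ull };

/* Returns 0 and fills *e for an iova inside the MR, -1 otherwise. */
static int lookup(uint64_t iova, struct mr_page *e)
{
    uint64_t idx = (iova >> MR_SHIFT) - (MR_IOVA >> MR_SHIFT);
    uint64_t sys_mask = (1ull << SYS_SHIFT) - 1;

    if (iova < MR_IOVA || idx >= NPAGES)   /* boundary check */
        return -1;
    e->sys_base = mr_page_addr[idx] & ~sys_mask;
    e->offset   = mr_page_addr[idx] & sys_mask;
    return 0;
}

/* Pre-fix result as the message describes it: system page base + page_offset. */
static uint64_t va_before_fix(uint64_t iova)
{
    struct mr_page e;
    return lookup(iova, &e) ? 0 : e.sys_base + (iova & ((1ull << MR_SHIFT) - 1));
}

/* With the stored per-entry offset added, the second SG entry is reached. */
static uint64_t va_after_fix(uint64_t iova)
{
    struct mr_page e;
    return lookup(iova, &e) ? 0 : e.sys_base + e.offset + (iova & ((1ull << MR_SHIFT) - 1));
}

int main(void)
{
    uint64_t iova = MR_IOVA + 0x810;   /* 0x182010 */
    printf("before fix: 0x%llx\nafter fix:  0x%llx\n",
           (unsigned long long)va_before_fix(iova),
           (unsigned long long)va_after_fix(iova));
    return 0;
}
```

A return value of 0 from either function means the iova fell outside the two modelled MR pages and was rejected.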

CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://security-tracker.debian.org/tracker/CVE-2026-46325

Severity

CVSS Score: 9.8

Basic Information

Ecosystem:
Base CVSS: 9.8
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 0
Fix Available: 6.18.14-1
