From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9ADC4385D85 for ; Thu, 25 Jun 2026 08:47:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782377258; cv=none; b=u8NV19e+CUgh/oSz0hYZSzVBN4aQo+rXXn1fivumxWKMwvCBF8eJA7XKkv8efQwwi5LEspiQuFi4WumuFQsJEsmyvpeAIBND1Ot5yizc8zAgwRNo1z+k/soUSFJU769ZP2ymmT6rRg/X5I9GBw0e/HaqNEWqCKDWssD9L0H7k/Y= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782377258; c=relaxed/simple; bh=bQ7pFH9s/K5HvhSa5vw0FDkQt0Fx/EmDf/G8zPAblZI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=VH3qK3YWqD0CnVOqzGIvs4htJ49x2HecXJImUa4zjq5mQT5OeP3jdt20fXSKkV4Oc70ajLjGomJpuxUeIlC7mBtK65TYv+qToZBc8UCI/G59uTHMeON/W4FT21bG/HD/Y4Z0grPAEBSyar30jIaQGbhtHYOYRxTbjFaB1s3p0t8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Z12CtHUm; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Z12CtHUm" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A02B91F01558; Thu, 25 Jun 2026 08:47:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1782377257; bh=Ilm90WleiiXEuWSobO1cqnNjlkQedjdFt4uRb/pmPjg=; h=From:To:Cc:Subject:Date:Reply-To; b=Z12CtHUmeEf+4/x2OS0j7ItHO1YbG0M5AM9R6TYR3FxRHoiW+odR6FcovwZ6ctxPI pCIlgqrLbV0kaizQO0K+EBIYEvgijx/9M39KTNOCeWPszpz2GQV7aLuOvOotaLTWAF RyPG+0gUJtasfGAmgNrmi0LSKKvCsn7UgLrP2Cq0= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-53199: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf Date: Thu, 25 Jun 2026 09:40:47 +0100 Message-ID: <2026062500-CVE-2026-53199-e12a@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4756; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=M6kKyrjb4YkCgl1SChXv/KR1PLh1tR+8l9PkA/DUupQ=; b=owGbwMvMwCRo6H6F97bub03G02pJDFk2LxPUw2REzxslXjWNKHzxY8HjM2LfqwSmrLTdevDub cOZvVEPOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiuTIMCzaf21PsemABW+ok hRTHC5lb92//38swP8bDZOsR54X/nnHMNOjbfslCapZWJwA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf netvsc_copy_to_send_buf() copies page buffer entries into the VMBus send buffer using phys_to_virt() on the entry PFN. Entries for the RNDIS header and the skb linear data come from kmalloc'd memory and are always in the kernel direct map, but entries for skb fragments reference page cache or user pages, which on 32-bit x86 with CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page phys_to_virt() returns an address outside the direct map and the subsequent memcpy() faults on the transmit softirq path, which is fatal. Map the pages with kmap_local_page() instead, handling two properties of the page buffer entries: - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity, not a native PFN. Reconstruct the physical address first and derive the native page from it, so the mapping stays correct where PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages). - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN grouping in the page buffer array"), an entry describes a full physically contiguous fragment and pb[i].len can exceed PAGE_SIZE, while kmap_local_page() maps a single page. Copy page by page, splitting at native page boundaries. The copy path only handles packets smaller than the send section size (6144 bytes by default); larger packets take the cp_partial path where only the RNDIS header is copied. So entries here are bounded by the section size and a copy is split at most once on 4K-page systems. On !CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and no mapping work is added. The Linux kernel CVE team has assigned CVE-2026-53199 to this issue. Affected and fixed versions =========================== Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 5.10.259 with commit 16514afeb7d3d121072ba9a0b640d6c1c5507db0 Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 5.15.210 with commit a82d4251918f37d9c5aab7b365157669fb885ec3 Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.1.176 with commit 695c59cf7bf707e6ff8cea01916ee50e86616933 Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.6.143 with commit 09b8a7aa5a341bb345dc492aac139525efa13515 Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.12.94 with commit 918c0c988239aa5ab96b254e504d191af6191061 Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 6.18.36 with commit 0b38870d81ab3a04c1ab0598d9d3285f5d9d0584 Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 7.0.13 with commit fe7221b4346418d27ec2daccfc09df6692b76f0b Issue introduced in 3.16 with commit c25aaf814a63f9d9c4e45416f13d70ef0aa0be2e and fixed in 7.1 with commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-53199 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/hyperv/netvsc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/16514afeb7d3d121072ba9a0b640d6c1c5507db0 https://git.kernel.org/stable/c/a82d4251918f37d9c5aab7b365157669fb885ec3 https://git.kernel.org/stable/c/695c59cf7bf707e6ff8cea01916ee50e86616933 https://git.kernel.org/stable/c/09b8a7aa5a341bb345dc492aac139525efa13515 https://git.kernel.org/stable/c/918c0c988239aa5ab96b254e504d191af6191061 https://git.kernel.org/stable/c/0b38870d81ab3a04c1ab0598d9d3285f5d9d0584 https://git.kernel.org/stable/c/fe7221b4346418d27ec2daccfc09df6692b76f0b https://git.kernel.org/stable/c/004e9ecfe6c5384f9e0b2f6f6389d42ec22789af