From: Jason Gunthorpe <jgg@nvidia.com> mainline inclusion from mainline-v7.1 commit 15fe76e23615f502d051ef0768f86babaf08746c category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15827 CVE: CVE-2026-53133 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When the iommu is used the linearization of the mapping can give a single block that is very large split across multiple SG entries. When __rdma_block_iter_next() reassembles the split SG entries it is overflowing the 32 bit stack values and computed the wrong DMA addresses for blocks after the truncation. Use the right types to hold DMA addresses. Link: https://patch.msgid.link/r/1-v1-88303e9e509f+f7-ib_umem_types_jgg@nvidia.com Cc: stable@vger.kernel.org Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks") Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Conflicts: drivers/infiniband/core/iter.c drivers/infiniband/core/verbs.c [Newer versions moved this function to iter.c, this version adapts the changes in verbs.c.] Signed-off-by: Xia Fukun <xiafukun@huawei.com> --- drivers/infiniband/core/verbs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c index 47a969a7f6f6..1b87b8d02cf9 100644 --- a/drivers/infiniband/core/verbs.c +++ b/drivers/infiniband/core/verbs.c @@ -2644,7 +2644,7 @@ EXPORT_SYMBOL(__rdma_block_iter_start); bool __rdma_block_iter_next(struct ib_block_iter *biter) { - unsigned int block_offset; + dma_addr_t block_offset; if (!biter->__sg_nents || !biter->__sg) return false; -- 2.34.1