CVE-2025-40199

Description

In the Linux kernel, the following vulnerability has been resolved:

page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches

Helge reported that the introduction of PP_MAGIC_MASK led to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine.

Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages.

The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives.

Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types is complete for page_pool pages.

v2:
- Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap

Risk Information

Base Score: 7.0 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 0.025

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234