CVE-2025-40199

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/11/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches

Helge reported that the introduction of PP_MAGIC_MASK led to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine.

Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages.

The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives.

Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types is complete for page_pool pages.

v2:
- Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap
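The false positive and the bounded mask described above can be reproduced in a small user-space model. This is an added example, not the kernel patch or code from this record. Every constant in it is an assumption made for the model: 32-bit words, a signature value of 0x40, an index field starting at bit 7, a too-wide index width of 23 bits, and a constructed PAGE_OFFSET of 0x10000000.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model constants, not taken from the record. */
#define SIGNATURE   0x40u  /* tag value expected in the pp_magic word */
#define INDEX_SHIFT 7u     /* first bit of the DMA index field */
#define MIN_BITS    8u     /* "at least 8 bits available" (v2 note) */
#define WIDE_BITS   23u    /* assumed too-wide index field, for contrast */

/* Position of the lowest set bit; the caller guarantees v != 0. */
static unsigned lowest_bit(uint32_t v)
{
    unsigned n = 0;
    while (!(v & 1u)) { v >>= 1; n++; }
    return n;
}

/* Index width bounded by the lowest set bit of page_offset.
 * Returns 0 (index storage disabled) when page_offset is zero, too low,
 * or has low bits set; that check also keeps the subtraction from wrapping. */
unsigned index_bits_bounded(uint32_t page_offset)
{
    uint32_t min_offset = 1u << (INDEX_SHIFT + MIN_BITS);
    if (page_offset < min_offset || (page_offset & (min_offset - 1)))
        return 0;
    return lowest_bit(page_offset) - INDEX_SHIFT;
}

/* Magic mask covers every bit except the index field and the low two bits. */
uint32_t magic_mask(unsigned index_bits)
{
    uint32_t index_mask = index_bits ? (((1u << index_bits) - 1) << INDEX_SHIFT) : 0;
    return ~(index_mask | 0x3u);
}

/* Model of the "is this a page_pool-tagged page" test on one word. */
int looks_like_pp(uint32_t word, uint32_t mask)
{
    return (word & mask) == SIGNATURE;
}

int main(void)
{
    uint32_t page_offset = 0x10000000u;  /* constructed PAGE_OFFSET */
    uint32_t ptr = page_offset | 0x40u;  /* constructed kernel pointer aliasing pp_magic */
    unsigned bits = index_bits_bounded(page_offset);
    printf("wide mask    0x%08x -> match=%d\n", (unsigned)magic_mask(WIDE_BITS), looks_like_pp(ptr, magic_mask(WIDE_BITS)));
    printf("bounded mask 0x%08x -> match=%d\n", (unsigned)magic_mask(bits), looks_like_pp(ptr, magic_mask(bits)));
    return 0;
}
```

With the wide mask the pointer's PAGE_OFFSET bit falls inside the ignored index field, so the pointer is taken for a tagged page; with the bounded mask that bit is part of the comparison and the match fails.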

Impact