CVE-2026-43486

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults<br /> <br /> contpte_ptep_set_access_flags() compared the gathered ptep_get() value<br /> against the requested entry to detect no-ops. ptep_get() ORs AF/dirty<br /> from all sub-PTEs in the CONT block, so a dirty sibling can make the<br /> target appear already-dirty. When the gathered value matches entry, the<br /> function returns 0 even though the target sub-PTE still has PTE_RDONLY<br /> set in hardware.<br /> <br /> For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may<br /> set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered<br /> across the CONT range. But page-table walkers that evaluate each<br /> descriptor individually (e.g. a CPU without DBM support, or an SMMU<br /> without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the<br /> unchanged target sub-PTE, causing an infinite fault loop.<br /> <br /> Gathering can therefore cause false no-ops when only a sibling has been<br /> updated:<br /> - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)<br /> - read faults: target still lacks PTE_AF<br /> <br /> Fix by checking each sub-PTE against the requested AF/dirty/write state<br /> (the same bits consumed by __ptep_set_access_flags()), using raw<br /> per-PTE values rather than the gathered ptep_get() view, before<br /> returning no-op. Keep using the raw target PTE for the write-bit unfold<br /> decision.<br /> <br /> Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT<br /> range may become the effective cached translation and software must<br /> maintain consistent attributes across the range.