CVE-2025-40199
Description
In the Linux kernel, the following vulnerability has been resolved:
page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches
Helge reported that the introduction of PP_MAGIC_MASK let to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine.
Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch changes the define for PP_DMA_INDEX_BITS to avoid mistaking arbitrary kernel pointers for page_pool-tagged pages.
The fix relies on the kernel pointers that alias with the pp_magic field always being above PAGE_OFFSET. With this assumption, we can use the lowest bit of the value of PAGE_OFFSET as the upper bound of the PP_DMA_INDEX_MASK, which should avoid the false positives.
Because we cannot rely on PAGE_OFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dma_index storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types in complete for page_pool pages.
v2: - Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flawed PP_MAGIC_MASK in Linux's page_pool causes false-positive page pointer checks, crashing 32-bit parisc systems.
The Linux kernel's page_pool subsystem introduced a PP_MAGIC_MASK to identify page_pool-managed pages via a magic field. Due to an overly broad mask, the check page_pool_page_is_pp() produces false positives on 32-bit parisc architectures, misidentifying arbitrary kernel pointers as page_pool pages and causing system crashes [1].
The root cause lies in PP_DMA_INDEX_BITS conflicting with pointer aliasing on architectures where PAGE_OFFSET is low. The patch redefines the mask to avoid overlaps by using the lowest bit of PAGE_OFFSET as an upper bound for the mask, ensuring only pages within the expected address range are tagged [1]. When insufficient bits are available, the dma_index storage is disabled entirely, reverting to pre-fix behavior on affected configs.
An attacker may not directly exploit this bug, as it manifests as a kernel crash (denial of service) on targeted hardware. However, any system running an unpatched kernel on 32-bit parisc is vulnerable to accidental crashes triggered by normal memory operations, making systems unreliable.
Mitigation requires applying the stable commit f62934cea32c from the Linux kernel tree. No workaround exists besides upgrading; the fix ensures compatibility without sacrificing page_pool functionality on most architectures [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
315b8a5b4cdc1f62934cea32c95920c2ed02bVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.