CVE-2025-40199

In the Linux kernel, the following vulnerability has been resolved:

pagepool: Fix PPMAGIC_MASK to avoid crashing on some 32-bit arches

Helge reported that the introduction of PPMAGICMASK let to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the pagepoolpageispp() incurs false positives which crashes the machine.

Just disabling the check in pagepoolispp() will lead to the pagepool code itself malfunctioning; so instead of doing this, this patch changes the define for PPDMAINDEXBITS to avoid mistaking arbitrary kernel pointers for pagepool-tagged pages.

The fix relies on the kernel pointers that alias with the ppmagic field always being above PAGEOFFSET. With this assumption, we can use the lowest bit of the value of PAGEOFFSET as the upper bound of the PPDMAINDEXMASK, which should avoid the false positives.

Because we cannot rely on PAGEOFFSET always being a compile-time constant, nor on it always being >0, we fall back to disabling the dmaindex storage when there are not enough bits available. This leaves us in the situation we were in before the patch in the Fixes tag, but only on a subset of architecture configurations. This seems to be the best we can do until the transition to page types in complete for page_pool pages.

v2: - Make sure there's at least 8 bits available and that the PAGE_OFFSET bit calculation doesn't wrap