)]}' { "commit": "dfd76308ba62f00253b0f99cf10089931d12241d", "tree": "c2d32ee6bfa52cef126a9b393351752ab85a4ce5", "parents": [ "5629ec06e1c073e0f3fb4a707c28f3fb1e8ef459" ], "author": { "name": "Piotr Jaroszynski", "email": "pjaroszynski@nvidia.com", "time": "Thu Mar 05 15:26:29 2026 -0800" }, "committer": { "name": "Daniel Velasquez", "email": "rdvelasquez@google.com", "time": "Tue May 19 15:34:09 2026 -0700" }, "message": "arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults\n\ncommit 97c5550b763171dbef61e6239cab372b9f9cd4a2 upstream.\n\ncontpte_ptep_set_access_flags() compared the gathered ptep_get() value\nagainst the requested entry to detect no-ops. ptep_get() ORs AF/dirty\nfrom all sub-PTEs in the CONT block, so a dirty sibling can make the\ntarget appear already-dirty. When the gathered value matches entry, the\nfunction returns 0 even though the target sub-PTE still has PTE_RDONLY\nset in hardware.\n\nFor a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may\nset AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered\nacross the CONT range. But page-table walkers that evaluate each\ndescriptor individually (e.g. a CPU without DBM support, or an SMMU\nwithout HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the\nunchanged target sub-PTE, causing an infinite fault loop.\n\nGathering can therefore cause false no-ops when only a sibling has been\nupdated:\n - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)\n - read faults: target still lacks PTE_AF\n\nFix by checking each sub-PTE against the requested AF/dirty/write state\n(the same bits consumed by __ptep_set_access_flags()), using raw\nper-PTE values rather than the gathered ptep_get() view, before\nreturning no-op. Keep using the raw target PTE for the write-bit unfold\ndecision.\n\nPer Arm ARM (DDI 0487) D8.7.1 (\"The Contiguous bit\"), any sub-PTE in a CONT\nrange may become the effective cached translation and software must\nmaintain consistent attributes across the range.\n\nBUG\u003db/513185883\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2026-43486 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: 4602e5757bcc (\"arm64/mm: wire up PTE_CONT for user mappings\")\nCc: Ryan Roberts \u003cryan.roberts@arm.com\u003e\nCc: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nCc: Will Deacon \u003cwill@kernel.org\u003e\nCc: Jason Gunthorpe \u003cjgg@nvidia.com\u003e\nCc: John Hubbard \u003cjhubbard@nvidia.com\u003e\nCc: Zi Yan \u003cziy@nvidia.com\u003e\nCc: Breno Leitao \u003cleitao@debian.org\u003e\nCc: stable@vger.kernel.org\nReviewed-by: Alistair Popple \u003capopple@nvidia.com\u003e\nReviewed-by: James Houghton \u003cjthoughton@google.com\u003e\nReviewed-by: Ryan Roberts \u003cryan.roberts@arm.com\u003e\nReviewed-by: Catalin Marinas \u003ccatalin.marinas@arm.com\u003e\nTested-by: Breno Leitao \u003cleitao@debian.org\u003e\nChange-Id: If2989901aa480902a64bc69dec6d08dbc96e9ab6\nSigned-off-by: Piotr Jaroszynski \u003cpjaroszynski@nvidia.com\u003e\nAcked-by: Balbir Singh \u003cbalbirs@nvidia.com\u003e\nSigned-off-by: Will Deacon \u003cwill@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/152044\nReviewed-by: Daniel Velasquez \u003crdvelasquez@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Miri Amarilio \u003cmirilio@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "55107d27d3f8834f85f4d968e770fc47e1b61521", "old_mode": 33188, "old_path": "arch/arm64/mm/contpte.c", "new_id": "726c56aa2dfcc8eb3420cf69e3b1f22f5fb4a028", "new_mode": 33188, "new_path": "arch/arm64/mm/contpte.c" } ] }