PT-2021-8026 · Linux · Linux Kernel

Peter Robinson

·

Published

2021-03-25

·

Updated

2024-04-18

·

CVE-2021-46910

CVSS v3.1

5.5

Medium

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.11.0+
Description: The vulnerability is related to the kmap_local() function in the Linux kernel, which doubles the number of per-CPU fixmap slots allocated for kmap_local() in order to use half of them as guard regions. This causes the fixmap region to grow downwards beyond the start of its reserved window if the supported number of CPUs is large, and to collide with the newly added virtual DT mapping right below it. One manifestation of this is EFI boot on a kernel built with NR_CPUS=32 and CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting in block entries below the fixmap region that the fixmap code misidentifies as fixmap table entries and subsequently tries to dereference using a phys-to-virt translation that is only valid for lowmem.
Recommendations: To resolve the issue, limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also, fix the BUILD_BUG_ON() check that was supposed to catch this, by checking whether the region grows below the start address rather than above the end address. As a temporary workaround, consider disabling the kmap_local() function until a patch is available.
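The check direction described above, as an added example that is not the advisory's or the kernel's own code: a small C model of the fixmap window (the window bounds, page size and the slots-per-CPU value are assumptions modelled on the 32-bit ARM layout) showing why a check against the end of the window never fires for a downward-growing region, while a check against its start catches the NR_CPUS=32 with CONFIG_DEBUG_KMAP_LOCAL=y configuration and passes the recommended NR_CPUS=16.

```c
#include <stdio.h>

/* Assumed constants, modelled on the 32-bit ARM fixmap window (not kernel headers). */
#define PAGE_SHIFT     12
#define PAGE_SIZE      (1UL << PAGE_SHIFT)
#define FIXADDR_START  0xffc80000UL
#define FIXADDR_END    0xfff00000UL
#define FIXADDR_TOP    (FIXADDR_END - PAGE_SIZE)
#define KM_MAX_IDX     16UL   /* assumed kmap_local() slots per CPU */

/* DEBUG_KMAP_LOCAL doubles the per-CPU slots so half can serve as guard pages. */
unsigned long kmap_slots_per_cpu(int debug_kmap_local)
{
    return debug_kmap_local ? 2UL * KM_MAX_IDX : KM_MAX_IDX;
}

/* Lowest virtual address the fixmap region reaches: it grows down from FIXADDR_TOP. */
unsigned long fixmap_lowest_vaddr(unsigned nr_cpus, int debug_kmap_local)
{
    unsigned long nslots = kmap_slots_per_cpu(debug_kmap_local) * nr_cpus;
    return FIXADDR_TOP - (nslots << PAGE_SHIFT);
}

/* Old check direction: compares the region against the END of the window.
 * The top of the region is always FIXADDR_TOP, so this can never fail. */
int old_end_check_passes(unsigned nr_cpus, int debug_kmap_local)
{
    (void)nr_cpus; (void)debug_kmap_local;
    return FIXADDR_TOP + PAGE_SIZE <= FIXADDR_END;
}

/* Corrected direction: the region must not grow below the START of the window. */
int new_start_check_passes(unsigned nr_cpus, int debug_kmap_local)
{
    return fixmap_lowest_vaddr(nr_cpus, debug_kmap_local) >= FIXADDR_START;
}

int main(void)
{
    unsigned cpus[] = {16, 32};
    for (int dbg = 0; dbg <= 1; dbg++)
        for (int i = 0; i < 2; i++)
            printf("NR_CPUS=%2u DEBUG_KMAP_LOCAL=%d lowest=0x%08lx old_check=%s new_check=%s\n",
                   cpus[i], dbg, fixmap_lowest_vaddr(cpus[i], dbg),
                   old_end_check_passes(cpus[i], dbg) ? "pass" : "FAIL",
                   new_start_check_passes(cpus[i], dbg) ? "pass" : "FAIL");
    return 0;
}
```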

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-03151
CVE-2021-46910

Affected Products

Linux Kernel
Red Os