PT-2026-52927 · Undefined · Undefined

Published: 2026-06-26 · Updated: 2026-06-26 · CVE-2026-53288

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
arm64: Reserve an extra page for early kernel mapping
The final part of [data, end) segment may overflow into the next page of init_pg_end[1] which is the gap page before early_init_stack[2]:

[1]
  crash arm64 v9.0.1> vtop ffffffed00601000
  VIRTUAL           PHYSICAL
  ffffffed00601000  83401000

  PAGE DIRECTORY: ffffffecffd62000
     PGD: ffffffecffd62da0 => 10000000833fb003
     PMD: ffffff80033fb018 => 10000000833fe003
     PTE: ffffff80033fe008 => 68000083401f03
    PAGE: 83401000

  PTE             PHYSICAL  FLAGS
  68000083401f03  83401000  (VALID|SHARED|AF|NG|PXN|UXN)

  PAGE              PHYSICAL  MAPPING  INDEX  CNT  FLAGS
  fffffffec00d0040  83401000  0        0      1    4000 reserved

[2]
  ffffffed002c8000 (r) pi data
  ffffffed0054e000 (d) pi bss start
  ffffffed005f5000 (b) pi init pg dir
  ffffffed005fe000 (b) pi init pg end
  ffffffed005ff000 (B) early init stack
  ffffffed00608000 (b) pi end

For 4K pages, the early kernel mapping may use 2MB block entries but the kernel segments are only 64KB aligned. Segment boundaries that fall within a 2MB block therefore require a PTE table so that different attributes can be applied on either side of the boundary.
KERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel VMAs registered by declare_kernel_vmas(). However, since commit 5973a62efa34 ("arm64: map [_text, _stext) virtual address range non-executable+read-only"), the early mapper also maps [_text, _stext) separately from [_stext, _etext). This adds one more early-only split and can require one more page-table page than the existing EARLY_SEGMENT_EXTRA_PAGES allowance reserves.
Increase the 4K-page early mapping allowance by one page to cover that additional split.
[catalin.marinas@arm.com: rewrote part of the commit log]
[catalin.marinas@arm.com: expanded the code comment]
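
The counting argument in the description can be checked with a small model. This is an added example, not kernel code: it counts one PTE-table page for each 2MB block that contains a segment boundary not aligned to 2MB. The function name, array names and all addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE    (UINT64_C(2) << 20)    /* 2MB block entry with 4K pages */
#define SEGMENT_ALIGN (UINT64_C(64) << 10)   /* segments are 64KB aligned */
#define BASE          UINT64_C(0xffffffed00000000) /* constructed, 2MB aligned */

/*
 * Count PTE-table pages for a sorted list of segment boundaries: one page
 * per distinct 2MB block containing a boundary that is not 2MB aligned.
 * Returns -1 if the list is unsorted or a boundary is not 64KB aligned.
 */
static int pte_table_pages(const uint64_t *bounds, size_t n)
{
    uint64_t last_block = UINT64_MAX;
    int pages = 0;

    for (size_t i = 0; i < n; i++) {
        if (bounds[i] % SEGMENT_ALIGN || (i && bounds[i] <= bounds[i - 1]))
            return -1;
        if (bounds[i] % BLOCK_SIZE == 0)
            continue;                /* boundary sits on a block edge */
        uint64_t block = bounds[i] / BLOCK_SIZE;
        if (block != last_block) {   /* first split seen inside this block */
            pages++;
            last_block = block;
        }
    }
    return pages;
}

/* Constructed layouts (hypothetical addresses, not taken from the report). */
static const uint64_t merged_text[] = {   /* text mapped as a single range */
    BASE, BASE + 0x2d0000, BASE + 0x2f0000, BASE + 0x430000,
    BASE + 0x650000, BASE + 0x810000,
};
static const uint64_t split_text[] = {    /* extra split 64KB into the image */
    BASE, BASE + 0x010000, BASE + 0x2d0000, BASE + 0x2f0000,
    BASE + 0x430000, BASE + 0x650000, BASE + 0x810000,
};

int main(void)
{
    int before = pte_table_pages(merged_text, 6);
    int after = pte_table_pages(split_text, 7);
    printf("PTE table pages: %d without the split, %d with it\n", before, after);
    return after == before + 1 ? 0 : 1;
}
```

Two boundaries inside the same 2MB block share one PTE table, so an extra split costs a page only when it lands in a block that had no split before, as the constructed 64KB offset does here.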

Related Identifiers

CVE-2026-53288

Affected Products

Undefined