The Linux kernel vulnerability CVE-2021-46910 is triggered when the `DEBUG_KMAP_LOCAL` debugging feature is enabled on a kernel configured for a large number of CPUs. With that feature on, the fixmap region grows downwards beyond its reserved window and collides with the virtual DT mapping directly below it. The fixmap code then misidentifies the DT's block entries as fixmap table entries and tries to dereference them through an invalid phys-to-virt translation.
On ARM, the issue manifests during EFI boot on a kernel built with `NR_CPUS=32` and `CONFIG_DEBUG_KMAP_LOCAL=y`, where it surfaces as a kernel paging request error ("Unable to handle kernel paging request") caused by exactly this collision.
To resolve this issue, the maximum number of CPUs is limited to 16 when `DEBUG_KMAP_LOCAL` is enabled, and a BUILD_BUG_ON() check is fixed to catch this condition. The vulnerability was introduced in Linux kernel version 5.11 with commit 2a15ba82fa6c and was fixed in versions 5.11.16 and 5.12 with commits 5965ac11b1d5 and d624833f5984, respectively.
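The following is an added example, not code from the page or from the kernel tree: a small user-space model of the ARM fixmap layout that shows why `NR_CPUS=32` overflows the window under `DEBUG_KMAP_LOCAL` while `NR_CPUS=16` fits, and what a correct compile-time bound has to check. The window addresses, the per-CPU slot counts (16 normally, 33 with guard pages in debug mode) and the enum layout are assumptions recalled from the arch/arm fixmap and asm-generic kmap_size headers of that era, not values stated on this page.

```c
#include <stdbool.h>
#include <stdio.h>

/* ARM fixmap window, assumed from arch/arm/include/asm/fixmap.h (not from the page). */
#define PAGE_SHIFT     12
#define PAGE_SIZE      (1UL << PAGE_SHIFT)
#define FIXADDR_START  0xffc80000UL
#define FIXADDR_END    0xfff00000UL
#define FIXADDR_TOP    (FIXADDR_END - PAGE_SIZE)

/* Per-CPU kmap_local slots: 16 normally, 33 with CONFIG_DEBUG_KMAP_LOCAL
 * (a guard page between slots). Assumed from asm-generic/kmap_size.h. */
static unsigned long km_max_idx(bool debug_kmap_local)
{
    return debug_kmap_local ? 33 : 16;
}

/* Model of the fixed_addresses enum: one permanent slot (earlycon), then
 * KM_MAX_IDX * NR_CPUS kmap slots, then two text-poke slots. The value
 * returned plays the role of __end_of_fixmap_region. */
static unsigned long end_of_fixmap_region(unsigned nr_cpus, bool debug)
{
    unsigned long permanent = 1;                   /* FIX_EARLYCON_MEM_BASE */
    unsigned long kmap = km_max_idx(debug) * nr_cpus;
    unsigned long text_poke = 2;                   /* FIX_TEXT_POKE0/1 */
    return permanent + kmap + text_poke;
}

/* __fix_to_virt(): fixmap slots are handed out downwards from FIXADDR_TOP. */
static unsigned long fix_to_virt(unsigned long idx)
{
    return FIXADDR_TOP - (idx << PAGE_SHIFT);
}

/* The condition a correct BUILD_BUG_ON() must enforce: the last slot of the
 * whole fixmap region must not fall below FIXADDR_START, otherwise it lands
 * in whatever is mapped beneath the window (here, the DT mapping). */
static bool fixmap_fits(unsigned nr_cpus, bool debug)
{
    unsigned long last = end_of_fixmap_region(nr_cpus, debug) - 1;
    return fix_to_virt(last) >= FIXADDR_START;
}

int main(void)
{
    struct { unsigned cpus; bool dbg; } cfg[] = { {32, true}, {16, true}, {32, false} };
    for (int i = 0; i < 3; i++)
        printf("NR_CPUS=%u DEBUG_KMAP_LOCAL=%c: %lu slots, lowest slot at %#lx -> %s\n",
               cfg[i].cpus, cfg[i].dbg ? 'y' : 'n', end_of_fixmap_region(cfg[i].cpus, cfg[i].dbg),
               fix_to_virt(end_of_fixmap_region(cfg[i].cpus, cfg[i].dbg) - 1),
               fixmap_fits(cfg[i].cpus, cfg[i].dbg) ? "fits" : "OVERFLOWS window");
    return 0;
}
```

With the assumed constants, 32 CPUs in debug mode need 1059 slots against a 640-page window, while capping at 16 CPUs needs 531 and stays inside it.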
The affected files are `arch/arm/Kconfig` and `arch/arm/mm/mmu.c`. The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this issue, rather than cherry-picking individual commits.