CVE-2026-53108

Source
https://cve.org/CVERecord?id=CVE-2026-53108
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53108.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53108
Downstream
Published
2026-06-24T16:30:42.707Z
Modified
2026-07-08T08:13:46.012541372Z
Summary
powerpc/64s: Fix unmap race with PMD migration entries
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/64s: Fix unmap race with PMD migration entries

The following race is possible with migration swap entries or device-private THP entries. e.g. when movepages is called on a PMD THP page, then there maybe an intermediate state, where PMD entry acts as a migration swap entry (pmdpresent() is true). Then if an munmap happens at the same time, then this VMBUGON() can happen in pmdphugegetandclear_full().

This patch fixes that.

Thread A: movepages() syscall addfolioformigration() mmapreadlock(mm) folioisolatelru(folio) mmapreadunlock(mm)

domovepagestonode() migratepages() trytomigrateone() spinlock(ptl) setpmdmigrationentry() pmdpinvalidate() # PMD: PAGEINVALID | PAGEPTE | pfn setpmdat() # PMD: migration swap entry (pmdpresent=0) spin_unlock(ptl) [page copy phase] # <--- RACE WINDOW -->

Thread B: munmap() mmapwritedowngrade(mm) unmapvmas() -> zappmdrange() zaphuge_pmd() _pmdtranshugelock() pmdishuge(): # !pmdpresent && !pmdnone -> TRUE (swap entry) pmdlock() -> # spinlock(ptl), waits for Thread A to release ptl pmdphugegetandclearfull() VMBUGON(!pmdpresent(*pmdp)) # HITS!

[ 287.738700][ T1867] ------------[ cut here ]------------ [ 287.743843][ T1867] kernel BUG at arch/powerpc/mm/book3s64/pgtable.c:187! cpu 0x0: Vector: 700 (Program Check) at [c00000044037f4f0] pc: c000000000094ca4: pmdphugegetandclearfull+0x6c/0x23c lr: c000000000645dec: zaphugepmd+0xb0/0x868 sp: c00000044037f790 msr: 800000000282b033 current = 0xc0000004032c1a00 paca = 0xc000000004fe0000 irqmask: 0x03 irqhappened: 0x09 pid = 1867, comm = a.out kernel BUG at :187! Linux version 6.19.0-12136-g14360d4f917c-dirty (powerpc64le-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #27 SMP PREEMPT Sun Feb 22 10:38:56 IST 2026 enter ? for help [link register ] c000000000645dec zaphugepmd+0xb0/0x868 [c00000044037f790] c00000044037f7d0 (unreliable) [c00000044037f7d0] c000000000645dcc zaphugepmd+0x90/0x868 [c00000044037f840] c0000000005724cc unmappagerange+0x176c/0x1f40 [c00000044037fa00] c000000000572ea0 unmapvmas+0xb0/0x1d8 [c00000044037fa90] c0000000005af254 unmapregion+0xb4/0x128 [c00000044037fb50] c0000000005af400 vmscompletemunmapvmas+0x138/0x310 [c00000044037fbe0] c0000000005b0f1c dovmialignmunmap+0x1ec/0x238 [c00000044037fd30] c0000000005b3688 _vmmunmap+0x170/0x1f8 [c00000044037fdf0] c000000000587f74 sysmunmap+0x2c/0x40 [c00000044037fe10] c000000000032668 systemcallexception+0x128/0x350 [c00000044037fe50] c00000000000d05c systemcallvectoredcommon+0x15c/0x2ec ---- Exception: 3000 (System Call Vectored) at 0000000010064a2c SP (7fff9b1ee9c0) is in userspace 0:mon> zh

commit a30b48bf1b24 ("mm/migrate_device: implement THP migration of zone device pages"), enabled migration for device-private PMD entries. Hence this is one other path where this warning could get trigger from.

------------[ cut here ]------------ WARNING: arch/powerpc/mm/book3s64/hashpgtable.c:199 at hashpmdhugepageupdate+0x48/0x284, CPU#3: hmm-tests/1905 Modules linked in: testhmm CPU: 3 UID: 0 PID: 1905 Comm: hmm-tests Tainted: G B W L N 7.0.0-rc1-01438-g7e2f0ee7581c #21 PREEMPT Tainted: [B]=BADPAGE, [W]=WARN, [L]=SOFTLOCKUP, [N]=TEST Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries NIP [c000000000096b70] hashpmdhugepageupdate+0x48/0x284 LR [c000000000096e7c] hashpmdphugegetandclear+0xd0/0xd4 Call Trace: [c000000604707670] [c000000004e102b8] 0xc000000004e102b8 (unreliable) [c000000604707700] [c00000000064ec3c] setpmdmigrationentry+0x414/0x498 [c000000604707760] [c00000000063e5a4] migratevmacol ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53108.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
75358ea359e7c0dfceb3c7b3d854570b4260cb7f
Fixed
829367e55012c053738ebe7db20c4a90d6609ece
Fixed
bbcbf045d6c778e82b47a35fc8728387708e9a3d

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53108.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53108.json"