In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: Fix unmap race with PMD migration entries
The following race is possible with migration swap entries or device-private THP entries. e.g. when movepages is called on a PMD THP page, then there maybe an intermediate state, where PMD entry acts as a migration swap entry (pmdpresent() is true). Then if an munmap happens at the same time, then this VMBUGON() can happen in pmdphugegetandclear_full().
This patch fixes that.
Thread A: movepages() syscall addfolioformigration() mmapreadlock(mm) folioisolatelru(folio) mmapreadunlock(mm)
domovepagestonode() migratepages() trytomigrateone() spinlock(ptl) setpmdmigrationentry() pmdpinvalidate() # PMD: PAGEINVALID | PAGEPTE | pfn setpmdat() # PMD: migration swap entry (pmdpresent=0) spin_unlock(ptl) [page copy phase] # <--- RACE WINDOW -->
Thread B: munmap() mmapwritedowngrade(mm) unmapvmas() -> zappmdrange() zaphuge_pmd() _pmdtranshugelock() pmdishuge(): # !pmdpresent && !pmdnone -> TRUE (swap entry) pmdlock() -> # spinlock(ptl), waits for Thread A to release ptl pmdphugegetandclearfull() VMBUGON(!pmdpresent(*pmdp)) # HITS!
[ 287.738700][ T1867] ------------[ cut here ]------------ [ 287.743843][ T1867] kernel BUG at arch/powerpc/mm/book3s64/pgtable.c:187! cpu 0x0: Vector: 700 (Program Check) at [c00000044037f4f0] pc: c000000000094ca4: pmdphugegetandclearfull+0x6c/0x23c lr: c000000000645dec: zaphugepmd+0xb0/0x868 sp: c00000044037f790 msr: 800000000282b033 current = 0xc0000004032c1a00 paca = 0xc000000004fe0000 irqmask: 0x03 irqhappened: 0x09 pid = 1867, comm = a.out kernel BUG at :187! Linux version 6.19.0-12136-g14360d4f917c-dirty (powerpc64le-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #27 SMP PREEMPT Sun Feb 22 10:38:56 IST 2026 enter ? for help [link register ] c000000000645dec zaphugepmd+0xb0/0x868 [c00000044037f790] c00000044037f7d0 (unreliable) [c00000044037f7d0] c000000000645dcc zaphugepmd+0x90/0x868 [c00000044037f840] c0000000005724cc unmappagerange+0x176c/0x1f40 [c00000044037fa00] c000000000572ea0 unmapvmas+0xb0/0x1d8 [c00000044037fa90] c0000000005af254 unmapregion+0xb4/0x128 [c00000044037fb50] c0000000005af400 vmscompletemunmapvmas+0x138/0x310 [c00000044037fbe0] c0000000005b0f1c dovmialignmunmap+0x1ec/0x238 [c00000044037fd30] c0000000005b3688 _vmmunmap+0x170/0x1f8 [c00000044037fdf0] c000000000587f74 sysmunmap+0x2c/0x40 [c00000044037fe10] c000000000032668 systemcallexception+0x128/0x350 [c00000044037fe50] c00000000000d05c systemcallvectoredcommon+0x15c/0x2ec ---- Exception: 3000 (System Call Vectored) at 0000000010064a2c SP (7fff9b1ee9c0) is in userspace 0:mon> zh
commit a30b48bf1b24 ("mm/migrate_device: implement THP migration of zone device pages"), enabled migration for device-private PMD entries. Hence this is one other path where this warning could get trigger from.
------------[ cut here ]------------ WARNING: arch/powerpc/mm/book3s64/hashpgtable.c:199 at hashpmdhugepageupdate+0x48/0x284, CPU#3: hmm-tests/1905 Modules linked in: testhmm CPU: 3 UID: 0 PID: 1905 Comm: hmm-tests Tainted: G B W L N 7.0.0-rc1-01438-g7e2f0ee7581c #21 PREEMPT Tainted: [B]=BADPAGE, [W]=WARN, [L]=SOFTLOCKUP, [N]=TEST Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries NIP [c000000000096b70] hashpmdhugepageupdate+0x48/0x284 LR [c000000000096e7c] hashpmdphugegetandclear+0xd0/0xd4 Call Trace: [c000000604707670] [c000000004e102b8] 0xc000000004e102b8 (unreliable) [c000000604707700] [c00000000064ec3c] setpmdmigrationentry+0x414/0x498 [c000000604707760] [c00000000063e5a4] migratevmacol ---truncated---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53108.json",
"cna_assigner": "Linux"
}