CVE-2026-31466

Source
https://cve.org/CVERecord?id=CVE-2026-31466
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31466.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31466
Published
2026-04-22T13:53:56.259Z
Modified
2026-06-18T03:57:02.850706943Z
Summary
mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix folio isn't locked in softleaf_to_folio()

On an arm64 server, we found that the folio obtained from a migration entry isn't locked in softleaf_to_folio(). This issue triggers when mTHP splitting and zap_nonpresent_ptes() race, and the root cause is a missing memory barrier in softleaf_to_folio(). The race is as follows:

CPU0                                             CPU1

deferred_split_scan()                            zap_nonpresent_ptes()
  lock folio
  split_folio()
    unmap_folio()
      change ptes to migration entries
    __split_folio_to_order()                       softleaf_to_folio()
      set flags(including PG_locked) for tail pages
                                                   folio = pfn_folio(softleaf_to_pfn(entry))
      smp_wmb()
                                                   VM_WARN_ON_ONCE(!folio_test_locked(folio))
      prep_compound_page() for tail pages

In __split_folio_to_order(), smp_wmb() guarantees that the page flags of tail pages are visible before the tail page becomes non-compound. smp_wmb() should be paired with an smp_rmb() in softleaf_to_folio(), which is missing. As a result, if zap_nonpresent_ptes() accesses a migration entry that stores a tail pfn, softleaf_to_folio() may see the updated compound_head of the tail page before page->flags.

This issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio() because of the race between folio split and zap_nonpresent_ptes(), leading to a folio incorrectly undergoing modification without the folio lock being held.

This is a BUG_ON() before commit 93976a20345b ("mm: eliminate further swapops predicates"), which was merged in v6.19-rc1.

To fix it, add the missing smp_rmb() if the softleaf entry is a migration entry in softleaf_to_folio() and softleaf_to_page().

[tujinjiang@huawei.com: update function name and comments]

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31466.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e9b61f19858a5d6c42ce2298cf138279375d0d9b
Fixed
426ee10711586617da869c8bb798214965337617
Fixed
f1acf5887c2bbaf998dc3fe32c72b7a8b84a3ddd
Fixed
722cfaf6b31d31123439e67b5deac6b1261a3dea
Fixed
7ddcf4a245c1c5a91fdd9698757e3d95179ffe41
Fixed
b8c49ad888892ad7b77062b9c102b799a3e9b4f8
Fixed
7ad1997b9bc8032603df8f091761114479285769
Fixed
8bfb8414e9f2ce6f5f2f0e3d0da52f2d132128e7
Fixed
4c5e7f0fcd592801c9cc18f29f80fbee84eb8669

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31466.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.5.0
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.21
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31466.json"