CVE-2026-31601

Source
https://cve.org/CVERecord?id=CVE-2026-31601
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31601.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31601
Published
2026-04-24T14:42:25.287Z
Modified
2026-06-18T03:55:01.092331690Z
Summary
vfio/xe: Reorganize the init to decouple migration from reset
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/xe: Reorganize the init to decouple migration from reset

Attempting to issue reset on VF devices that don't support migration leads to the following:

BUG: unable to handle page fault for address: 00000000000011f8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 7443 Comm: xe_sriov_flr Tainted: G S U 7.0.0-rc1-lgci-xe-xe-4588-cec43d5c2696af219-nodebug+ #1 PREEMPT(lazy)
Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
RIP: 0010:xe_sriov_vfio_wait_flr_done+0xc/0x80 [xe]
Code: ff c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 54 53 <83> bf f8 11 00 00 02 75 61 41 89 f4 85 f6 74 52 48 8b 47 08 48 89
RSP: 0018:ffffc9000f7c39b8 EFLAGS: 00010202
RAX: ffffffffa04d8660 RBX: ffff88813e3e4000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000f7c39c8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888101a48800
R13: ffff88813e3e4150 R14: ffff888130d0d008 R15: ffff88813e3e40d0
FS: 00007877d3d0d940(0000) GS:ffff88890b6d3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000011f8 CR3: 000000015a762000 CR4: 0000000000f52ef0
PKRU: 55555554
Call Trace:
<TASK>
xe_vfio_pci_reset_done+0x49/0x120 [xe_vfio_pci]
pci_dev_restore+0x3b/0x80
pci_reset_function+0x109/0x140
reset_store+0x5c/0xb0
dev_attr_store+0x17/0x40
sysfs_kf_write+0x72/0x90
kernfs_fop_write_iter+0x161/0x1f0
vfs_write+0x261/0x440
ksys_write+0x69/0xf0
__x64_sys_write+0x19/0x30
x64_sys_call+0x259/0x26e0
do_syscall_64+0xcb/0x1500
? __fput+0x1a2/0x2d0
? fput_close_sync+0x3d/0xa0
? __x64_sys_close+0x3e/0x90
? x64_sys_call+0x1b7c/0x26e0
? do_syscall_64+0x109/0x1500
? __task_pid_nr_ns+0x68/0x100
? __do_sys_getpid+0x1d/0x30
? x64_sys_call+0x10b5/0x26e0
? do_syscall_64+0x109/0x1500
? putname+0x41/0x90
? do_faccessat+0x1e8/0x300
? __x64_sys_access+0x1c/0x30
? x64_sys_call+0x1822/0x26e0
? do_syscall_64+0x109/0x1500
? tick_program_event+0x43/0xa0
? hrtimer_interrupt+0x126/0x260
? irqentry_exit+0xb2/0x710
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7877d5f1c5a4
Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d a5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
RSP: 002b:00007fff48e5f908 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007877d5f1c5a4
RDX: 0000000000000001 RSI: 00007877d621b0c9 RDI: 0000000000000009
RBP: 0000000000000001 R08: 00005fb49113b010 R09: 0000000000000007
R10: 0000000000000000 R11: 0000000000000202 R12: 00007877d621b0c9
R13: 0000000000000009 R14: 00007fff48e5fac0 R15: 00007fff48e5fac0
</TASK>

This is caused by the fact that some of the xe_vfio_pci_core_device members needed for handling reset are only initialized as part of migration init.

Fix the problem by reorganizing the code to decouple VF init from migration init.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31601.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1f5556ec8b9efbb784aeb3536e147182dee73d0f
Fixed
8fa4113fc65b8b29a30fbbca5fd82221dc6e146e
Fixed
73e53ff144a538f1843b3dea1e2740a755031cdc
Fixed
1b81ed612e12ea9df8c5cb6f0ddd4419fd0b8ac8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31601.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14
Type
ECOSYSTEM
Events
Introduced
6.20.0
Fixed
7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31601.json"