CVE-2026-53108
Received Received - Intake
Race Condition in Linux Kernel PowerPC PMD Migration

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix unmap race with PMD migration entries The following race is possible with migration swap entries or device-private THP entries. e.g. when move_pages is called on a PMD THP page, then there maybe an intermediate state, where PMD entry acts as a migration swap entry (pmd_present() is true). Then if an munmap happens at the same time, then this VM_BUG_ON() can happen in pmdp_huge_get_and_clear_full(). This patch fixes that. Thread A: move_pages() syscall add_folio_for_migration() mmap_read_lock(mm) folio_isolate_lru(folio) mmap_read_unlock(mm) do_move_pages_to_node() migrate_pages() try_to_migrate_one() spin_lock(ptl) set_pmd_migration_entry() pmdp_invalidate() # PMD: _PAGE_INVALID | _PAGE_PTE | pfn set_pmd_at() # PMD: migration swap entry (pmd_present=0) spin_unlock(ptl) [page copy phase] # <--- RACE WINDOW --> Thread B: munmap() mmap_write_downgrade(mm) unmap_vmas() -> zap_pmd_range() zap_huge_pmd() __pmd_trans_huge_lock() pmd_is_huge(): # !pmd_present && !pmd_none -> TRUE (swap entry) pmd_lock() -> # spin_lock(ptl), waits for Thread A to release ptl pmdp_huge_get_and_clear_full() VM_BUG_ON(!pmd_present(*pmdp)) # HITS! [ 287.738700][ T1867] ------------[ cut here ]------------ [ 287.743843][ T1867] kernel BUG at arch/powerpc/mm/book3s64/pgtable.c:187! cpu 0x0: Vector: 700 (Program Check) at [c00000044037f4f0] pc: c000000000094ca4: pmdp_huge_get_and_clear_full+0x6c/0x23c lr: c000000000645dec: zap_huge_pmd+0xb0/0x868 sp: c00000044037f790 msr: 800000000282b033 current = 0xc0000004032c1a00 paca = 0xc000000004fe0000 irqmask: 0x03 irq_happened: 0x09 pid = 1867, comm = a.out kernel BUG at :187! Linux version 6.19.0-12136-g14360d4f917c-dirty (powerpc64le-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #27 SMP PREEMPT Sun Feb 22 10:38:56 IST 2026 enter ? for help [link register ] c000000000645dec zap_huge_pmd+0xb0/0x868 [c00000044037f790] c00000044037f7d0 (unreliable) [c00000044037f7d0] c000000000645dcc zap_huge_pmd+0x90/0x868 [c00000044037f840] c0000000005724cc unmap_page_range+0x176c/0x1f40 [c00000044037fa00] c000000000572ea0 unmap_vmas+0xb0/0x1d8 [c00000044037fa90] c0000000005af254 unmap_region+0xb4/0x128 [c00000044037fb50] c0000000005af400 vms_complete_munmap_vmas+0x138/0x310 [c00000044037fbe0] c0000000005b0f1c do_vmi_align_munmap+0x1ec/0x238 [c00000044037fd30] c0000000005b3688 __vm_munmap+0x170/0x1f8 [c00000044037fdf0] c000000000587f74 sys_munmap+0x2c/0x40 [c00000044037fe10] c000000000032668 system_call_exception+0x128/0x350 [c00000044037fe50] c00000000000d05c system_call_vectored_common+0x15c/0x2ec ---- Exception: 3000 (System Call Vectored) at 0000000010064a2c SP (7fff9b1ee9c0) is in userspace 0:mon> zh commit a30b48bf1b24 ("mm/migrate_device: implement THP migration of zone device pages"), enabled migration for device-private PMD entries. Hence this is one other path where this warning could get trigger from. ------------[ cut here ]------------ WARNING: arch/powerpc/mm/book3s64/hash_pgtable.c:199 at hash__pmd_hugepage_update+0x48/0x284, CPU#3: hmm-tests/1905 Modules linked in: test_hmm CPU: 3 UID: 0 PID: 1905 Comm: hmm-tests Tainted: G B W L N 7.0.0-rc1-01438-g7e2f0ee7581c #21 PREEMPT Tainted: [B]=BAD_PAGE, [W]=WARN, [L]=SOFTLOCKUP, [N]=TEST Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries NIP [c000000000096b70] hash__pmd_hugepage_update+0x48/0x284 LR [c000000000096e7c] hash__pmdp_huge_get_and_clear+0xd0/0xd4 Call Trace: [c000000604707670] [c000000004e102b8] 0xc000000004e102b8 (unreliable) [c000000604707700] [c00000000064ec3c] set_pmd_migration_entry+0x414/0x498 [c000000604707760] [c00000000063e5a4] migrate_vma_col ---truncated---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-53108
EUVD
EUVD-2026-38976
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19.0-12136-g14360d4f917c-dirty
linux linux_kernel 7.0.0-rc1-01438-g7e2f0ee7581c
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel on powerpc/64s architectures and involves a race condition related to migration swap entries or device-private Transparent Huge Pages (THP). Specifically, when the move_pages system call is used on a PMD THP page, an intermediate state can occur where the PMD entry acts as a migration swap entry. If, at the same time, a munmap operation happens, a race condition can trigger a kernel bug (VM_BUG_ON) in the function pmdp_huge_get_and_clear_full(). This race occurs because two threads (one performing move_pages and the other munmap) can concurrently manipulate page table entries, leading to inconsistent states and a kernel crash.

The vulnerability was fixed by a patch that addresses the unmap race with PMD migration entries, preventing the kernel bug from occurring.

Impact Analysis

This vulnerability can cause a kernel crash (kernel BUG) on affected Linux systems running on powerpc/64s architectures. Such crashes can lead to system instability, denial of service, and potential data loss if the system unexpectedly stops or reboots. Applications relying on move_pages or munmap system calls may trigger this race condition, impacting system reliability.

Detection Guidance

This vulnerability manifests as a kernel BUG triggered by a race condition involving migration swap entries and device-private THP entries in the Linux kernel on powerpc/64s architectures.

Detection can be done by monitoring kernel logs for specific BUG messages related to pmdp_huge_get_and_clear_full() and zap_huge_pmd(), which indicate the race condition has occurred.

Commands to check kernel logs include:

  • dmesg | grep -i 'pmdp_huge_get_and_clear_full'
  • journalctl -k | grep -i 'zap_huge_pmd'
  • journalctl -k | grep -i 'kernel BUG'

Additionally, monitoring for system crashes or BUG messages during operations involving move_pages() or munmap() syscalls on huge pages may help detect the issue.

Mitigation Strategies

The vulnerability is fixed by a patch in the Linux kernel that addresses the race condition in the powerpc/64s architecture related to migration swap entries.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the patch fixing this race condition.
  • Avoid running workloads that heavily use move_pages() or munmap() syscalls on huge pages on affected powerpc/64s systems until the patch is applied.
  • Monitor kernel logs for BUG messages to detect if the issue occurs before patching.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart