{"cve":{"cve_id":"CVE-2026-53155","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: use correct flags for device private PMD entry\n\nCommit 65edfda6f3f2 (\"mm/rmap: extend rmap and migration support\ndevice-private entries\") updated set_pmd_migration_entry() to use\npmdp_huge_get_and_clear() in the softleaf case, but made no further\nadjustments to the function itself.\n\nTherefore this function continues to incorrectly use pmd_write(),\npmd_soft_dirty() and pmd_uffd_wp() to determine whether the installed\nmigration entry should be marked writable, softdirty or uffd-wp\nrespectively.\n\nWhilst all are incorrect, the most problematic of these is pmd_write(), as\nthis can lead to corrupted rmap state.\n\nOn x86-64 _PAGE_SWP_SOFT_DIRTY is aliased to _PAGE_RW.  So calling\npmd_write() on a softleaf will return the softdirty state encoded in the\nentry, assuming CONFIG_MEM_SOFT_DIRTY was enabled.\n\nThis was observed when running the hmm.hmm_device_private.anon_write_child\nselftest:\n\n1. The test faults in a range then migrates it such that a device-private\n   THP range is established.\n\n2. The parent then migrates it to a device-private writable PMD entry whose\n   folio is entirely AnonExclusive with entire_mapcount=1, softdirty set\n   (accidentally correct write state).\n\n3. The parent forks and the PMD entries are set to device-private read only\n   entries, entire_mapcount=2, softdirty still set.\n\n4. [BUG] The child writes to the range then migrates to RAM - intending to\n   install non-writable migration entries - but replacing parent and child\n   PMD mappings with WRITABLE entries due to misinterpreting the softdirty\n   bit.\n\n5. In remove_migration_pmd(), if !softleaf_is_migration_read(entry) we\n   set the RMAP_EXCLUSIVE flag when calling folio_add_anon_rmap_pmd() for\n   both parent and child, which are therefore AnonExclusive.\n\n6. [SPLAT] Child sets migrated folio entire_mapcount=1, parent sets\n   entire_mapcount=2 and we end up with an AnonExclusive folio with\n   entire_mapcount=2! Assert fires in __folio_add_anon_rmap():\n\n\t\tVM_WARN_ON_FOLIO(folio_test_large(folio) &&\n\t\t\t\t folio_entire_mapcount(folio) > 1 &&\n\t\t\t\t PageAnonExclusive(cur_page), folio)\n\nThis patch fixes the issue by correctly referencing the softleaf entry\nfields for writable, softdirty and uffd-wp in set_pmd_migration_entry().\n\nIt also only updates A/D flags if the entry is present as these are\notherwise not meaningful for a softleaf entry.\n\nThis patch also flips the if (!present) { ...  } else { ...  } logic in\nset_pmd_migration_entry() so it is easier to understand, and adds some\ncomments to make things clearer.\n\nI was able to bisect this to commit 775465fd26a3 (\"lib/test_hmm: add zone\ndevice private THP test infrastructure\") which first exposes this bug as\nit was the commit that permitted test_hmm to generate the test.\n\nHowever commit 65edfda6f3f2 (\"mm/rmap: extend rmap and migration support\ndevice-private entries\") is the commit that actually enabled this\nbehaviour.","published_at":"2026-06-25T08:38:38.828000Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/d7251c8d3f7cea76543abac6cf4ed15582c10846","https://git.kernel.org/stable/c/43e7f189769c512c843184a8a5892ac779a6bd90"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:28.590503Z","updated_at":"2026-06-28T23:30:50.753831Z"},"effective_severity":null,"badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"65edfda6f3f2e58f757485a056e4f1775a1404a8","version_start_inclusive":true,"version_end":"d7251c8d3f7cea76543abac6cf4ed15582c10846","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:65edfda6f3f2e58f757485a056e4f1775a1404a8:d7251c8d3f7cea76543abac6cf4ed15582c10846"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"65edfda6f3f2e58f757485a056e4f1775a1404a8","version_start_inclusive":true,"version_end":"43e7f189769c512c843184a8a5892ac779a6bd90","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:65edfda6f3f2e58f757485a056e4f1775a1404a8:43e7f189769c512c843184a8a5892ac779a6bd90"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.19","version_start_inclusive":true,"version_end":"6.19","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.19:6.19"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"6.19","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:6.19"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.13","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.13:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/d7251c8d3f7cea76543abac6cf4ed15582c10846","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/43e7f189769c512c843184a8a5892ac779a6bd90","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-25T08:38:38.828000Z","label":"CVE published","source":null}]}