From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 43BE748AE1B for ; Wed, 1 Jul 2026 13:34:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782912901; cv=none; b=CeBWVtFRy2ME71KZyjAN6fZrt/y/HmtufrI7JMWM/A8KPx46CPMurOdLs5PT/hb2HsFmvEK7T87aJ8SDR10JPUAnwXZrZbyGKSaVbte9uHeVxLRViIkfWN082ZA5BHNpkG/BgjOMqKCFG0HLXSo35Wd9gvpweboP7ZFG3mjvgtk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782912901; c=relaxed/simple; bh=HofMHOTIZv/1jDfK7WZ+vnpjKq2sTRGVXB3bpK/tkQw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=sO5olrdMYwmpksMc16l2s379KYw3S5DRKtpAAZgStBgJsy3Q2HruCSINM0C7jwnMBQWm0pb+shDhuMoNbRwWW7zs+oLS06LEAemdInlwhbQHbsvO5M0XqL895+MZRwd/2yovtk0QvGT+cRQfUWYbLnARtoIgz4xupjgVCvAU/rE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=QdEk+X+6; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="QdEk+X+6" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 144101F000E9; Wed, 1 Jul 2026 13:34:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1782912898; bh=CjVn2PXamvHr3aiz4wlsAlW5wnddTSissIeaiBAuKbU=; h=From:To:Cc:Subject:Date:Reply-To; b=QdEk+X+6wUK7m+ZelmZkVMz5j0eiDzHyKx43RgoiqFMS56jECrySJkmjYs2sPCa35 ucsNvcLbyzDALZyr+hDw6T7anMMakICtMkmqXb5ol+zX68bXUk4roWkLyzIZLglaqb 56V4CvpHVkjUSQ182siE0HrJdT5wGVREwjrqgZX8= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-53342: arm64: mm: call pagetable dtor when freeing hot-removed page tables Date: Wed, 1 Jul 2026 15:34:57 +0200 Message-ID: <2026070144-CVE-2026-53342-cd87@gregkh> X-Mailer: git-send-email 2.55.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3465; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=SM3JXLbfxGXfXXevUdNkYrfMXJRy3Ct2T/2ycZnPNsQ=; b=owGbwMvMwCRo6H6F97bub03G02pJDFmu4iX6P8y+vJwrebX6/9dFatcC3mzxE6jd+f6LYE7l/ RSFhGNXOmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAiE5YxzK+RK+ESkVl+R3ji 4cxDn9wyG7mWr2aYH71d/8HSKRwH9txsCfbuvPpQt8xdGwA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: arm64: mm: call pagetable dtor when freeing hot-removed page tables Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in __create_pgd_mapping()") page-table allocation on ARM64 always calls pagetable_{pte,pmd,pud,p4d}_ctor(). This sets the page_type to PGTY_table, increments NR_PAGETABLE and possible allocates a PTL. However the matching pagetable_dtor() calls were never added. With DEBUG_VM enabled on kernel versions prior to v6.17 without 2dfcd1608f3a9 ("mm/page_alloc: let page freeing clear any set page type") this leads to the following warning when freeing these pages due to page->page_type sharing page->_mapcount: BUG: Bad page state in process ... pfn:284fbb page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff) page_type: f2(table) page dumped because: nonzero mapcount Call trace: bad_page+0x13c/0x160 __free_frozen_pages+0x6cc/0x860 ___free_pages+0xf4/0x180 free_pages+0x54/0x80 free_hotplug_page_range.part.0+0x58/0x90 free_empty_tables+0x438/0x500 __remove_pgd_mapping.constprop.0+0x60/0xa8 arch_remove_memory+0x48/0x80 try_remove_memory+0x158/0x1d8 offline_and_remove_memory+0x138/0x180 It can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is defined and incorrect NR_PAGETABLE stats. Fix this by calling pagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page to undo the effects of calling pagetable_*_ctor(). The Linux kernel CVE team has assigned CVE-2026-53342 to this issue. Affected and fixed versions =========================== Issue introduced in 6.16 with commit 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f and fixed in 6.18.36 with commit 95f27fcda681021ed3906d3cae7e68b6a57a1d8e Issue introduced in 6.16 with commit 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f and fixed in 7.0.13 with commit aaa688ac9f18207f7452c6472e647c1febaea6a3 Issue introduced in 6.16 with commit 5e8eb9aeeda3a7aaf48efa1d34ae804e894e307f and fixed in 7.1 with commit c594b83457ccdee76d458416fb3bc9348a37592f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-53342 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/arm64/mm/mmu.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/95f27fcda681021ed3906d3cae7e68b6a57a1d8e https://git.kernel.org/stable/c/aaa688ac9f18207f7452c6472e647c1febaea6a3 https://git.kernel.org/stable/c/c594b83457ccdee76d458416fb3bc9348a37592f