{"api_version":"1","generated_at":"2026-04-25T23:29:13+00:00","cve":"CVE-2026-31648","urls":{"html":"https://cve.report/CVE-2026-31648","api":"https://cve.report/api/cve/CVE-2026-31648.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-31648","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-31648"},"summary":{"title":"mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb\n[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[ 734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page’s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 734.469315] memcg:ffff000807a8ec00\n[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[ 734.469390] ------------[ cut here ]------------\n[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[ 734.469555] set_pte_range+0xd8/0x2f8\n[ 734.469566] filemap_map_folio_range+0x190/0x400\n[ 734.469579] filemap_map_pages+0x348/0x638\n[ 734.469583] do_fault_around+0x140/0x198\n......\n[ 734.469640] el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that set_pte_range()\ntried to map beyond the large folio’s size.\n\nBy adding more debug information, I found that 'nr_pages' had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page->_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0 CPU 1\nfilemap_map_pages() ext4_setattr()\n //get and lock folio with old inode->i_size\n next_uptodate_folio()\n\n .......\n //shrink the inode->i_size\n i_size_write(inode, attr->ia_size);\n\n //calculate the end_pgoff with the new inode->i_size\n file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;\n end_pgoff = min(end_pgoff, file_end);\n\n ......\n //nr_pages can be overflowed, cause xas.xa_index > end_pgoff\n end = folio_next_index(folio) - 1;\n nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n ......\n //map large folio\n filemap_map_folio_range()\n ......\n //truncate folios\n truncate_pagecache(inode, inode->i_size);\n\nTo fix this issue, move the 'end_pgoff' calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid \n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-24 15:16:44","updated_at":"2026-04-24 17:51:40"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/88591194df736a508dd5461ab2167a61e98caac1","name":"https://git.kernel.org/stable/c/88591194df736a508dd5461ab2167a61e98caac1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f58df566524ebcdfa394329c64f47e3c9257516e","name":"https://git.kernel.org/stable/c/f58df566524ebcdfa394329c64f47e3c9257516e","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9316a820b9aae07d44469d6485376dad824c5b3f","name":"https://git.kernel.org/stable/c/9316a820b9aae07d44469d6485376dad824c5b3f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/576543bedd616254032d4ebe54a90076f9e31740","name":"https://git.kernel.org/stable/c/576543bedd616254032d4ebe54a90076f9e31740","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/633ab680c405ac390e6bec5b74aaf46197c837b6","name":"https://git.kernel.org/stable/c/633ab680c405ac390e6bec5b74aaf46197c837b6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-31648","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31648","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected fe601b70eac6cd266e8d7d55030e90a73ed0e339 88591194df736a508dd5461ab2167a61e98caac1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 743a2753a02e805347969f6f89f38b736850d808 633ab680c405ac390e6bec5b74aaf46197c837b6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 743a2753a02e805347969f6f89f38b736850d808 576543bedd616254032d4ebe54a90076f9e31740 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 743a2753a02e805347969f6f89f38b736850d808 9316a820b9aae07d44469d6485376dad824c5b3f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 743a2753a02e805347969f6f89f38b736850d808 f58df566524ebcdfa394329c64f47e3c9257516e git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 84ede15f27c06b111d1398dfa80b6fac4b135e34 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.135 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.82 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.23 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.13 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["mm/filemap.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"88591194df736a508dd5461ab2167a61e98caac1","status":"affected","version":"fe601b70eac6cd266e8d7d55030e90a73ed0e339","versionType":"git"},{"lessThan":"633ab680c405ac390e6bec5b74aaf46197c837b6","status":"affected","version":"743a2753a02e805347969f6f89f38b736850d808","versionType":"git"},{"lessThan":"576543bedd616254032d4ebe54a90076f9e31740","status":"affected","version":"743a2753a02e805347969f6f89f38b736850d808","versionType":"git"},{"lessThan":"9316a820b9aae07d44469d6485376dad824c5b3f","status":"affected","version":"743a2753a02e805347969f6f89f38b736850d808","versionType":"git"},{"lessThan":"f58df566524ebcdfa394329c64f47e3c9257516e","status":"affected","version":"743a2753a02e805347969f6f89f38b736850d808","versionType":"git"},{"status":"affected","version":"84ede15f27c06b111d1398dfa80b6fac4b135e34","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["mm/filemap.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.12"},{"lessThan":"6.12","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.135","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.82","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.23","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.13","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.135","versionStartIncluding":"6.6.117","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.82","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.23","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.13","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.159","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb\n[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[ 734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page’s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 734.469315] memcg:ffff000807a8ec00\n[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[ 734.469390] ------------[ cut here ]------------\n[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[ 734.469555] set_pte_range+0xd8/0x2f8\n[ 734.469566] filemap_map_folio_range+0x190/0x400\n[ 734.469579] filemap_map_pages+0x348/0x638\n[ 734.469583] do_fault_around+0x140/0x198\n......\n[ 734.469640] el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that set_pte_range()\ntried to map beyond the large folio’s size.\n\nBy adding more debug information, I found that 'nr_pages' had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page->_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0 CPU 1\nfilemap_map_pages() ext4_setattr()\n //get and lock folio with old inode->i_size\n next_uptodate_folio()\n\n .......\n //shrink the inode->i_size\n i_size_write(inode, attr->ia_size);\n\n //calculate the end_pgoff with the new inode->i_size\n file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;\n end_pgoff = min(end_pgoff, file_end);\n\n ......\n //nr_pages can be overflowed, cause xas.xa_index > end_pgoff\n end = folio_next_index(folio) - 1;\n nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n ......\n //map large folio\n filemap_map_folio_range()\n ......\n //truncate folios\n truncate_pagecache(inode, inode->i_size);\n\nTo fix this issue, move the 'end_pgoff' calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid \n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-04-24T14:45:01.728Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/88591194df736a508dd5461ab2167a61e98caac1"},{"url":"https://git.kernel.org/stable/c/633ab680c405ac390e6bec5b74aaf46197c837b6"},{"url":"https://git.kernel.org/stable/c/576543bedd616254032d4ebe54a90076f9e31740"},{"url":"https://git.kernel.org/stable/c/9316a820b9aae07d44469d6485376dad824c5b3f"},{"url":"https://git.kernel.org/stable/c/f58df566524ebcdfa394329c64f47e3c9257516e"}],"title":"mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-31648","datePublished":"2026-04-24T14:45:01.728Z","dateReserved":"2026-03-09T15:48:24.128Z","dateUpdated":"2026-04-24T14:45:01.728Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-24 15:16:44","lastModifiedDate":"2026-04-24 17:51:40","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"31648","Ordinal":"1","Title":"mm: filemap: fix nr_pages calculation overflow in filemap_map_pa","CVE":"CVE-2026-31648","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"31648","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: filemap: fix nr_pages calculation overflow in filemap_map_pages()\n\nWhen running stress-ng on my Arm64 machine with v7.0-rc3 kernel, I\nencountered some very strange crash issues showing up as \"Bad page state\":\n\n\"\n[ 734.496287] BUG: Bad page state in process stress-ng-env pfn:415735fb\n[ 734.496427] page: refcount:0 mapcount:1 mapping:0000000000000000 index:0x4cf316 pfn:0x415735fb\n[ 734.496434] flags: 0x57fffe000000800(owner_2|node=1|zone=2|lastcpupid=0x3ffff)\n[ 734.496439] raw: 057fffe000000800 0000000000000000 dead000000000122 0000000000000000\n[ 734.496440] raw: 00000000004cf316 0000000000000000 0000000000000000 0000000000000000\n[ 734.496442] page dumped because: nonzero mapcount\n\"\n\nAfter analyzing this page’s state, it is hard to understand why the\nmapcount is not 0 while the refcount is 0, since this page is not where\nthe issue first occurred. By enabling the CONFIG_DEBUG_VM config, I can\nreproduce the crash as well and captured the first warning where the issue\nappears:\n\n\"\n[ 734.469226] page: refcount:33 mapcount:0 mapping:00000000bef2d187 index:0x81a0 pfn:0x415735c0\n[ 734.469304] head: order:5 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 734.469315] memcg:ffff000807a8ec00\n[ 734.469320] aops:ext4_da_aops ino:100b6f dentry name(?):\"stress-ng-mmaptorture-9397-0-2736200540\"\n[ 734.469335] flags: 0x57fffe400000069(locked|uptodate|lru|head|node=1|zone=2|lastcpupid=0x3ffff)\n......\n[ 734.469364] page dumped because: VM_WARN_ON_FOLIO((_Generic((page + nr_pages - 1),\nconst struct page *: (const struct folio *)_compound_head(page + nr_pages - 1), struct page *:\n(struct folio *)_compound_head(page + nr_pages - 1))) != folio)\n[ 734.469390] ------------[ cut here ]------------\n[ 734.469393] WARNING: ./include/linux/rmap.h:351 at folio_add_file_rmap_ptes+0x3b8/0x468,\nCPU#90: stress-ng-mlock/9430\n[ 734.469551] folio_add_file_rmap_ptes+0x3b8/0x468 (P)\n[ 734.469555] set_pte_range+0xd8/0x2f8\n[ 734.469566] filemap_map_folio_range+0x190/0x400\n[ 734.469579] filemap_map_pages+0x348/0x638\n[ 734.469583] do_fault_around+0x140/0x198\n......\n[ 734.469640] el0t_64_sync+0x184/0x188\n\"\n\nThe code that triggers the warning is: \"VM_WARN_ON_FOLIO(page_folio(page +\nnr_pages - 1) != folio, folio)\", which indicates that set_pte_range()\ntried to map beyond the large folio’s size.\n\nBy adding more debug information, I found that 'nr_pages' had overflowed\nin filemap_map_pages(), causing set_pte_range() to establish mappings for\na range exceeding the folio size, potentially corrupting fields of pages\nthat do not belong to this folio (e.g., page->_mapcount).\n\nAfter above analysis, I think the possible race is as follows:\n\nCPU 0 CPU 1\nfilemap_map_pages() ext4_setattr()\n //get and lock folio with old inode->i_size\n next_uptodate_folio()\n\n .......\n //shrink the inode->i_size\n i_size_write(inode, attr->ia_size);\n\n //calculate the end_pgoff with the new inode->i_size\n file_end = DIV_ROUND_UP(i_size_read(mapping->host), PAGE_SIZE) - 1;\n end_pgoff = min(end_pgoff, file_end);\n\n ......\n //nr_pages can be overflowed, cause xas.xa_index > end_pgoff\n end = folio_next_index(folio) - 1;\n nr_pages = min(end, end_pgoff) - xas.xa_index + 1;\n\n ......\n //map large folio\n filemap_map_folio_range()\n ......\n //truncate folios\n truncate_pagecache(inode, inode->i_size);\n\nTo fix this issue, move the 'end_pgoff' calculation before\nnext_uptodate_folio(), so the retrieved folio stays consistent with the\nfile end to avoid \n---truncated---","Type":"Description","Title":"mm: filemap: fix nr_pages calculation overflow in filemap_map_pa"}]}}}