{"api_version":"1","generated_at":"2026-06-24T22:49:15+00:00","cve":"CVE-2026-53109","urls":{"html":"https://cve.report/CVE-2026-53109","api":"https://cve.report/api/cve/CVE-2026-53109.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53109","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53109"},"summary":{"title":"powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy","description":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pgtable-frag: Fix bad page state in pte_frag_destroy\n\npowerpc uses pt_frag_refcount as a reference counter for tracking it's\npte and pmd page table fragments. For PTE table, in case of Hash with\n64K pagesize, we have 16 fragments of 4K size in one 64K page.\n\nPatch series [1] \"mm: free retracted page table by RCU\"\nadded pte_free_defer() to defer the freeing of PTE tables when\nretract_page_tables() is called for madvise MADV_COLLAPSE on shmem\nrange.\n[1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/\n\npte_free_defer() sets the active flag on the corresponding fragment's\nfolio & calls pte_fragment_free(), which reduces the pt_frag_refcount.\nWhen pt_frag_refcount reaches 0 (no active fragment using the folio), it\nchecks if the folio active flag is set, if set, it calls call_rcu to\nfree the folio, it the active flag is unset then it calls pte_free_now().\n\nNow, this can lead to following problem in a corner case...\n\n[  265.351553][  T183] BUG: Bad page state in process a.out  pfn:20d62\n[  265.353555][  T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62\n[  265.355457][  T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff)\n[  265.358719][  T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000\n[  265.360177][  T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000\n[  265.361438][  T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n[  265.362572][  T183] Modules linked in:\n[  265.364622][  T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY\n[  265.364785][  T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries\n[  265.364908][  T183] Call Trace:\n[  265.364955][  T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable)\n[  265.365202][  T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8\n[  265.365384][  T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08\n[  265.365554][  T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310\n[  265.365729][  T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218\n[  265.365912][  T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820\n[  265.366080][  T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300\n[  265.366244][  T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508\n[  265.366421][  T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148\n[  265.366602][  T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178\n[  265.366780][  T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0\n[  265.366958][  T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n\nThe bad page state error occurs when such a folio gets freed (with\nactive flag set), from do_exit() path in parallel.\n\n... this can happen when the pte fragment was allocated from this folio,\nbut when all the fragments get freed, the pte_frag_refcount still had some\nunused fragments. Now, if this process exits, with such folio as it's cached\npte_frag in mm->context, then during pte_frag_destroy(), we simply call\npagetable_dtor() and pagetable_free(), meaning it doesn't clear the\nactive flag. This, can lead to the above bug. Since we are anyway in\ndo_exit() path, then if the refcount is 0, then I guess it should be\nok to simply clear the folio active flag before calling pagetable_dtor()\n& pagetable_free().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:25","updated_at":"2026-06-24 17:17:25"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/a32db6fca3c74b4eb8bae5470f0680deb4cbac6f","name":"https://git.kernel.org/stable/c/a32db6fca3c74b4eb8bae5470f0680deb4cbac6f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c8b710655012a2993a9567873fb71a8a51f8459c","name":"https://git.kernel.org/stable/c/c8b710655012a2993a9567873fb71a8a51f8459c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fda4d71651f71c44b35829d13f3c8bf920032f77","name":"https://git.kernel.org/stable/c/fda4d71651f71c44b35829d13f3c8bf920032f77","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53109","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53109","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 32cc0b7c9d508efde8946a82eb3c4acfa8dfed15 c8b710655012a2993a9567873fb71a8a51f8459c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 32cc0b7c9d508efde8946a82eb3c4acfa8dfed15 a32db6fca3c74b4eb8bae5470f0680deb4cbac6f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 32cc0b7c9d508efde8946a82eb3c4acfa8dfed15 fda4d71651f71c44b35829d13f3c8bf920032f77 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["arch/powerpc/mm/pgtable-frag.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c8b710655012a2993a9567873fb71a8a51f8459c","status":"affected","version":"32cc0b7c9d508efde8946a82eb3c4acfa8dfed15","versionType":"git"},{"lessThan":"a32db6fca3c74b4eb8bae5470f0680deb4cbac6f","status":"affected","version":"32cc0b7c9d508efde8946a82eb3c4acfa8dfed15","versionType":"git"},{"lessThan":"fda4d71651f71c44b35829d13f3c8bf920032f77","status":"affected","version":"32cc0b7c9d508efde8946a82eb3c4acfa8dfed15","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["arch/powerpc/mm/pgtable-frag.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.6"},{"lessThan":"6.6","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"6.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"6.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"6.6","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pgtable-frag: Fix bad page state in pte_frag_destroy\n\npowerpc uses pt_frag_refcount as a reference counter for tracking it's\npte and pmd page table fragments. For PTE table, in case of Hash with\n64K pagesize, we have 16 fragments of 4K size in one 64K page.\n\nPatch series [1] \"mm: free retracted page table by RCU\"\nadded pte_free_defer() to defer the freeing of PTE tables when\nretract_page_tables() is called for madvise MADV_COLLAPSE on shmem\nrange.\n[1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/\n\npte_free_defer() sets the active flag on the corresponding fragment's\nfolio & calls pte_fragment_free(), which reduces the pt_frag_refcount.\nWhen pt_frag_refcount reaches 0 (no active fragment using the folio), it\nchecks if the folio active flag is set, if set, it calls call_rcu to\nfree the folio, it the active flag is unset then it calls pte_free_now().\n\nNow, this can lead to following problem in a corner case...\n\n[  265.351553][  T183] BUG: Bad page state in process a.out  pfn:20d62\n[  265.353555][  T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62\n[  265.355457][  T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff)\n[  265.358719][  T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000\n[  265.360177][  T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000\n[  265.361438][  T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n[  265.362572][  T183] Modules linked in:\n[  265.364622][  T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY\n[  265.364785][  T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries\n[  265.364908][  T183] Call Trace:\n[  265.364955][  T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable)\n[  265.365202][  T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8\n[  265.365384][  T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08\n[  265.365554][  T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310\n[  265.365729][  T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218\n[  265.365912][  T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820\n[  265.366080][  T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300\n[  265.366244][  T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508\n[  265.366421][  T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148\n[  265.366602][  T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178\n[  265.366780][  T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0\n[  265.366958][  T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n\nThe bad page state error occurs when such a folio gets freed (with\nactive flag set), from do_exit() path in parallel.\n\n... this can happen when the pte fragment was allocated from this folio,\nbut when all the fragments get freed, the pte_frag_refcount still had some\nunused fragments. Now, if this process exits, with such folio as it's cached\npte_frag in mm->context, then during pte_frag_destroy(), we simply call\npagetable_dtor() and pagetable_free(), meaning it doesn't clear the\nactive flag. This, can lead to the above bug. Since we are anyway in\ndo_exit() path, then if the refcount is 0, then I guess it should be\nok to simply clear the folio active flag before calling pagetable_dtor()\n& pagetable_free()."}],"providerMetadata":{"dateUpdated":"2026-06-24T16:30:43.364Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c8b710655012a2993a9567873fb71a8a51f8459c"},{"url":"https://git.kernel.org/stable/c/a32db6fca3c74b4eb8bae5470f0680deb4cbac6f"},{"url":"https://git.kernel.org/stable/c/fda4d71651f71c44b35829d13f3c8bf920032f77"}],"title":"powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53109","datePublished":"2026-06-24T16:30:43.364Z","dateReserved":"2026-06-09T07:44:35.385Z","dateUpdated":"2026-06-24T16:30:43.364Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:25","lastModifiedDate":"2026-06-24 17:17:25","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53109","Ordinal":"1","Title":"powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy","CVE":"CVE-2026-53109","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53109","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pgtable-frag: Fix bad page state in pte_frag_destroy\n\npowerpc uses pt_frag_refcount as a reference counter for tracking it's\npte and pmd page table fragments. For PTE table, in case of Hash with\n64K pagesize, we have 16 fragments of 4K size in one 64K page.\n\nPatch series [1] \"mm: free retracted page table by RCU\"\nadded pte_free_defer() to defer the freeing of PTE tables when\nretract_page_tables() is called for madvise MADV_COLLAPSE on shmem\nrange.\n[1]: https://lore.kernel.org/all/7cd843a9-aa80-14f-5eb2-33427363c20@google.com/\n\npte_free_defer() sets the active flag on the corresponding fragment's\nfolio & calls pte_fragment_free(), which reduces the pt_frag_refcount.\nWhen pt_frag_refcount reaches 0 (no active fragment using the folio), it\nchecks if the folio active flag is set, if set, it calls call_rcu to\nfree the folio, it the active flag is unset then it calls pte_free_now().\n\nNow, this can lead to following problem in a corner case...\n\n[  265.351553][  T183] BUG: Bad page state in process a.out  pfn:20d62\n[  265.353555][  T183] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20d62\n[  265.355457][  T183] flags: 0x3ffff800000100(active|node=0|zone=0|lastcpupid=0x7ffff)\n[  265.358719][  T183] raw: 003ffff800000100 0000000000000000 5deadbeef0000122 0000000000000000\n[  265.360177][  T183] raw: 0000000000000000 c0000000119caf58 00000000ffffffff 0000000000000000\n[  265.361438][  T183] page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n[  265.362572][  T183] Modules linked in:\n[  265.364622][  T183] CPU: 0 UID: 0 PID: 183 Comm: a.out Not tainted 6.18.0-rc3-00141-g1ddeaaace7ff-dirty #53 VOLUNTARY\n[  265.364785][  T183] Hardware name: IBM pSeries (emulated by qemu) POWER10 (architected) 0x801200 0xf000006 of:SLOF,git-ee03ae pSeries\n[  265.364908][  T183] Call Trace:\n[  265.364955][  T183] [c000000011e6f7c0] [c000000001cfaa18] dump_stack_lvl+0x130/0x148 (unreliable)\n[  265.365202][  T183] [c000000011e6f7f0] [c000000000794758] bad_page+0xb4/0x1c8\n[  265.365384][  T183] [c000000011e6f890] [c00000000079c020] __free_frozen_pages+0x838/0xd08\n[  265.365554][  T183] [c000000011e6f980] [c0000000000a70ac] pte_frag_destroy+0x298/0x310\n[  265.365729][  T183] [c000000011e6fa30] [c0000000000aa764] arch_exit_mmap+0x34/0x218\n[  265.365912][  T183] [c000000011e6fa80] [c000000000751698] exit_mmap+0xb8/0x820\n[  265.366080][  T183] [c000000011e6fc30] [c0000000001b1258] __mmput+0x98/0x300\n[  265.366244][  T183] [c000000011e6fc80] [c0000000001c81f8] do_exit+0x470/0x1508\n[  265.366421][  T183] [c000000011e6fd70] [c0000000001c95e4] do_group_exit+0x88/0x148\n[  265.366602][  T183] [c000000011e6fdc0] [c0000000001c96ec] pid_child_should_wake+0x0/0x178\n[  265.366780][  T183] [c000000011e6fdf0] [c00000000003a270] system_call_exception+0x1b0/0x4e0\n[  265.366958][  T183] [c000000011e6fe50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec\n\nThe bad page state error occurs when such a folio gets freed (with\nactive flag set), from do_exit() path in parallel.\n\n... this can happen when the pte fragment was allocated from this folio,\nbut when all the fragments get freed, the pte_frag_refcount still had some\nunused fragments. Now, if this process exits, with such folio as it's cached\npte_frag in mm->context, then during pte_frag_destroy(), we simply call\npagetable_dtor() and pagetable_free(), meaning it doesn't clear the\nactive flag. This, can lead to the above bug. Since we are anyway in\ndo_exit() path, then if the refcount is 0, then I guess it should be\nok to simply clear the folio active flag before calling pagetable_dtor()\n& pagetable_free().","Type":"Description","Title":"powerpc/pgtable-frag: Fix bad page state in pte_frag_destroy"}]}}}