CVE-2026-31600
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
24/04/2026
Last modified:
29/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

arm64: mm: Handle invalid large leaf mappings correctly

It has been possible for a long time to mark ptes in the linear map as
invalid. This is done for secretmem, kfence, realm dma memory un/share,
and others, by simply clearing the PTE_VALID bit. But until commit
a166563e7ec37 ("arm64: mm: support large block mapping when
rodata=full") large leaf mappings were never made invalid in this way.

It turns out various parts of the code base are not equipped to handle
invalid large leaf mappings (in the way they are currently encoded) and
I've observed a kernel panic while booting a realm guest on a
BBML2_NOABORT system as a result:

[ 15.432706] software IO TLB: Memory encryption is active and system is using DMA bounce buffers
[ 15.476896] Unable to handle kernel paging request at virtual address ffff000019600000
[ 15.513762] Mem abort info:
[ 15.527245] ESR = 0x0000000096000046
[ 15.548553] EC = 0x25: DABT (current EL), IL = 32 bits
[ 15.572146] SET = 0, FnV = 0
[ 15.592141] EA = 0, S1PTW = 0
[ 15.612694] FSC = 0x06: level 2 translation fault
[ 15.640644] Data abort info:
[ 15.661983] ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
[ 15.694875] CM = 0, WnR = 1, TnD = 0, TagAccess = 0
[ 15.723740] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 15.755776] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081f3f000
[ 15.800410] [ffff000019600000] pgd=0000000000000000, p4d=180000009ffff403, pud=180000009fffe403, pmd=00e8000199600704
[ 15.855046] Internal error: Oops: 0000000096000046 [#1] SMP
[ 15.886394] Modules linked in:
[ 15.900029] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 7.0.0-rc4-dirty #4 PREEMPT
[ 15.935258] Hardware name: linux,dummy-virt (DT)
[ 15.955612] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 15.986009] pc : __pi_memcpy_generic+0x128/0x22c
[ 16.006163] lr : swiotlb_bounce+0xf4/0x158
[ 16.024145] sp : ffff80008000b8f0
[ 16.038896] x29: ffff80008000b8f0 x28: 0000000000000000 x27: 0000000000000000
[ 16.069953] x26: ffffb3976d261ba8 x25: 0000000000000000 x24: ffff000019600000
[ 16.100876] x23: 0000000000000001 x22: ffff0000043430d0 x21: 0000000000007ff0
[ 16.131946] x20: 0000000084570010 x19: 0000000000000000 x18: ffff00001ffe3fcc
[ 16.163073] x17: 0000000000000000 x16: 00000000003fffff x15: 646e612065766974
[ 16.194131] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 16.225059] x11: 0000000000000000 x10: 0000000000000010 x9 : 0000000000000018
[ 16.256113] x8 : 0000000000000018 x7 : 0000000000000000 x6 : 0000000000000000
[ 16.287203] x5 : ffff000019607ff0 x4 : ffff000004578000 x3 : ffff000019600000
[ 16.318145] x2 : 0000000000007ff0 x1 : ffff000004570010 x0 : ffff000019600000
[ 16.349071] Call trace:
[ 16.360143] __pi_memcpy_generic+0x128/0x22c (P)
[ 16.380310] swiotlb_tbl_map_single+0x154/0x2b4
[ 16.400282] swiotlb_map+0x5c/0x228
[ 16.415984] dma_map_phys+0x244/0x2b8
[ 16.432199] dma_map_page_attrs+0x44/0x58
[ 16.449782] virtqueue_map_page_attrs+0x38/0x44
[ 16.469596] virtqueue_map_single_attrs+0xc0/0x130
[ 16.490509] virtnet_rq_alloc.isra.0+0xa4/0x1fc
[ 16.510355] try_fill_recv+0x2a4/0x584
[ 16.526989] virtnet_open+0xd4/0x238
[ 16.542775] __dev_open+0x110/0x24c
[ 16.558280] __dev_change_flags+0x194/0x20c
[ 16.576879] netif_change_flags+0x24/0x6c
[ 16.594489] dev_change_flags+0x48/0x7c
[ 16.611462] ip_auto_config+0x258/0x1114
[ 16.628727] do_one_initcall+0x80/0x1c8
[ 16.645590] kernel_init_freeable+0x208/0x2f0
[ 16.664917] kernel_init+0x24/0x1e0
[ 16.680295] ret_from_fork+0x10/0x20
[ 16.696369] Code: 927cec03 cb0e0021 8b0e0042 a9411c26 (a900340c)
[ 16.723106] ---[ end trace 0000000000000000 ]---
[ 16.752866] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 16.792556] Kernel Offset: 0x3396ea200000 from 0xffff8000800000
---truncated---
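Added example (not part of the kernel commit or of this record): a small C decoder for triaging an oops like the one above, applied to the ESR and pmd values from the log. It shows that the faulting level 2 entry has its valid bit clear while the rest of the descriptor still reads as a 2 MiB block mapping. The bit positions follow the arm64 stage 1 descriptor layout for a 4K granule; the function names and the `is_invalid_large_leaf` heuristic are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Arm64 stage 1 descriptor bits, 4K granule (architectural layout). */
#define DESC_VALID  (1ULL << 0)            /* the PTE_VALID bit */
#define DESC_TABLE  (1ULL << 1)            /* levels 0-2: 1 = table, 0 = block */
#define DESC_AF     (1ULL << 10)           /* access flag */
#define L2_OA_MASK  0x0000FFFFFFE00000ULL  /* level 2 block output address [47:21] */

/* ESR_ELx fields shown in the "Mem abort info" lines. */
static unsigned esr_ec(uint64_t esr)  { return (unsigned)(esr >> 26) & 0x3f; }
static unsigned esr_wnr(uint64_t esr) { return (unsigned)(esr >> 6) & 1; }
static unsigned esr_fsc(uint64_t esr) { return (unsigned)esr & 0x3f; }

struct l2_entry {
    int valid;          /* bit 0: hardware walks the entry only if set */
    int table;          /* bit 1: points to a next-level table */
    int af;             /* access flag still recorded in the entry */
    uint64_t out_addr;  /* 2 MiB-aligned output address if read as a block */
};

static struct l2_entry decode_l2(uint64_t desc)
{
    struct l2_entry e;
    e.valid = (desc & DESC_VALID) != 0;
    e.table = (desc & DESC_TABLE) != 0;
    e.af = (desc & DESC_AF) != 0;
    e.out_addr = desc & L2_OA_MASK;
    return e;
}

/* Triage heuristic (assumption of this example): a non-zero level 2 entry
 * with bits 0 and 1 both clear is a block mapping that was made invalid. */
static int is_invalid_large_leaf(uint64_t desc)
{
    return desc != 0 && !(desc & (DESC_VALID | DESC_TABLE));
}

int main(void)
{
    const uint64_t esr = 0x96000046ULL;          /* ESR from the log */
    const uint64_t pmd = 0x00e8000199600704ULL;  /* pmd from the log */
    struct l2_entry e = decode_l2(pmd);

    printf("EC=0x%02x WnR=%u FSC=0x%02x\n", esr_ec(esr), esr_wnr(esr), esr_fsc(esr));
    printf("pmd valid=%d table=%d af=%d out_addr=0x%llx invalid_large_leaf=%d\n",
           e.valid, e.table, e.af, (unsigned long long)e.out_addr,
           is_invalid_large_leaf(pmd));
    return 0;
}
```

The decoded fields match the log's own annotation: a data abort at the current EL (EC 0x25) on a write (WnR 1) with a level 2 translation fault (FSC 0x06), against a pmd whose valid bit is clear.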
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.18 (including) | 6.18.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 7.0 (including) | 7.0.1 (excluding) |



