CVE-2026-31686

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/04/2026
Last modified:
27/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/kasan: fix double free for kasan pXds

kasan_free_pxd() assumes the page table is always struct page aligned.
But that's not always the case for all architectures. E.g. In case of
powerpc with 64K pagesize, PUD table (of size 4096) comes from slab cache
named pgtable-2^9. Hence instead of page_to_virt(pxd_page()) let's just
directly pass the start of the pxd table which is passed as the 1st
argument.

This fixes the below double free kasan issue seen with PMEM:

radix-mmu: Mapped 0x0000047d10000000-0x0000047f90000000 with 2.00 MiB pages
==================================================================
BUG: KASAN: double-free in kasan_remove_zero_shadow+0x9c4/0xa20
Free of addr c0000003c38e0000 by task ndctl/2164

CPU: 34 UID: 0 PID: 2164 Comm: ndctl Not tainted 6.19.0-rc1-00048-gea1013c15392 #157 VOLUNTARY
Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_012) hv:phyp pSeries
Call Trace:
dump_stack_lvl+0x88/0xc4 (unreliable)
print_report+0x214/0x63c
kasan_report_invalid_free+0xe4/0x110
check_slab_allocation+0x100/0x150
kmem_cache_free+0x128/0x6e0
kasan_remove_zero_shadow+0x9c4/0xa20
memunmap_pages+0x2b8/0x5c0
devm_action_release+0x54/0x70
release_nodes+0xc8/0x1a0
devres_release_all+0xe0/0x140
device_unbind_cleanup+0x30/0x120
device_release_driver_internal+0x3e4/0x450
unbind_store+0xfc/0x110
drv_attr_store+0x78/0xb0
sysfs_kf_write+0x114/0x140
kernfs_fop_write_iter+0x264/0x3f0
vfs_write+0x3bc/0x7d0
ksys_write+0xa4/0x190
system_call_exception+0x190/0x480
system_call_vectored_common+0x15c/0x2ec
---- interrupt: 3000 at 0x7fff93b3d3f4
NIP: 00007fff93b3d3f4 LR: 00007fff93b3d3f4 CTR: 0000000000000000
REGS: c0000003f1b07e80 TRAP: 3000 Not tainted (6.19.0-rc1-00048-gea1013c15392)
MSR: 800000000280f033 CR: 48888208 XER: 00000000

NIP [00007fff93b3d3f4] 0x7fff93b3d3f4
LR [00007fff93b3d3f4] 0x7fff93b3d3f4
---- interrupt: 3000

The buggy address belongs to the object at c0000003c38e0000
which belongs to the cache pgtable-2^9 of size 4096
The buggy address is located 0 bytes inside of
4096-byte region [c0000003c38e0000, c0000003c38e1000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c38c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:c0000003bfd63e01
flags: 0x63ffff800000040(head|node=6|zone=0|lastcpupid=0x7ffff)
page_type: f5(slab)
raw: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01
head: 063ffff800000040 c000000140058980 5deadbeef0000122 0000000000000000
head: 0000000000000000 0000000080200020 00000000f5000000 c0000003bfd63e01
head: 063ffff800000002 c00c000000f0e301 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

[ 138.953636] [ T2164] Memory state around the buggy address:
[ 138.953643] [ T2164] c0000003c38dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953652] [ T2164] c0000003c38dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953661] [ T2164] >c0000003c38e0000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953669] [ T2164] ^
[ 138.953675] [ T2164] c0000003c38e0080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953684] [ T2164] c0000003c38e0100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 138.953692] [ T2164] ==================================================================
[ 138.953701] [ T2164] Disabling lock debugging due to kernel taint

Impact