CVE-2026-46268
Description
In the Linux kernel, the following vulnerability has been resolved:
PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition
Commit b7e282378773 has already changed the initial page refcount of a p2pdma page from one to zero. However, p2pmem_alloc_mmap() uses "VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))" to assert that the initial page refcount should not be zero, and the following will be reported when CONFIG_DEBUG_VM is enabled:
```
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000
flags: 0x20000000002000(reserved|node=0|zone=4)
raw: 0020000000002000 ff1100015e3ab440 0000000000000000 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))
------------[ cut here ]------------
WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60
```
Fix by using "page_ref_count(page)" as the assertion condition.
Affected products
Patches
eb9aa9f80104 PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition
1 file changed · +1 −2
drivers/pci/p2pdma.c+1 −2 modifieddiff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c index 5497ce0be7c5c..12c69bb2b2326 100644 --- a/drivers/pci/p2pdma.c +++ b/drivers/pci/p2pdma.c @@ -147,7 +147,7 @@ static int p2pmem_alloc_mmap(struct file *filp, struct kobject *kobj, * we have just allocated the page no one else should be * using it. */ - VM_WARN_ON_ONCE_PAGE(!page_ref_count(page), page); + VM_WARN_ON_ONCE_PAGE(page_ref_count(page), page); set_page_count(page, 1); ret = vm_insert_page(vma, vaddr, page); if (ret) { -- cgit 1.3-korg
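Review bot: set_page_count(page, 1) directly after the changed VM_WARN_ON_ONCE_PAGE() line still overwrites whatever count the page holds, and the assertion is only a one-time warning that the description ties to CONFIG_DEBUG_VM, so a page that arrives with a non-zero refcount is at most reported and then forced to 1. If a non-zero count here means someone else holds the page, consider failing the mmap in that case instead of continuing to vm_insert_page(); if it cannot happen, say why in the comment above the assertion.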
9b69243983fb PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition
1 file changed · +1 −2
drivers/pci/p2pdma.c+1 −2 modifieddiff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c index 218c1f5252b66..dd64ec830fdd4 100644 --- a/drivers/pci/p2pdma.c +++ b/drivers/pci/p2pdma.c @@ -147,7 +147,7 @@ static int p2pmem_alloc_mmap(struct file *filp, struct kobject *kobj, * we have just allocated the page no one else should be * using it. */ - VM_WARN_ON_ONCE_PAGE(!page_ref_count(page), page); + VM_WARN_ON_ONCE_PAGE(page_ref_count(page), page); set_page_count(page, 1); ret = vm_insert_page(vma, vaddr, page); if (ret) { -- cgit 1.3-korg
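Review bot: the comment above the changed assertion ("we have just allocated the page no one else should be using it") leaves the expected refcount value implicit, so a reader cannot tell from it whether zero or one is the correct initial state. Suggest extending that comment to state that a freshly allocated p2pdma page is expected to have refcount zero and that set_page_count(page, 1) takes the first reference.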
cb500023a752 PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition
1 file changed · +1 −2
drivers/pci/p2pdma.c+1 −2 modifieddiff --git a/drivers/pci/p2pdma.c b/drivers/pci/p2pdma.c index 218c1f5252b66..dd64ec830fdd4 100644 --- a/drivers/pci/p2pdma.c +++ b/drivers/pci/p2pdma.c @@ -147,7 +147,7 @@ static int p2pmem_alloc_mmap(struct file *filp, struct kobject *kobj, * we have just allocated the page no one else should be * using it. */ - VM_WARN_ON_ONCE_PAGE(!page_ref_count(page), page); + VM_WARN_ON_ONCE_PAGE(page_ref_count(page), page); set_page_count(page, 1); ret = vm_insert_page(vma, vaddr, page); if (ret) { -- cgit 1.3-korg
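Review bot: the hunk header @@ -147,7 +147,7 @@ and the single -/+ pair shown here amount to one line replaced, while the stat line for this commit reads +1 −2. Worth comparing this view against the commit itself to confirm that no removed line is missing from the rendering.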
Vulnerability mechanics
Root cause
"A race condition exists where a page's reference count is decremented before a check that expects it to be non-zero."
Attack vector
When CONFIG_DEBUG_VM is enabled, the system may report a kernel warning. This occurs due to a mismatch in expected page reference counts within the p2pmem_alloc_mmap function. The warning indicates a potential issue in memory management related to PCI/P2PDMA operations. The specific warning message details the page's state, including a refcount of 0, and points to the drivers/pci/p2pdma.c file.
Affected code
The vulnerability lies within the `p2pmem_alloc_mmap` function in the file `drivers/pci/p2pdma.c`. Specifically, the line `VM_WARN_ON_ONCE_PAGE(!page_ref_count(page), page);` is the source of the incorrect warning condition.
What the fix does
The patch modifies the assertion condition in the p2pmem_alloc_mmap function within drivers/pci/p2pdma.c. Previously, it checked for `!page_ref_count(page)`, which would trigger a warning when the page's reference count was zero. The fix changes this to `page_ref_count(page)`, ensuring the warning only triggers if the page's reference count is not zero, aligning the check with the expected state after a previous commit that sets the initial refcount to zero [patch_id=4686546].
Preconditions
- config: CONFIG_DEBUG_VM must be enabled.
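For triage, the following added example (not part of the advisory or the kernel tree) parses kernel log text, pairs each page dump with its WARNING line, and separates the stale assertion described above from the corrected assertion firing on a page that really holds references. The function names, verdict labels, timestamps and the second log sample are assumptions made for illustration.

```python
import re

# Constructed sample. The first dump reuses the values quoted in the CVE
# description (timestamps added); the second is invented to show what the
# corrected assertion would print if a page arrived with references held.
SAMPLE_LOG = """\
[   41.100] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000
[   41.101] flags: 0x20000000002000(reserved|node=0|zone=4)
[   41.102] page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))
[   41.103] ------------[ cut here ]------------
[   41.104] WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60
[   97.500] page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400001
[   97.501] page dumped because: VM_WARN_ON_ONCE_PAGE(page_ref_count(page))
[   97.502] ------------[ cut here ]------------
[   97.503] WARNING: CPU: 1 PID: 512 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60
"""

PAGE_RE = re.compile(r"page: refcount:(\d+) .*?pfn:(0x[0-9a-f]+)")
REASON_RE = re.compile(
    r"page dumped because: VM_WARN_ON_ONCE_PAGE\((!?)page_ref_count\(page\)\)")
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at (\S+) (\w+)\+")

def verdict(negated, refcount):
    if negated and refcount == 0:
        return "stale-assertion"       # pre-fix check firing on the normal initial state
    if not negated and refcount > 0:
        return "unexpected-reference"  # post-fix check: page already had references
    return "inconsistent"              # dump and condition disagree; inspect by hand

def classify_p2pdma_warnings(log_text):
    """Return one finding per page dump whose WARNING is in p2pmem_alloc_mmap."""
    findings, current = [], None
    for line in log_text.splitlines():
        if m := PAGE_RE.search(line):
            current = {"refcount": int(m.group(1)), "pfn": m.group(2)}
        elif current is not None and (m := REASON_RE.search(line)):
            current["negated"] = m.group(1) == "!"
        elif current is not None and "negated" in current and (m := WARN_RE.search(line)):
            if m.group(3) == "p2pmem_alloc_mmap":
                findings.append({
                    "pid": int(m.group(1)), "location": m.group(2),
                    "pfn": current["pfn"], "refcount": current["refcount"],
                    "verdict": verdict(current["negated"], current["refcount"]),
                })
            current = None  # a dump belongs to exactly one WARNING line
    return findings
```

Run it over `dmesg` or `journalctl -k` output: a `stale-assertion` verdict matches the warning this CVE describes, while `unexpected-reference` can only come from a kernel that already carries the corrected condition.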
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.