HIGH
s390 SecureStorage Exception Loop
CVE-2026-31568
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

s390/mm: Add missing secure storage access fixups for donated memory

There are special cases where secure storage access exceptions happen in a kernel context for pages that don't have the PG_arch_1 bit set. That bit is set for non-exported guest secure storage (memory) but is absent on storage donated to the Ultravisor since the kernel isn't allowed to export donated pages.

Prior to this patch we would try to export the page by calling arch_make_folio_accessible() which would instantly return since the arch bit is absent signifying that the page was already exported and no further action is necessary. This leads to secure storage access exception loops which can never be resolved.

With this patch we unconditionally try to export and if that fails we fixup.
02 KernelScan AI Analysis
Risk summary
An attacker with local access to an s390 system with secure execution could trigger infinite exception loops by causing the kernel to access donated secure memory, leading to a system hang and denial of service. The vulnerability requires specific s390 hardware features and a secure execution configuration to be exploitable.
Vulnerability analysis
Summary: The s390 secure storage access exception handler enters an infinite loop when handling donated memory pages that lack the PG_arch_1 bit, causing a denial of service condition.
Root Cause: The original code incorrectly assumed that pages without the PG_arch_1 bit were already exported and needed no further action. However, pages donated to the Ultravisor legitimately lack this bit but still require export handling. When arch_make_folio_accessible() returns immediately due to the missing bit, the secure storage access exception is never resolved, creating an infinite exception loop.
Attack Surface: This vulnerability affects s390 systems running secure execution environments with Ultravisor support. It can be triggered locally when the kernel attempts to access donated secure memory pages, potentially by unprivileged processes that cause the kernel to access such memory regions.
Fix Mechanism: The patch replaces the conditional export logic with unconditional export attempts using uv_convert_from_secure(). If the export fails, it properly handles the error through handle_fault_error_nolock() instead of triggering a BUG(), allowing the system to recover gracefully from legitimate access patterns to donated secure memory.
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.21 | b36b0e804aee |
| 6.19 | 6.19.11 | 43ac2d18db11 |
| mainline | 7.0 | b00be77302d7 |