CVE-2026-23100
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/02/2026
Last modified:
04/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb_pmd_shared()

Patch series "mm/hugetlb: fixes for PMD table sharing (incl. using
mmu_gather)", v3.

One functional fix, one performance regression fix, and two related
comment fixes.

I cleaned up my prototype I recently shared [1] for the performance fix,
deferring most of the cleanups I had in the prototype to a later point.
While doing that I identified the other things.

The goal of this patch set is to be backported to stable trees "fairly"
easily. At least patch #1 and #4.

Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing
Patch #2 + #3 are simple comment fixes that patch #4 interacts with.
Patch #4 is a fix for the reported performance regression due to excessive
IPI broadcasts during fork()+exit().

The last patch is all about TLB flushes, IPIs and mmu_gather.
Read: complicated

There are plenty of cleanups in the future to be had + one reasonable
optimization on x86. But that's all out of scope for this series.

Runtime tested, with a focus on fixing the performance regression using
the original reproducer [2] on x86.

This patch (of 4):

We switched from (wrongly) using the page count to an independent shared
count. Now, shared page tables have a refcount of 1 (excluding
speculative references) and instead use ptdesc->pt_share_count to identify
sharing.

We didn't convert hugetlb_pmd_shared(), so right now, we would never
detect a shared PMD table as such, because sharing/unsharing no longer
touches the refcount of a PMD table.

Page migration, like mbind() or migrate_pages() would allow for migrating
folios mapped into such shared PMD tables, even though the folios are not
exclusive. In smaps we would account them as "private" although they are
"shared", and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the
pagemap interface.

Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared().
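
The following user-space model is an added illustration, not code from the kernel patch or its author. It shows why a refcount-based check stops seeing sharing once sharing is tracked only in pt_share_count, and how that surfaces as a wrongly set exclusive bit. All model_* names are hypothetical; it assumes a share count of 0 means "not shared" and that the mapped folio has no other mappings.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model, not kernel code. Only the two counters named in the
 * commit message are represented; all model_* names are hypothetical. */
struct model_ptdesc {
    int refcount;        /* stays at 1 for a live PMD table */
    int pt_share_count;  /* assumption: 0 = not shared, >0 = shared */
};

#define MODEL_PM_MMAP_EXCLUSIVE (1ULL << 56) /* pagemap bit 56 */

/* Sharing/unsharing only touches the share count, never the refcount. */
static void model_share(struct model_ptdesc *pt)   { pt->pt_share_count++; }
static void model_unshare(struct model_ptdesc *pt) { pt->pt_share_count--; }

/* Pre-fix behaviour described above: decide by refcount. */
static bool model_pmd_shared_old(const struct model_ptdesc *pt)
{
    return pt->refcount > 1;
}

/* Post-fix behaviour: decide by the dedicated share count. */
static bool model_pmd_shared_fixed(const struct model_ptdesc *pt)
{
    return pt->pt_share_count != 0;
}

/* Simplified pagemap view: exclusive bit set iff the table is "not shared"
 * (assumes the folio itself has a single mapping). */
static uint64_t model_pagemap_entry(bool shared)
{
    return shared ? 0 : MODEL_PM_MMAP_EXCLUSIVE;
}

int main(void)
{
    struct model_ptdesc pt = { .refcount = 1, .pt_share_count = 0 };

    model_share(&pt); /* a second process now maps through this table */
    printf("old:   shared=%d exclusive_bit=%d\n", model_pmd_shared_old(&pt),
           model_pagemap_entry(model_pmd_shared_old(&pt)) != 0);
    printf("fixed: shared=%d exclusive_bit=%d\n", model_pmd_shared_fixed(&pt),
           model_pagemap_entry(model_pmd_shared_fixed(&pt)) != 0);
    model_unshare(&pt);
    return model_pmd_shared_fixed(&pt); /* 0: no longer shared */
}
```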



