CVE-2026-23375

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: thp: deny THP for files on anonymous inodes<br /> <br /> file_thp_enabled() incorrectly allows THP for files on anonymous inodes<br /> (e.g. guest_memfd and secretmem). These files are created via<br /> alloc_file_pseudo(), which does not call get_write_access() and leaves<br /> inode-&gt;i_writecount at 0. Combined with S_ISREG(inode-&gt;i_mode) being<br /> true, they appear as read-only regular files when<br /> CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP<br /> collapse.<br /> <br /> Anonymous inodes can never pass the inode_is_open_for_write() check<br /> since their i_writecount is never incremented through the normal VFS<br /> open path. The right thing to do is to exclude them from THP eligibility<br /> altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real<br /> filesystem files (e.g. shared libraries), not for pseudo-filesystem<br /> inodes.<br /> <br /> For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create<br /> large folios in the page cache via the collapse path, but the<br /> guest_memfd fault handler does not support large folios. This triggers<br /> WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().<br /> <br /> For secretmem, collapse_file() tries to copy page contents through the<br /> direct map, but secretmem pages are removed from the direct map. This<br /> can result in a kernel crash:<br /> <br /> BUG: unable to handle page fault for address: ffff88810284d000<br /> RIP: 0010:memcpy_orig+0x16/0x130<br /> Call Trace:<br /> collapse_file<br /> hpage_collapse_scan_file<br /> madvise_collapse<br /> <br /> Secretmem is not affected by the crash on upstream as the memory failure<br /> recovery handles the failed copy gracefully, but it still triggers<br /> confusing false memory failure reports:<br /> <br /> Memory failure: 0x106d96f: recovery action for clean unevictable<br /> LRU page: Recovered<br /> <br /> Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all<br /> anonymous inode files.