CVE-2026-46280

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib: test_hmm: evict device pages on file close to avoid use-after-free<br /> <br /> Patch series "Minor hmm_test fixes and cleanups".<br /> <br /> Two bugfixes a cleanup for the HMM kernel selftests. These were mostly<br /> reported by Zenghui Yu with special thanks to Lorenzo for analysing and<br /> pointing out the problems.<br /> <br /> <br /> This patch (of 3):<br /> <br /> When dmirror_fops_release() is called it frees the dmirror struct but<br /> doesn&amp;#39;t migrate device private pages back to system memory first. This<br /> leaves those pages with a dangling zone_device_data pointer to the freed<br /> dmirror.<br /> <br /> If a subsequent fault occurs on those pages (eg. during coredump) the<br /> dmirror_devmem_fault() callback dereferences the stale pointer causing a<br /> kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,<br /> where a test failure triggered SIGABRT and the resulting coredump walked<br /> the VMAs faulting in the stale device private pages.<br /> <br /> Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in<br /> dmirror_fops_release() to migrate all device private pages back to system<br /> memory before freeing the dmirror struct. The function is moved earlier<br /> in the file to avoid a forward declaration.