{"id":"CVE-2026-23375","summary":"mm: thp: deny THP for files on anonymous inodes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: thp: deny THP for files on anonymous inodes\n\nfile_thp_enabled() incorrectly allows THP for files on anonymous inodes\n(e.g. guest_memfd and secretmem). These files are created via\nalloc_file_pseudo(), which does not call get_write_access() and leaves\ninode-\u003ei_writecount at 0. Combined with S_ISREG(inode-\u003ei_mode) being\ntrue, they appear as read-only regular files when\nCONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP\ncollapse.\n\nAnonymous inodes can never pass the inode_is_open_for_write() check\nsince their i_writecount is never incremented through the normal VFS\nopen path. The right thing to do is to exclude them from THP eligibility\naltogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real\nfilesystem files (e.g. shared libraries), not for pseudo-filesystem\ninodes.\n\nFor guest_memfd, this allows khugepaged and MADV_COLLAPSE to create\nlarge folios in the page cache via the collapse path, but the\nguest_memfd fault handler does not support large folios. This triggers\nWARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().\n\nFor secretmem, collapse_file() tries to copy page contents through the\ndirect map, but secretmem pages are removed from the direct map. This\ncan result in a kernel crash:\n\n    BUG: unable to handle page fault for address: ffff88810284d000\n    RIP: 0010:memcpy_orig+0x16/0x130\n    Call Trace:\n     collapse_file\n     hpage_collapse_scan_file\n     madvise_collapse\n\nSecretmem is not affected by the crash on upstream as the memory failure\nrecovery handles the failed copy gracefully, but it still triggers\nconfusing false memory failure reports:\n\n    Memory failure: 0x106d96f: recovery action for clean unevictable\n    LRU page: Recovered\n\nCheck IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all\nanonymous inode files.","modified":"2026-04-02T13:12:23.161332Z","published":"2026-03-25T10:27:55.754Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23375.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0524ee56af2c9bfbad152a810f1ca95de8ca00d7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/08de46a75f91a6661bc1ce0a93614f4bc313c581"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd085fe9a8ebfc5d10314c60452db38d2b75e609"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f6fa05f0dddd387417d0c28281ddb951582514d6"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23375.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23375"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7fbb5e188248c50f737720825da1864ce42536d1"},{"fixed":"08de46a75f91a6661bc1ce0a93614f4bc313c581"},{"fixed":"0524ee56af2c9bfbad152a810f1ca95de8ca00d7"},{"fixed":"f6fa05f0dddd387417d0c28281ddb951582514d6"},{"fixed":"dd085fe9a8ebfc5d10314c60452db38d2b75e609"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23375.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.8.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23375.json"}}],"schema_version":"1.7.5"}