PT-2026-27740 · Linux · Linux

Published: 2026-03-25 · Updated: 2026-03-25 · CVE-2026-23375 · Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

mm: thp: deny THP for files on anonymous inodes

file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being true, they appear as read-only regular files when CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP collapse.

Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The right thing to do is to exclude them from THP eligibility altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real filesystem files (e.g. shared libraries), not for pseudo-filesystem inodes.

For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path, but the guest_memfd fault handler does not support large folios. This triggers WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping().

For secretmem, collapse_file() tries to copy page contents through the direct map, but secretmem pages are removed from the direct map. This can result in a kernel crash:

  BUG: unable to handle page fault for address: ffff88810284d000
  RIP: 0010:memcpy_orig+0x16/0x130
  Call Trace:
   collapse_file
   hpage_collapse_scan_file
   madvise_collapse

Secretmem is not affected by the crash on upstream as the memory failure recovery handles the failed copy gracefully, but it still triggers confusing false memory failure reports:

  Memory failure: 0x106d96f: recovery action for clean unevictable LRU page: Recovered

Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all anonymous inode files.
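The eligibility decision described above, as an added userspace model in C. This is not the kernel's code and not part of the advisory. The struct, the MODEL_* constants, the function names and the three sample inodes are constructed for illustration; only the shape of the check (regular file, write count, anonymous-inode test) follows the text.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: struct, constants and sample inodes are constructed
 * for illustration; they are not the kernel's definitions. */
#define MODEL_S_IFMT       0170000u
#define MODEL_S_IFREG      0100000u
#define MODEL_S_ANON_INODE 0x1u   /* stand-in for the flag IS_ANON_FILE() tests */

struct model_inode {
    const char  *name;
    unsigned int i_mode;
    int          i_writecount;  /* raised by get_write_access() on a normal open */
    unsigned int i_flags;
};

static bool model_is_reg(const struct model_inode *in)
{ return (in->i_mode & MODEL_S_IFMT) == MODEL_S_IFREG; }

/* Pre-fix check: a regular file that nobody has open for writing. */
bool thp_allowed_before(const struct model_inode *in, bool ro_thp_for_fs)
{
    if (!ro_thp_for_fs)
        return false;
    return in->i_writecount <= 0 && model_is_reg(in);
}

/* Post-fix check: anonymous-inode files are rejected first. */
bool thp_allowed_after(const struct model_inode *in, bool ro_thp_for_fs)
{
    if (in->i_flags & MODEL_S_ANON_INODE)
        return false;
    return thp_allowed_before(in, ro_thp_for_fs);
}

/* Constructed samples: a mapped shared library, a file opened read-write,
 * and a secretmem-style file created without get_write_access(). */
const struct model_inode model_samples[] = {
    { "libexample.so",     MODEL_S_IFREG | 0755, 0, 0 },
    { "data.log (O_RDWR)", MODEL_S_IFREG | 0644, 1, 0 },
    { "secretmem",         MODEL_S_IFREG | 0600, 0, MODEL_S_ANON_INODE },
};

int main(void)
{
    for (size_t i = 0; i < sizeof model_samples / sizeof model_samples[0]; i++)
        printf("%-18s before=%d after=%d\n", model_samples[i].name,
               thp_allowed_before(&model_samples[i], true),
               thp_allowed_after(&model_samples[i], true));
    return 0;
}
```

The secretmem-style sample is the only one whose result changes between the two checks: its write count of 0 makes it look like a read-only regular file until the anonymous-inode test excludes it.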

Related Identifiers

CVE-2026-23375

Affected Products

Linux