CVE-2026-46017

In the Linux kernel, the following vulnerability has been resolved:

mm: fix deferred split queue races during migration

migrate folio move() records the deferred split queue state from src and replays it on dst. Replaying it after remove migration ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred split folio().

Move the requeue before remove migration ptes() so dst is back on the deferred split queue before it becomes visible again.

Because migration still holds dst locked at that point, teach deferred split scan() to requeue a folio when folio trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split queue.

[ziy@nvidia.com: move the comment]