PT-2026-47352 · Linux · Linux
Published 2026-06-08 · Updated 2026-06-08 · CVE-2026-46280
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
lib: test_hmm: evict device pages on file close to avoid use-after-free
Patch series "Minor hmm test fixes and cleanups".
Two bugfixes and a cleanup for the HMM kernel selftests. These were mostly
reported by Zenghui Yu with special thanks to Lorenzo for analysing and
pointing out the problems.
This patch (of 3):
When dmirror_fops_release() is called it frees the dmirror struct but
doesn't migrate device private pages back to system memory first. This
leaves those pages with a dangling zone_device_data pointer to the freed
dmirror.
If a subsequent fault occurs on those pages (e.g. during coredump) the
dmirror_devmem_fault() callback dereferences the stale pointer causing a
kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,
where a test failure triggered SIGABRT and the resulting coredump walked
the VMAs faulting in the stale device private pages.
Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in
dmirror_fops_release() to migrate all device private pages back to system
memory before freeing the dmirror struct. The function is moved earlier
in the file to avoid a forward declaration.
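The ordering problem described above, as an added example that is not part of the kernel patch or the original page: a simplified userspace model in C that counts how many device private pages still point at a released owner, with and without evicting first. The `alive` flag, `page_model`, `chunk`, `count_stale` and `release_scenario` are assumptions made for the illustration, and the sizes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
enum { NPAGES = 4, NCHUNKS = 2 };   /* constructed sizes */
/* Userspace model only: "alive" stands in for the dmirror allocation being valid. */
struct dmirror { bool alive; };
struct page_model {
    bool device_private;               /* page currently lives in device memory */
    struct dmirror *zone_device_data;  /* owner pointer read by the fault path */
};
struct chunk { struct page_model pages[NPAGES]; };

/* Model of chunk eviction: every page goes back to system memory. */
static void evict_chunk(struct chunk *c)
{
    for (size_t i = 0; i < NPAGES; i++)
        c->pages[i] = (struct page_model){ false, NULL };
}

/* Count pages whose next fault would dereference a released owner. */
static size_t count_stale(const struct chunk *cs)
{
    size_t stale = 0;
    for (size_t i = 0; i < NCHUNKS * NPAGES; i++) {
        const struct page_model *p = &cs[i / NPAGES].pages[i % NPAGES];
        if (p->device_private && !p->zone_device_data->alive)
            stale++;
    }
    return stale;
}

/* open -> migrate 5 pages to the device -> release; evict_first is the fixed order. */
size_t release_scenario(bool evict_first)
{
    struct dmirror d = { true };
    struct chunk cs[NCHUNKS] = { 0 };
    for (size_t i = 0; i < 5; i++)
        cs[i / NPAGES].pages[i % NPAGES] = (struct page_model){ true, &d };
    for (size_t i = 0; evict_first && i < NCHUNKS; i++)
        evict_chunk(&cs[i]);
    d.alive = false;                   /* release(): the owner is gone from here on */
    return count_stale(cs);
}

int main(void)
{
    printf("stale: before fix %zu, after fix %zu\n", release_scenario(false), release_scenario(true));
    return 0;
}
```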
Affected Products
Linux