From nobody Thu Apr 2 22:29:00 2026 Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 73C36142E83 for ; Sat, 14 Feb 2026 00:15:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771028148; cv=none; b=ZcwA9XczIXBon/lzK+grYHiDHhMqnltVPR7wL0ydXBBONpwHZ7Msxkr6jxonyDQuUy+YhyEMzcgM6ky4SIhAgfVRAWMwsBc915v/CYi54wuCTUSgfOsnrROL1VCyiYqv3TssYT+dR9FfAKR/1xrktj6Hv4JRhndG7L7mUfV0Hes= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1771028148; c=relaxed/simple; bh=1Y2gDnp3k+QmNTMZEb9ab0smo7tRUetnDbZaljZPbCM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=TPUgfUo/CGAHwBix7fAJv9AhDI1i1h7Awyd8fyFuTMOSqwqqnvhCW9kyrudgZkpD/uGh0hl0f26qHis+fZoFol9V5keH34Zh+I5IJ+ZiGtZVFkFD0/u4THLrp1D1dWPcvaC9ifh2xlX1qinwG6ENvTkk3RePv2H2FcHvCsHBRCU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ZC5OKy8Q; arc=none smtp.client-ip=209.85.210.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ZC5OKy8Q" Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-82310b74496so844151b3a.3 for ; Fri, 13 Feb 2026 16:15:47 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1771028147; x=1771632947; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=oJSrOsjXaV/MjMNYMY7kpWcAneJSnkLcnWKVI0es/80=; b=ZC5OKy8Qo3etyte0LktEA8nVYZ3TInj/LoY9YwldgrW7b2NB7kvmWFGxhl0WKmpnpz ALnxVYNxX+isa8SGnk/tp36i7cEoAxXXbcFlD7JNVw6Wr5DgcqHIbJnf9BJ38EekSdzR 0cB+lEacc68ZsUkM8mGUp+u+H4pCRT45mgHHlRAjihEJLZh/pE3iwfqrQgNtikKLroi9 8s+J0lSSxGv4oOf9e0u9V8Z3BmipWHrX/Adnnf0DYlIeJu0qqnnXPMc1ltXRJwc32wK0 jPEDEGnxR7QeBe1D7EGN4B+zpox7gH0LXiN378vhz5TGVDw0ZbwRknY3OvPLvrv6KJDR VIxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771028147; x=1771632947; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=oJSrOsjXaV/MjMNYMY7kpWcAneJSnkLcnWKVI0es/80=; b=gxorcXnw2dNejQgdv+hJGiMJPYNUydIzffJWuxPNmQn+24St2aSPBbz5t1zwL5f25j Ic2gL7Qlozh70iB7zFSPL3ZXDM+5eiMlNq1FPQCZWPejT+YTC3FPPgyoUBeVeaU4ccfR VHYsKR+n02u+21OU53ViJ9ekA+hrL95AKBILTsO1zTom5LoEGUNA79I0CCb0oTmLCMYq 0P9WyAglwltZXxqKcTfHe7Y4KBJBwpjG1aH3ieMiRIO/EG9z2jzb8fj1lDVG5X8dHuvR pijlfds1YuJXhkeDgyPf9R9DyjhBlKHtF7vOU6DDZfDYdja6e0IInoV23hxSoMTkKe54 gzZA== X-Forwarded-Encrypted: i=1; AJvYcCW1/CjjPbLu7xwFRUeG6u8+noujVfK7GfiQouUDVvPvtrFYJ/bzeh/BAN2JBHlE5+evDdJbdoSwB0cvMbE=@vger.kernel.org X-Gm-Message-State: AOJu0YyIzSM4KGwZQ0Pb4jGKwiEFXHBODcNX0AZsSptmwELWn4lPi5/+ 1QaYBrV4fnXiYMiO+qeORPfVAFcQjAHo8h7b4MKtY6U5SlOnazaKz1NG X-Gm-Gg: AZuq6aLB3v7GIOZ0Hf0pni76TW80HOIngPCL/S5ahFADvVqau6NV0S9t4XaDQeajG0R 8Ojcsmb0w/IWV2pBuPVHBwDk7IS45R1FC4pSUy2xC4mY+YwXnMXvS7G6+hKIFI/7pH9jUUzTLtu LjETxT9Y7Hzh8zBmSS6oSg61Qu53QPp4iSmlC8MEdtStBQCA263SBtNdtJCdvpB6MavU2zZuADf eO7qX+1xXQ82nQuNXtYIlBI7ZQ3pZC9nxbRttLDn8Dg/CQqFjYgLshAHVWhb8k1IwX0Jw498P+g pL4JLMjeggCj2sxENvs8kKierk1nE5fbcTwmMyAoOQVqLgxiH2vvPhJYqo+z9vLXskDLjCkP6pD KYTVDyv7i9fefW+DYm/T547ujhiXgOYNoFng4FaT5vrlexaFwp17SlLptiz9v/lU8p4xN/yem9P qoYfLtpTsVtMpHZ/He1jNrRRdAs1Rk+39QI+R0FRjOQ1Xsd6y6vNvlQIcNFjTsC3oEjU4Rc933c hzEh0yICdvm/B7k X-Received: by 2002:a05:6300:408d:b0:38d:ec2d:80e5 with SMTP id adf61e73a8af0-3946c9220ddmr3409951637.45.1771028146749; Fri, 13 Feb 2026 16:15:46 -0800 (PST) Received: from deepanshu-kernel-hacker.. ([2405:201:682f:389d:1ca3:229:a9f4:8c87]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c6e52fcfc08sm217762a12.1.2026.02.13.16.15.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 Feb 2026 16:15:45 -0800 (PST) From: Deepanshu Kartikey To: akpm@linux-foundation.org, david@kernel.org, lorenzo.stoakes@oracle.com, ziy@nvidia.com, baolin.wang@linux.alibaba.com, Liam.Howlett@oracle.com, npache@redhat.com, ryan.roberts@arm.com, dev.jain@arm.com, baohua@kernel.org, lance.yang@linux.dev, i@maskray.me, shy828301@gmail.com, ackerleytng@google.com Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Deepanshu Kartikey , syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com, stable@vger.kernel.org, Deepanshu Kartikey Subject: [PATCH v2] mm: thp: deny THP for files on anonymous inodes Date: Sat, 14 Feb 2026 05:45:35 +0530 Message-ID: <20260214001535.435626-1-kartikey406@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(inode->i_mode) being true, they appear as read-only regular files when CONFIG_READ_ONLY_THP_FOR_FS is enabled, making them eligible for THP collapse. Anonymous inodes can never pass the inode_is_open_for_write() check since their i_writecount is never incremented through the normal VFS open path. The right thing to do is to exclude them from THP eligibility altogether, since CONFIG_READ_ONLY_THP_FOR_FS was designed for real filesystem files (e.g. shared libraries), not for pseudo-filesystem inodes. For guest_memfd, this allows khugepaged and MADV_COLLAPSE to create large folios in the page cache via the collapse path, but the guest_memfd fault handler does not support large folios. This triggers WARN_ON_ONCE(folio_test_large(folio)) in kvm_gmem_fault_user_mapping(). For secretmem, collapse_file() tries to copy page contents through the direct map, but secretmem pages are removed from the direct map. This can result in a kernel crash: BUG: unable to handle page fault for address: ffff88810284d000 RIP: 0010:memcpy_orig+0x16/0x130 Call Trace: collapse_file hpage_collapse_scan_file madvise_collapse Secretmem is not affected by the crash on upstream as the memory failure recovery handles the failed copy gracefully, but it still triggers confusing false memory failure reports: Memory failure: 0x106d96f: recovery action for clean unevictable LRU page: Recovered Check IS_ANON_FILE(inode) in file_thp_enabled() to deny THP for all anonymous inode files. Link: https://syzkaller.appspot.com/bug?extid=3D33a04338019ac7e43a44 Link: https://lore.kernel.org/linux-mm/CAEvNRgHegcz3ro35ixkDw39ES8=3DU6rs6S= 7iP0gkR9enr7HoGtA@mail.gmail.com Reported-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D33a04338019ac7e43a44 Fixes: 7fbb5e188248 ("mm: remove VM_EXEC requirement for THP eligibility") Tested-by: syzbot+33a04338019ac7e43a44@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Deepanshu Kartikey Acked-by: David Hildenbrand (Arm) Reviewed-by: Ackerley Tng Reviewed-by: Barry Song Reviewed-by: Lorenzo Stoakes Tested-by: Ackerley Tng Tested-by: Lance Yang --- v2: - Use IS_ANON_FILE(inode) to deny THP for all anonymous inode files instead of checking for specific subsystems (David Hildenbrand) - Updated Fixes tag to 7fbb5e188248 which removed the VM_EXEC requirement that accidentally protected secretmem - Expanded commit message with implications for both guest_memfd and secretmem --- mm/huge_memory.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 40cf59301c21..d3beddd8cc30 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -94,6 +94,9 @@ static inline bool file_thp_enabled(struct vm_area_struct= *vma) =20 inode =3D file_inode(vma->vm_file); =20 + if (IS_ANON_FILE(inode)) + return false; + return !inode_is_open_for_write(inode) && S_ISREG(inode->i_mode); } =20 --=20 2.43.0