[PATCH] mm: memfd_luo: fix PFN conversion in retrieve cleanup

DaeMyung Kang posted 1 patch 2 months ago
mm/memfd_luo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Posted by DaeMyung Kang 2 months ago
memfd_luo_retrieve_folios()'s error-path cleanup loop passes the raw
PFN to kho_restore_folio(), but the function expects a physical
address. The two other call sites in the same file (the discard path
and the main retrieve loop) correctly convert with PFN_PHYS() before
calling. Without the conversion the cleanup operates on the wrong
address and fails to release the folios that were preserved but not
yet inserted into the address space, leaking them across the live
update.

Apply PFN_PHYS() to match the other call sites.

Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
---
 mm/memfd_luo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c
index b8edb9f981d7..6d8aa429f553 100644
--- a/mm/memfd_luo.c
+++ b/mm/memfd_luo.c
@@ -467,7 +467,7 @@ static int memfd_luo_retrieve_folios(struct file *file,
 	for (long j = i + 1; j < nr_folios; j++) {
 		const struct memfd_luo_folio_ser *pfolio = &folios_ser[j];
 
-		folio = kho_restore_folio(pfolio->pfn);
+		folio = kho_restore_folio(PFN_PHYS(pfolio->pfn));
 		if (folio)
 			folio_put(folio);
 	}
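Review bot: a NULL return from kho_restore_folio() in this cleanup loop is still silently skipped by `if (folio)`, so a folio that was preserved but cannot be restored is leaked without any diagnostic; consider a WARN_ON_ONCE() (or at least a pr_warn()) on that path so the leak this patch is meant to close stays visible if it recurs for a different reason. The PFN_PHYS() conversion itself is consistent with the commit message's description of the other two call sites.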
-- 
2.43.0
Re: [PATCH] mm: memfd_luo: fix PFN conversion in retrieve cleanup
Posted by Pratyush Yadav 2 months ago
Hi DaeMyung,

On Tue, Apr 14 2026, DaeMyung Kang wrote:

> memfd_luo_retrieve_folios()'s error-path cleanup loop passes the raw
> PFN to kho_restore_folio(), but the function expects a physical
> address. The two other call sites in the same file (the discard path
> and the main retrieve loop) correctly convert with PFN_PHYS() before
> calling. Without the conversion the cleanup operates on the wrong
> address and fails to release the folios that were preserved but not
> yet inserted into the address space, leaking them across the live
> update.
>
> Apply PFN_PHYS() to match the other call sites.
>
> Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
> Signed-off-by: DaeMyung Kang <charsyam@gmail.com>

Thanks, but this bug is also already fixed, by this patch [0].

[0] https://lore.kernel.org/linux-mm/20260326084727.118437-6-duanchenghao@kylinos.cn/

[...]

-- 
Regards,
Pratyush Yadav