[PATCH] mm: memfd_luo: fix PFN conversion in retrieve cleanup

Next message: Naman Jain: "Re: [PATCH 06/11] Drivers: hv: Make sint vector architecture neutral in MSHV_VTL"
Previous message: Arnd Bergmann: "Re: [PATCH 1/7] x86/vdso: Respect COMPAT_32BIT_TIME"
Next in thread: Pratyush Yadav: "Re: [PATCH] mm: memfd_luo: fix PFN conversion in retrieve cleanup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: DaeMyung Kang

Date: Mon Apr 13 2026 - 13:16:51 EST

memfd_luo_retrieve_folios()'s error-path cleanup loop passes the raw
PFN to kho_restore_folio(), but the function expects a physical
address. The two other call sites in the same file (the discard path
and the main retrieve loop) correctly convert with PFN_PHYS() before
calling. Without the conversion the cleanup operates on the wrong
address and fails to release the folios that were preserved but not
yet inserted into the address space, leaking them across the live
update.

Apply PFN_PHYS() to match the other call sites.

Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
Signed-off-by: DaeMyung Kang <charsyam@xxxxxxxxx>
---
mm/memfd_luo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c
index b8edb9f981d7..6d8aa429f553 100644
--- a/mm/memfd_luo.c
+++ b/mm/memfd_luo.c
@@ -467,7 +467,7 @@ static int memfd_luo_retrieve_folios(struct file *file,
for (long j = i + 1; j < nr_folios; j++) {
const struct memfd_luo_folio_ser *pfolio = &folios_ser[j];

- folio = kho_restore_folio(pfolio->pfn);
+ folio = kho_restore_folio(PFN_PHYS(pfolio->pfn));
if (folio)
folio_put(folio);
}
--
2.43.0