CVE-2025-38256

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/rsrc: fix folio unpinning<br /> <br /> syzbot complains about an unmapping failure:<br /> <br /> [ 108.070381][ T14] kernel BUG at mm/gup.c:71!<br /> [ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP<br /> [ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025<br /> [ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work<br /> [ 108.174205][ T14] Call trace:<br /> [ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P)<br /> [ 108.178138][ T14] unpin_user_page+0x80/0x10c<br /> [ 108.180189][ T14] io_release_ubuf+0x84/0xf8<br /> [ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c<br /> [ 108.184345][ T14] io_rsrc_data_free+0x148/0x298<br /> [ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0<br /> [ 108.188991][ T14] io_ring_ctx_free+0x48/0x480<br /> [ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8<br /> [ 108.193207][ T14] process_one_work+0x7e8/0x155c<br /> [ 108.195431][ T14] worker_thread+0x958/0xed8<br /> [ 108.197561][ T14] kthread+0x5fc/0x75c<br /> [ 108.199362][ T14] ret_from_fork+0x10/0x20<br /> <br /> We can pin a tail page of a folio, but then io_uring will try to unpin<br /> the head page of the folio. While it should be fine in terms of keeping<br /> the page actually alive, mm folks say it&amp;#39;s wrong and triggers a debug<br /> warning. Use unpin_user_folio() instead of unpin_user_page*.<br /> <br /> [axboe: adapt to current tree, massage commit message]