CVE-2025-21778

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
27/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tracing: Do not allow mmap() of persistent ring buffer

When trying to mmap a trace instance buffer that is attached to
reserve_mem, it would crash:

  BUG: unable to handle page fault for address: ffffe97bd00025c8
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 2862f3067 P4D 2862f3067 PUD 0
  Oops: Oops: 0000 [#1] PREEMPT_RT SMP PTI
  CPU: 4 UID: 0 PID: 981 Comm: mmap-rb Not tainted 6.14.0-rc2-test-00003-g7f1a5e3fbf9e-dirty #233
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
  RIP: 0010:validate_page_before_insert+0x5/0xb0
  Code: e2 01 89 d0 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 8b 46 08 a8 01 75 67 66 90 48 89 f0 8b 50 34 85 d2 74 76 48 89
  RSP: 0018:ffffb148c2f3f968 EFLAGS: 00010246
  RAX: ffff9fa5d3322000 RBX: ffff9fa5ccff9c08 RCX: 00000000b879ed29
  RDX: ffffe97bd00025c0 RSI: ffffe97bd00025c0 RDI: ffff9fa5ccff9c08
  RBP: ffffb148c2f3f9f0 R08: 0000000000000004 R09: 0000000000000004
  R10: 0000000000000000 R11: 0000000000000200 R12: 0000000000000000
  R13: 00007f16a18d5000 R14: ffff9fa5c48db6a8 R15: 0000000000000000
  FS:  00007f16a1b54740(0000) GS:ffff9fa73df00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffffe97bd00025c8 CR3: 00000001048c6006 CR4: 0000000000172ef0
  Call Trace:
   <TASK>
   ? __die_body.cold+0x19/0x1f
   ? __die+0x2e/0x40
   ? page_fault_oops+0x157/0x2b0
   ? search_module_extables+0x53/0x80
   ? validate_page_before_insert+0x5/0xb0
   ? kernelmode_fixup_or_oops.isra.0+0x5f/0x70
   ? __bad_area_nosemaphore+0x16e/0x1b0
   ? bad_area_nosemaphore+0x16/0x20
   ? do_kern_addr_fault+0x77/0x90
   ? exc_page_fault+0x22b/0x230
   ? asm_exc_page_fault+0x2b/0x30
   ? validate_page_before_insert+0x5/0xb0
   ? vm_insert_pages+0x151/0x400
   __rb_map_vma+0x21f/0x3f0
   ring_buffer_map+0x21b/0x2f0
   tracing_buffers_mmap+0x70/0xd0
   __mmap_region+0x6f0/0xbd0
   mmap_region+0x7f/0x130
   do_mmap+0x475/0x610
   vm_mmap_pgoff+0xf2/0x1d0
   ksys_mmap_pgoff+0x166/0x200
   __x64_sys_mmap+0x37/0x50
   x64_sys_call+0x1670/0x1d70
   do_syscall_64+0xbb/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>

The reason was that the code that maps the ring buffer pages to user space
has:

  page = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);

And uses that in:

  vm_insert_pages(vma, vma->vm_start, pages, &nr_pages);

But virt_to_page() does not work with vmap()'d memory which is what the
persistent ring buffer has. It is rather trivial to allow this, but for
now just disable mmap() of instances that have their ring buffer from the
reserve_mem option.

If an mmap() is performed on a persistent buffer it will return -ENODEV
just like it would if the .mmap field wasn't defined in the
file_operations structure.
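As an added illustration (a userspace model written for this page, not kernel code and not the upstream fix), the program below mimics why virt_to_page() arithmetic produces a bogus page for vmap()'d memory and what the -ENODEV guard described above cuts off; the address-space layout, page table, buffer struct and function names are all constructed.

```c
#include <stdint.h>
#include <errno.h>

#define PAGE_SHIFT      12
#define PAGE_SIZE       (1UL << PAGE_SHIFT)
#define NR_PAGES        64              /* constructed: 64 physical pages */
#define DIRECT_MAP_BASE 0x100000000UL   /* direct map: linear over all pages */
#define VMALLOC_BASE    0x200000000UL   /* vmalloc/vmap area: page-table backed */
#define VMALLOC_NR      8

/* Constructed page table for the vmalloc area: virtual page i -> physical page */
static const long vmalloc_pt[VMALLOC_NR] = {40, 41, 42, 43, 44, 45, 46, 47};

/* Model of virt_to_page(): pure arithmetic, only valid inside the direct map.
 * Fed a vmalloc address it silently computes a page number that exists nowhere. */
static long model_virt_to_page(uintptr_t va)
{
    return (long)((va - DIRECT_MAP_BASE) >> PAGE_SHIFT);
}

/* Model of vmalloc_to_page(): walks the page table instead of doing arithmetic. */
static long model_vmalloc_to_page(uintptr_t va)
{
    return vmalloc_pt[(va - VMALLOC_BASE) >> PAGE_SHIFT];
}

/* Model of vm_insert_pages(): an out-of-range page number is the userspace
 * stand-in for the kernel dereferencing a bogus struct page and oopsing. */
static int model_vm_insert_page(long pfn)
{
    return (pfn < 0 || pfn >= NR_PAGES) ? -EFAULT : 0;
}

/* Constructed stand-in for the per-CPU buffer: one sub-buffer address plus a
 * flag for "backed by reserve_mem, i.e. vmap()'d memory". */
struct model_buffer { uintptr_t subbuf_va; int persistent; };

/* Pre-fix path: virt_to_page() applied to whatever address the sub-buffer holds. */
static int map_unguarded(const struct model_buffer *b)
{
    return model_vm_insert_page(model_virt_to_page(b->subbuf_va));
}

/* Guard matching the commit's description: a persistent buffer is refused
 * with -ENODEV before any page lookup happens. */
static int map_guarded(const struct model_buffer *b)
{
    return b->persistent ? -ENODEV : map_unguarded(b);
}
```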

Impact