CVE-2025-38563
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/08/2025
Last modified:
08/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

perf/core: Prevent VMA split of buffer mappings

The perf mmap code is careful about mmap()'ing the user page with the
ringbuffer and additionally the auxiliary buffer, when the event supports
it. Once the first mapping is established, subsequent mappings have to use
the same offset and the same size in both cases. The reference counting for
the ringbuffer and the auxiliary buffer depends on this being correct.

Though perf does not prevent that a related mapping is split via mmap(2),
munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls,
which take reference counts, but then the subsequent perf_mmap_close()
calls are no longer fulfilling the offset and size checks. This leads to
reference count leaks.

As perf already has the requirement for subsequent mappings to match the
initial mapping, the obvious consequence is that VMA splits, caused by
resizing of a mapping or partial unmapping, have to be prevented.

Implement the vm_operations_struct::may_split() callback and return
unconditionally -EINVAL.

That ensures that the mapping offsets and sizes cannot be changed after the
fact. Remapping to a different fixed address with the same size is still
possible as it takes the references for the new mapping and drops those of
the old mapping.
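The reference-count imbalance and the effect of refusing the split can be seen in a small user-space model. This is an added example, not kernel code and not taken from the upstream patch; the struct and function names (`buffer`, `mapping`, `map_open`, `map_close`, `split`, `leaked_refs`) are hypothetical, and the close check is simplified to the offset/size comparison the description mentions.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model: one buffer, reference counted, with the offset and
 * size of its initial mapping recorded. Names are illustrative only. */
struct buffer  { int refs; unsigned long off, size; };
struct mapping { struct buffer *buf; unsigned long off, size; };

/* Models perf_mmap_open(): every new VMA takes a reference. */
static void map_open(struct mapping *m) { m->buf->refs++; }

/* Models perf_mmap_close(): the reference is only dropped when the VMA
 * still matches the offset and size of the initial mapping. */
static void map_close(struct mapping *m)
{
    if (m->off == m->buf->off && m->size == m->buf->size)
        m->buf->refs--;
}

/* Models the may_split() callback from the fix: always refuse. */
static int may_split_fixed(void) { return -EINVAL; }

/* Partial unmap at byte 'at': splits the VMA unless may_split() refuses. */
static int split(struct mapping *m, struct mapping *tail,
                 unsigned long at, int fixed)
{
    if (fixed && may_split_fixed() != 0)
        return -EINVAL;
    tail->buf = m->buf;
    tail->off = m->off + at;
    tail->size = m->size - at;
    m->size = at;
    map_open(tail);   /* the split triggers open() on the new VMA */
    return 0;
}

/* References still held after every mapping is closed (0 = balanced). */
int leaked_refs(int fixed)
{
    struct buffer b = { 0, 0, 8 * 4096UL };
    struct mapping m = { &b, b.off, b.size }, tail = { 0, 0, 0 };

    map_open(&m);
    if (split(&m, &tail, 4096, fixed) == 0)
        map_close(&tail);   /* offset no longer matches: no put */
    map_close(&m);          /* size no longer matches unless split refused */
    return b.refs;
}

int main(void)
{
    printf("split allowed: %d refs leaked\n", leaked_refs(0));
    printf("split refused: %d refs leaked\n", leaked_refs(1));
    return 0;
}
```
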
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.1 (including) | 5.4.297 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.241 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.190 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.148 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.102 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.42 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.16 (including) | 6.16.1 (excluding) |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3bd518cc7ea61076bcd725e36ff0e690754977c0
- https://git.kernel.org/stable/c/65311aad4c808bedad0c05d9bb8b06c47dae73eb
- https://git.kernel.org/stable/c/6757a31a8e295ae4f01717a954afda173f25a121
- https://git.kernel.org/stable/c/7b84cb58d1f0aa07656802eae24689566e5f5b1b
- https://git.kernel.org/stable/c/b024d7b56c77191cde544f838debb7f8451cd0d6
- https://git.kernel.org/stable/c/d52451a9210f2e5a079ba052918c93563518a9ff
- https://git.kernel.org/stable/c/e4346ffec2c44d6b0be834d59b20632b5bb5729e
- https://git.kernel.org/stable/c/e529888b7e8092912dd8789bdfc76685ccd2ff5f
- https://git.kernel.org/stable/c/ff668930871e0198c7f4e325058b8b7c286787bd
- https://www.zerodayinitiative.com/advisories/ZDI-25-873/
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html



