In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix WARN_ON in tracing_buffers_mmap_close

When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_mapped is already 0, causing the function to return -ENODEV and triggering a WARN_ON.

Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the application does that, it can trigger this issue on fork.

Fix it by incrementing the user_mapped reference count without re-mapping the pages in the VMA's open callback.

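
The reference-count imbalance described above, shown as an added userspace model (not kernel code and not part of the original advisory). Apart from `user_mapped`, the struct and function names are hypothetical, and the model assumes the copied VMA's open callback is where the extra reference is taken.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model only: names are illustrative, not the kernel's own code. */
struct buffer { int user_mapped; };        /* count of live user mappings */
struct vma {
    struct buffer *buf;
    void (*open)(struct vma *);            /* invoked when a VMA is copied */
};

/* The fix as described: take a reference on copy, without re-mapping pages. */
static void fixed_open(struct vma *v) { v->buf->user_mapped++; }

/* Model of fork() copying a VMA whose VM_DONTCOPY flag has been reset. */
static struct vma fork_copy(const struct vma *parent)
{
    struct vma child = *parent;
    if (child.open)
        child.open(&child);
    return child;
}

/* Model of the close path: dropping a reference nobody holds is an error. */
static int buffer_close(struct vma *v)
{
    if (v->buf->user_mapped == 0)
        return -ENODEV;                    /* the case that trips the WARN_ON */
    v->buf->user_mapped--;
    return 0;
}

/* Parent closes first, then the child; returns the child's close result. */
int second_close_result(int with_fix)
{
    struct buffer b = { 1 };               /* the initial mmap() took one reference */
    struct vma parent = { &b, with_fix ? fixed_open : NULL };
    struct vma child = fork_copy(&parent);

    if (buffer_close(&parent) != 0)
        return -EINVAL;                    /* not expected in this model */
    return buffer_close(&child);
}

int main(void)
{
    printf("without open callback: %d\n", second_close_result(0));
    printf("with open callback:    %d\n", second_close_result(1));
    return 0;
}
```
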
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64, cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64, cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64, cf9f0f7c4c5bb45e7bb270e48bab6f7837825a64, 6.10, 6.12.77, 6.18.17, 6.19.7, 7.0-rc3, 6.12.76, 6.18.16, 6.19.6, 7.0-rc2 |
Updated affected versions to include 6.12.76, 6.18.16, 6.19.6, and 7.0-rc2, changed severity to CRITICAL, and noted that no exploit is available.
Updated description with more technical detail, added affected versions 6.12.77, 6.18.17, 6.19.7, and 7.0-rc3, changed severity to HIGH, and marked exploit as available and actively exploited.
Initial creation