Acknowledged
Created: Aug 20, 2025
Updated: Aug 26, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

perf/core: Prevent VMA split of buffer mappings

The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mappings have to use the same offset and the same size in both cases. The reference counting for the ringbuffer and the auxiliary buffer depends on this being correct.

Though perf does not prevent that a related mapping is split via mmap(2), munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls, which take reference counts, but then the subsequent perf_mmap_close() calls are no longer fulfilling the offset and size checks. This leads to reference count leaks.

As perf already has the requirement for subsequent mappings to match the initial mapping, the obvious consequence is that VMA splits, caused by resizing of a mapping or partial unmapping, have to be prevented.

Implement the vm_operations_struct::may_split() callback and return unconditionally -EINVAL.

That ensures that the mapping offsets and sizes cannot be changed after the fact. Remapping to a different fixed address with the same size is still possible as it takes the references for the new mapping and drops those of the old mapping.
CREATE(Triage):(User=lchen-cn) CVE-2025-38563 (https://nvd.nist.gov/vuln/detail/CVE-2025-38563)
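The reference accounting described in the commit message above, as an added user-space model that is not kernel code and not part of the original record. It assumes a single counter and one buffer, and every `model_*` name, struct and field is hypothetical; only the open/close/may_split roles come from the description.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model (assumption): one buffer with one reference counter. */
struct buf { unsigned long pgoff, pages; int refs; };
struct vma { unsigned long pgoff, pages; struct buf *b; int guarded; };

/* Role of perf_mmap_open(): every new VMA takes a reference. */
static void model_open(struct vma *v) { v->b->refs++; }

/* Role of perf_mmap_close(): the reference is dropped only while the
 * VMA still has the offset and size of the initial mapping. */
static void model_close(struct vma *v) {
    if (v->pgoff == v->b->pgoff && v->pages == v->b->pages)
        v->b->refs--;
}

/* Role of vm_operations_struct::may_split(): the fix always refuses. */
static int model_may_split(const struct vma *v) { return v->guarded ? -EINVAL : 0; }

/* Partial unmap of the first `cut` pages: split, then close the head. */
static int model_partial_unmap(struct vma *v, unsigned long cut, struct vma *tail) {
    int err = model_may_split(v);
    if (err) return err;                 /* split refused, VMA unchanged */
    *tail = *v;
    tail->pgoff = v->pgoff + cut;
    tail->pages = v->pages - cut;
    model_open(tail);                    /* split: open() on the new VMA */
    v->pages = cut;
    model_close(v);                      /* head fails the size check */
    return 0;
}

/* Map 4 pages, try to unmap page 0, then unmap what is left.
 * Returns the references still held after everything is unmapped. */
static int leaked_refs(int guarded, int *split_err) {
    struct buf b = { 0, 4, 0 };          /* constructed sample geometry */
    struct vma v = { 0, 4, &b, guarded }, tail;
    model_open(&v);                      /* initial mmap */
    *split_err = model_partial_unmap(&v, 1, &tail);
    if (*split_err == 0) model_close(&tail);  /* tail fails the offset check */
    else model_close(&v);                     /* intact VMA passes both checks */
    return b.refs;
}

int main(void) {
    int e, n = leaked_refs(0, &e);
    printf("no may_split:   leaked=%d split_err=%d\n", n, e);
    n = leaked_refs(1, &e);
    printf("with may_split: leaked=%d split_err=%d\n", n, e);
    return 0;
}
```
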