CVE-2025-21709

In the Linux kernel, the following vulnerability has been resolved:

kernel: be more careful about dup_mmap() failures and uprobe registering

If a memory allocation fails during dupmmap(), the maple tree can be left in an unsafe state for other iterators besides the exit path. All the locks are dropped before the exitmmap() call (in mm/mmap.c), but the incomplete mmstruct can be reached through (at least) the rmap finding the vmas which have a pointer back to the mmstruct.

Up to this point, there have been no issues with being able to find an mmstruct that was only partially initialised. Syzbot was able to make the incomplete mmstruct fail with recent forking changes, so it has been proven unsafe to use the mm_struct that hasn't been initialised, as referenced in the link below.

Although 8ac662f5da19f ("fork: avoid inappropriate uprobe access to invalid mm") fixed the uprobe access, it does not completely remove the race.

This patch sets the MMFOOMSKIP to avoid the iteration of the vmas on the oom side (even though this is extremely unlikely to be selected as an oom victim in the race window), and sets MMFUNSTABLE to avoid other potential users from using a partially initialised mmstruct.

When registering vmas for uprobe, skip the vmas in an mm that is marked unstable. Modifying a vma in an unstable mm may cause issues if the mm isn't fully initialised.