CVE-2025-39992

In the Linux kernel, the following vulnerability has been resolved:

mm: swap: check for stable address space before operating on the VMA

It is possible to hit a zero entry while traversing the vmas in unuse_mm() called from swapoff path and accessing it causes the OOPS:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000446--> Loading the memory from offset 0x40 on the XAZEROENTRY as address. Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault

The issue is manifested from the below race between the fork() on a process and swapoff: fork(dupmmap()) swapoff(unusemm) --------------- ----------------- 1) Identical mtree is built using _mtdup().

2) copypterange()--> copynonpresentpte(): The dst mm is added into the mmlist to be visible to the swapoff operation.

3) Fatal signal is sent to the parent process(which is the current during the fork) thus skip the duplication of the vmas and mark the vma range with XAZEROENTRY as a marker for this process that helps during exit_mmap().

                 4) swapoff is tried on the
                'mm' added to the 'mmlist' as
                part of the 2.

                 5) unuse_mm(), that iterates
                through the vma's of this 'mm'
                will hit the non-NULL zero entry
                and operating on this zero entry
                as a vma is resulting into the
                oops.

The proper fix would be around not exposing this partially-valid tree to others when droping the mmap lock, which is being solved with [1]. A simpler solution would be checking for MMFUNSTABLE, as it is set if mmstruct is not fully initialized in dup_mmap().

Thanks to Liam/Lorenzo/David for all the suggestions in fixing this issue.