CVE-2025-38256

In the Linux kernel, the following vulnerability has been resolved:

io_uring/rsrc: fix folio unpinning

syzbot complains about an unmapping failure:

[ 108.070381][ T14] kernel BUG at mm/gup.c:71! [ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025 [ 108.127458][ T14] Workqueue: iouexit ioringexitwork [ 108.174205][ T14] Call trace: [ 108.175649][ T14] sanitycheckpinnedpages+0x7cc/0x7d0 (P) [ 108.178138][ T14] unpinuserpage+0x80/0x10c [ 108.180189][ T14] ioreleaseubuf+0x84/0xf8 [ 108.182196][ T14] iofreersrcnode+0x250/0x57c [ 108.184345][ T14] iorsrcdatafree+0x148/0x298 [ 108.186493][ T14] iosqebuffersunregister+0x84/0xa0 [ 108.188991][ T14] ioringctxfree+0x48/0x480 [ 108.191057][ T14] ioringexitwork+0x764/0x7d8 [ 108.193207][ T14] processonework+0x7e8/0x155c [ 108.195431][ T14] workerthread+0x958/0xed8 [ 108.197561][ T14] kthread+0x5fc/0x75c [ 108.199362][ T14] retfrom_fork+0x10/0x20

We can pin a tail page of a folio, but then iouring will try to unpin the head page of the folio. While it should be fine in terms of keeping the page actually alive, mm folks say it's wrong and triggers a debug warning. Use unpinuserfolio() instead of unpinuser_page*.

[axboe: adapt to current tree, massage commit message]