{"id":"CVE-2025-38207","summary":"mm: fix uprobe pte be overwritten when expanding vma","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix uprobe pte be overwritten when expanding vma\n\nPatch series \"Fix uprobe pte be overwritten when expanding vma\".\n\n\nThis patch (of 4):\n\nWe encountered a BUG alert triggered by Syzkaller as follows:\n   BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1\n\nAnd we can reproduce it with the following steps:\n1. register uprobe on file at zero offset\n2. mmap the file at zero offset:\n   addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0);\n3. mremap part of vma1 to new vma2:\n   addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE);\n4. mremap back to orig addr1:\n   mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1);\n\nIn step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2\nwith range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1\nto vma2, then unmap the vma1 range [addr1, addr1 + 4096].\n\nIn step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the\naddr range [addr1, addr1 + 4096].  Since the addr range [addr1 + 4096,\naddr1 + 8192] still maps the file, it will take vma_merge_new_range to\nexpand the range, and then do uprobe_mmap in vma_complete.  Since the\nmerged vma pgoff is also zero offset, it will install uprobe anon page to\nthe merged vma.  However, the upcomming move_page_tables step, which use\nset_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite\nthe newly uprobe pte in the merged vma, and lead that pte to be orphan.\n\nSince the uprobe pte will be remapped to the merged vma, we can remove the\nunnecessary uprobe_mmap upon merged vma.\n\nThis problem was first found in linux-6.6.y and also exists in the\ncommunity syzkaller:\nhttps://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/","modified":"2026-03-20T12:42:44.269374Z","published":"2025-07-04T13:37:27.508Z","related":["CGA-hrhc-r89q-7qhg"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38207.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2b12d06c37fd3a394376f42f026a7478d826ed63"},{"type":"WEB","url":"https://git.kernel.org/stable/c/58b83b9a9a929611a2a2e7d88f45cb0d786b7ee0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38207.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38207"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2b144498350860b6ee9dc57ff27a93ad488de5dc"},{"fixed":"58b83b9a9a929611a2a2e7d88f45cb0d786b7ee0"},{"fixed":"2b12d06c37fd3a394376f42f026a7478d826ed63"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38207.json"}}],"schema_version":"1.7.5"}