In the Linux kernel, the following vulnerability has been resolved:
media: videobuf2: Set vmaflags in vb2dmasgmmap
vb2dmacontig sets VMA flags VMDONTEXPAND and VMDONTDUMP and I do not
see a reason why vb2dmasg should behave differently. This avoids
hitting WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)); in
drmgemmmapobj() during mmap() of an imported dma-buf from the out of
tree Apple ISP camera capture driver which uses vb2dmasgmemops.
gst-launch-1.0 v4l2src ! gtk4paintablesink
[ 38.201528] ------------[ cut here ]------------ [ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drmgem.c:1144 drmgemmmapobj+0x1f8/0x210 [ 38.203278] Modules linked in: rfcomm sndseqdummy sndhrtimer sndseq sndseqdevice uinput nfconntracknetbiosns nfconntrackbroadcast nftfibinet nftfibipv4 nftfibipv6 nftfib nftrejectinet nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 nftables qrtr bnep nlsascii i2cdev loop fuse dmmultipath nfnetlink brcmfmacwcc hidmagicmouse hcibcm4377 brcmfmac brcmutil bluetooth ecdhgeneric cfg80211 ecc btrfs xor xorneon rfkill hidapple raid6pq joydev aopals applenvmemspmi industrialio sndsocaop applez2 sndsoccs42l84 tps6598x sndsoctas2764 macsmcreboot spinor macsmchwmon rtcmacsmc gpiomacsmc macsmcpower regmapspmi macsmcinput dockchannelhid panelsummit appledrm nvmeapple dwc3 sndsocmacaudio drmclientlib nvmecore phyappleatc hwmon applesart appledockchannel macsmc applertkithelper spmiapplecontroller aop applewdt mfdcore nvmemappleefuses pinctrlapplegpio appleisp appledcp videobuf2dmasg muxcore spiapple [ 38.203300] videobuf2memops i2cpasemiplatform sndsocapplemca videobuf2v4l2 videodev clkapplenco videobuf2common sndpcmdmaengine adpdrm asahi appleadmac adpdrmmipi drmdmahelper pwmapple i2cpasemicore drmdisplayhelper mc cec appledart ofpart applesoccpufreq ledspwm phram [ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full) [ 38.219040] Tainted: [W]=WARN [ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) [ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 38.221088] pc : drmgemmmapobj+0x1f8/0x210 [ 38.221643] lr : drmgemmmapobj+0x78/0x210 [ 38.222178] sp : ffffc0008dc678e0 [ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480 [ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968 [ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0 [ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968 [ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8 [ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff [ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8 [ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000 [ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038 [ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb [ 38.231488] Call trace: [ 38.231806] drmgemmmapobj+0x1f8/0x210 (P) [ 38.232342] drmgem_mmap+0x140/0x260 [ 38.232813] __mmapregion+0x488/0x9a0 [ 38.233277] mmapregion+0xd0/0x148 [ 38.233703] dommap+0x350/0x5c0 [ 38.234148] vmmmappgoff+0x14c/0x200 [ 38.234612] ksysmmap_pgoff+0x150/0x208 [ 38.235107] _arm64sysmmap+0x34/0x50 [ 38.235611] invokesyscall+0x50/0x120 [ 38.236075] el0svccommon.constprop.0+0x48/0xf0 [ 38.236680] doel0svc+0x24/0x38 [ 38.237113] el0svc+0x38/0x168 [ 38.237507] el0t64synchandler+0xa0/0xe8 [ 38.238034] el0t64sync+0x198/0x1a0 [ 38.238491] ---[ end trace 0000000000000000 ]---
There were discussions in [1] at the end of 2023 that mmap() on imported ---truncated---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46312.json",
"cna_assigner": "Linux"
}