PT-2026-51978 · Linux · Linux
Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-53084
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
bpf: return VMA snapshot from task vma iterator
Holding the per-VMA lock across the BPF program body creates a lock
ordering problem when helpers acquire locks that depend on mmap_lock:
vm_lock -> i_rwsem -> mmap_lock -> vm_lock
Snapshot the VMA under the per-VMA lock in next() via memcpy(), then
drop the lock before returning. The BPF program accesses only the
snapshot.
The verifier only trusts vm_mm and vm_file pointers (see
BTF_TYPE_SAFE_TRUSTED_OR_NULL in verifier.c). vm_file is
reference-counted with get_file() under the lock and released via fput() on the
next iteration or in destroy(). vm_mm is already correct because
lock_vma_under_rcu() verifies vma->vm_mm == mm. All other pointers
are left as-is by memcpy() since the verifier treats them as untrusted.
Related Identifiers
Affected Products
Linux