CVE-2026-23380

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix WARN ON in tracing buffers mmap close

When a process forks, the child process copies the parent's VMAs but the user mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing buffers mmap close() is called twice. On the second call, user mapped is already 0, causing the function to return -ENODEV and triggering a WARN ON.

Normally, this isn't an issue as the memory is mapped with VM DONTCOPY set. But this is only a hint, and the application can call madvise(MADVISE DOFORK) which resets the VM DONTCOPY flag. When the application does that, it can trigger this issue on fork.

Fix it by incrementing the user mapped reference count without re-mapping the pages in the VMA's open callback.