PT-2026-47383 · Linux · Linux

Published 2026-06-08 · Updated 2026-06-08 · CVE-2026-46312


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
media: videobuf2: Set vma flags in vb2_dma_sg_mmap
vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not see a reason why vb2_dma_sg should behave differently. This avoids hitting WARN_ON(!(vma->vm_flags & VM_DONTEXPAND)); in drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of tree Apple ISP camera capture driver which uses vb2_dma_sg_memops.
gst-launch-1.0 v4l2src ! gtk4paintablesink
[ 38.201528] ------------[ cut here ]------------
[ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210
[ 38.203278] Modules linked in: rfcomm snd seq dummy snd hrtimer snd seq snd seq device uinput nf conntrack netbios ns nf conntrack broadcast nft fib inet nft fib ipv4 nft fib ipv6 nft fib nft reject inet nf reject ipv6 nft reject nft ct nft chain nat nf nat nf conntrack nf defrag ipv6 nf defrag ipv4 nf tables qrtr bnep nls ascii i2c dev loop fuse dm multipath nfnetlink brcmfmac wcc hid magicmouse hci bcm4377 brcmfmac brcmutil bluetooth ecdh generic cfg80211 ecc btrfs xor xor neon rfkill hid apple raid6 pq joydev aop als apple nvmem spmi industrialio snd soc aop apple z2 snd soc cs42l84 tps6598x snd soc tas2764 macsmc reboot spi nor macsmc hwmon rtc macsmc gpio macsmc macsmc power regmap spmi macsmc input dockchannel hid panel summit appledrm nvme apple dwc3 snd soc macaudio drm client lib nvme core phy apple atc hwmon apple sart apple dockchannel macsmc apple rtkit helper spmi apple controller aop apple wdt mfd core nvmem apple efuses pinctrl apple gpio apple isp apple dcp videobuf2 dma sg mux core spi apple
[ 38.203300] videobuf2 memops i2c pasemi platform snd soc apple mca videobuf2 v4l2 videodev clk apple nco videobuf2 common snd pcm dmaengine adpdrm asahi apple admac adpdrm mipi drm dma helper pwm apple i2c pasemi core drm display helper mc cec apple dart ofpart apple soc cpufreq leds pwm phram
[ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full)
[ 38.219040] Tainted: [W]=WARN
[ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT)
[ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210
[ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210
[ 38.222178] sp : ffffc0008dc678e0
[ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480
[ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968
[ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0
[ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968
[ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8
[ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff
[ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8
[ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000
[ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038
[ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb
[ 38.231488] Call trace:
[ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P)
[ 38.232342] drm_gem_mmap+0x140/0x260
[ 38.232813] __mmap_region+0x488/0x9a0
[ 38.233277] mmap_region+0xd0/0x148
[ 38.233703] do_mmap+0x350/0x5c0
[ 38.234148] vm_mmap_pgoff+0x14c/0x200
[ 38.234612] ksys_mmap_pgoff+0x150/0x208
[ 38.235107] __arm64_sys_mmap+0x34/0x50
[ 38.235611] invoke_syscall+0x50/0x120
[ 38.236075] el0_svc_common.constprop.0+0x48/0xf0
[ 38.236680] do_el0_svc+0x24/0x38
[ 38.237113] el0_svc+0x38/0x168
[ 38.237507] el0t_64_sync_handler+0xa0/0xe8
[ 38.238034] el0t_64_sync+0x198/0x1a0
[ 38.238491] ---[ end trace 0000000000000000 ]---
There were discussions in [1] at the end of 2023 that mmap() on imported ---truncated---
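
One way to check from user space whether a process's buffer mappings carry the two flags named above, as an added example that is not part of the kernel commit or of this advisory: the kernel reports per-mapping flags in the VmFlags line of /proc/<pid>/smaps, where `de` stands for VM_DONTEXPAND and `dd` for VM_DONTDUMP. The path substrings used to select mappings and the sample smaps text are assumptions constructed for illustration.

```python
import re

# Header line of a /proc/<pid>/smaps entry: "start-end perms offset dev inode path"
_HDR = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) [0-9a-f]+ \S+ \d+\s*(.*)$")
# Two-letter VmFlags codes documented in Documentation/filesystems/proc.rst
REQUIRED = {"de": "VM_DONTEXPAND", "dd": "VM_DONTDUMP"}


def parse_smaps(text):
    """Yield (start, end, perms, path, flags) for every mapping in smaps text."""
    current = None
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [int(m[1], 16), int(m[2], 16), m[3], m[4].strip(), frozenset()]
        elif current and line.startswith("VmFlags:"):
            current[4] = frozenset(line.split()[1:])
    if current:
        yield tuple(current)


def missing_flags(text, path_patterns):
    """Return {(start, path): [missing flag names]} for mappings whose path
    contains one of path_patterns and that lack VM_DONTEXPAND/VM_DONTDUMP."""
    findings = {}
    for start, _end, _perms, path, flags in parse_smaps(text):
        if any(p in path for p in path_patterns):
            lacking = [name for code, name in REQUIRED.items() if code not in flags]
            if lacking:
                findings[(start, path)] = lacking
    return findings


# Constructed sample (not captured from a real system): one buffer mapping
# without the flags, one with them, and an unrelated library mapping.
SAMPLE = """\
ffff90000000-ffff90400000 rw-s 00000000 00:0f 1034 /dmabuf:
VmFlags: rd wr sh mr mw me ms
ffff91000000-ffff91400000 rw-s 00000000 00:06 612 /dev/video0
VmFlags: rd wr sh mr mw me ms de dd
ffffa0000000-ffffa0020000 r-xp 00000000 103:02 7731 /usr/lib/libc.so.6
VmFlags: rd ex mr mw me
"""

if __name__ == "__main__":
    for (start, path), lacking in missing_flags(SAMPLE, ("dmabuf", "/dev/video")).items():
        print(f"{start:#x} {path}: missing {', '.join(lacking)}")
```

To inspect a live process, pass the contents of /proc/<pid>/smaps for the capture application instead of SAMPLE.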

Related Identifiers

CVE-2026-46312

Affected Products

Linux