Commit 5bfe17d

Advisory Database Sync
1 parent c7f3a97 commit 5bfe17d

File tree

64 files changed

+792
-201
lines changed


advisories/unreviewed/2025/02/GHSA-25pf-8cvh-53fj/GHSA-25pf-8cvh-53fj.json

Lines changed: 11 additions & 4 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-25pf-8cvh-53fj",
4-
"modified": "2025-02-27T03:34:03Z",
4+
"modified": "2025-10-28T21:30:26Z",
55
"published": "2025-02-27T03:34:03Z",
66
"aliases": [
77
"CVE-2024-58019"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvkm/gsp: correctly advance the read pointer of GSP message queue\n\nA GSP event message consists three parts: message header, RPC header,\nmessage body. GSP calculates the number of pages to write from the\ntotal size of a GSP message. This behavior can be observed from the\nmovement of the write pointer.\n\nHowever, nvkm takes only the size of RPC header and message body as\nthe message size when advancing the read pointer. When handling a\ntwo-page GSP message in the non rollback case, It wrongly takes the\nmessage body of the previous message as the message header of the next\nmessage. As the \"message length\" tends to be zero, in the calculation of\nsize needs to be copied (0 - size of (message header)), the size needs to\nbe copied will be \"0xffffffxx\". It also triggers a kernel panic due to a\nNULL pointer error.\n\n[ 547.614102] msg: 00000f90: ff ff ff ff ff ff ff ff 40 d7 18 fb 8b 00 00 00 ........@.......\n[ 547.622533] msg: 00000fa0: 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................\n[ 547.630965] msg: 00000fb0: ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff ................\n[ 547.639397] msg: 00000fc0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................\n[ 547.647832] nvkm 0000:c1:00.0: gsp: peek msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[ 547.655225] nvkm 0000:c1:00.0: gsp: get msg rpc fn:0 len:0x0/0xffffffffffffffe0\n[ 547.662532] BUG: kernel NULL pointer dereference, address: 0000000000000020\n[ 547.669485] #PF: supervisor read access in kernel mode\n[ 547.674624] #PF: error_code(0x0000) - not-present page\n[ 547.679755] PGD 0 P4D 0\n[ 547.682294] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 547.686643] CPU: 22 PID: 322 Comm: kworker/22:1 Tainted: G E 6.9.0-rc6+ #1\n[ 547.694893] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022\n[ 547.702626] Workqueue: events r535_gsp_msgq_work [nvkm]\n[ 547.707921] RIP: 
0010:r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[ 547.713375] Code: 00 8b 70 08 48 89 e1 31 d2 4c 89 f7 e8 12 f5 ff ff 48 89 c5 48 85 c0 0f 84 cf 00 00 00 48 81 fd 00 f0 ff ff 0f 87 c4 00 00 00 <8b> 55 10 41 8b 46 30 85 d2 0f 85 f6 00 00 00 83 f8 04 76 10 ba 05\n[ 547.732119] RSP: 0018:ffffabe440f87e10 EFLAGS: 00010203\n[ 547.737335] RAX: 0000000000000010 RBX: 0000000000000008 RCX: 000000000000003f\n[ 547.744461] RDX: 0000000000000000 RSI: ffffabe4480a8030 RDI: 0000000000000010\n[ 547.751585] RBP: 0000000000000010 R08: 0000000000000000 R09: ffffabe440f87bb0\n[ 547.758707] R10: ffffabe440f87dc8 R11: 0000000000000010 R12: 0000000000000000\n[ 547.765834] R13: 0000000000000000 R14: ffff9351df1e5000 R15: 0000000000000000\n[ 547.772958] FS: 0000000000000000(0000) GS:ffff93708eb00000(0000) knlGS:0000000000000000\n[ 547.781035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 547.786771] CR2: 0000000000000020 CR3: 00000003cc220002 CR4: 0000000000770ef0\n[ 547.793896] PKRU: 55555554\n[ 547.796600] Call Trace:\n[ 547.799046] <TASK>\n[ 547.801152] ? __die+0x20/0x70\n[ 547.804211] ? page_fault_oops+0x75/0x170\n[ 547.808221] ? print_hex_dump+0x100/0x160\n[ 547.812226] ? exc_page_fault+0x64/0x150\n[ 547.816152] ? asm_exc_page_fault+0x22/0x30\n[ 547.820341] ? r535_gsp_msg_recv+0x87/0x230 [nvkm]\n[ 547.825184] r535_gsp_msgq_work+0x42/0x50 [nvkm]\n[ 547.829845] process_one_work+0x196/0x3d0\n[ 547.833861] worker_thread+0x2fc/0x410\n[ 547.837613] ? __pfx_worker_thread+0x10/0x10\n[ 547.841885] kthread+0xdf/0x110\n[ 547.845031] ? __pfx_kthread+0x10/0x10\n[ 547.848775] ret_from_fork+0x30/0x50\n[ 547.852354] ? 
__pfx_kthread+0x10/0x10\n[ 547.856097] ret_from_fork_asm+0x1a/0x30\n[ 547.860019] </TASK>\n[ 547.862208] Modules linked in: nvkm(E) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) amd64_edac(E) mlx5_ib(E) edac_mce_amd(E) kvm_amd\n---truncated---",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
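Review bot: `PR:L` in the new severity block is not backed by anything in the details: the oops is in `r535_gsp_msgq_work`, a kworker consuming GSP event messages from the GPU firmware queue, and no local user action that provokes the mis-sized read is described. Either state the trigger that an unprivileged local user controls or leave the vector unset. Two lines below, `"affected": []` is still empty after this sync, so consumers that match on version ranges will never surface this entry; the fixed kernel range should land together with the score rather than after it.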
@@ -28,8 +33,10 @@
2833
}
2934
],
3035
"database_specific": {
31-
"cwe_ids": [],
32-
"severity": null,
36+
"cwe_ids": [
37+
"CWE-476"
38+
],
39+
"severity": "MODERATE",
3340
"github_reviewed": false,
3441
"github_reviewed_at": null,
3542
"nvd_published_at": "2025-02-27T03:15:12Z"
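Review bot: `CWE-476` only classifies the final NULL dereference; the details also describe the copy length underflowing before the crash (`len:0x0/0xffffffffffffffe0`, i.e. 0 minus the header size), which is an integer underflow (CWE-191) that produces an out-of-bounds copy size. Listing both tags classifies the root cause instead of only the symptom.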

advisories/unreviewed/2025/02/GHSA-2q85-cv3g-7mxp/GHSA-2q85-cv3g-7mxp.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2q85-cv3g-7mxp",
4-
"modified": "2025-02-27T03:34:04Z",
4+
"modified": "2025-10-28T21:30:27Z",
55
"published": "2025-02-27T03:34:04Z",
66
"aliases": [
77
"CVE-2025-21747"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ast: astdp: Fix timeout for enabling video signal\n\nThe ASTDP transmitter sometimes takes up to 1 second for enabling the\nvideo signal, while the timeout is only 200 msec. This results in a\nkernel error message. Increase the timeout to 1 second. An example\nof the error message is shown below.\n\n[ 697.084433] ------------[ cut here ]------------\n[ 697.091115] ast 0000:02:00.0: [drm] drm_WARN_ON(!__ast_dp_wait_enable(ast, enabled))\n[ 697.091233] WARNING: CPU: 1 PID: 160 at drivers/gpu/drm/ast/ast_dp.c:232 ast_dp_set_enable+0x123/0x140 [ast]\n[...]\n[ 697.272469] RIP: 0010:ast_dp_set_enable+0x123/0x140 [ast]\n[...]\n[ 697.415283] Call Trace:\n[ 697.420727] <TASK>\n[ 697.425908] ? show_trace_log_lvl+0x196/0x2c0\n[ 697.433304] ? show_trace_log_lvl+0x196/0x2c0\n[ 697.440693] ? drm_atomic_helper_commit_modeset_enables+0x30a/0x470\n[ 697.450115] ? ast_dp_set_enable+0x123/0x140 [ast]\n[ 697.458059] ? __warn.cold+0xaf/0xca\n[ 697.464713] ? ast_dp_set_enable+0x123/0x140 [ast]\n[ 697.472633] ? report_bug+0x134/0x1d0\n[ 697.479544] ? handle_bug+0x58/0x90\n[ 697.486127] ? exc_invalid_op+0x13/0x40\n[ 697.492975] ? asm_exc_invalid_op+0x16/0x20\n[ 697.500224] ? preempt_count_sub+0x14/0xc0\n[ 697.507473] ? ast_dp_set_enable+0x123/0x140 [ast]\n[ 697.515377] ? ast_dp_set_enable+0x123/0x140 [ast]\n[ 697.523227] drm_atomic_helper_commit_modeset_enables+0x30a/0x470\n[ 697.532388] drm_atomic_helper_commit_tail+0x58/0x90\n[ 697.540400] ast_mode_config_helper_atomic_commit_tail+0x30/0x40 [ast]\n[ 697.550009] commit_tail+0xfe/0x1d0\n[ 697.556547] drm_atomic_helper_commit+0x198/0x1c0\n\nThis is a cosmetical problem. Enabling the video signal still works\neven with the error message. The problem has always been present, but\nonly recent versions of the ast driver warn about missing the timeout.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
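Review bot: `A:H` contradicts the advisory's own details, which end with "This is a cosmetical problem. Enabling the video signal still works even with the error message." The trace is a `drm_WARN_ON` fired by a 200 msec timeout that was simply too short; no crash or loss of service is described, so an availability impact of High is not supportable. The identical vector `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` appears on every advisory in this sync, which looks like a bulk default rather than per-issue triage; this entry should be scored `A:N` or `A:L` with a matching rating, or left unscored.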
@@ -25,7 +30,7 @@
2530
],
2631
"database_specific": {
2732
"cwe_ids": [],
28-
"severity": null,
33+
"severity": "MODERATE",
2934
"github_reviewed": false,
3035
"github_reviewed_at": null,
3136
"nvd_published_at": "2025-02-27T03:15:15Z"
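Review bot: `"severity": "MODERATE"` is set here while `cwe_ids` stays `[]` and the details describe a cosmetic warning. The database_specific rating should track the actual impact, so LOW, or leaving it null until the vector is revisited, is the consistent choice for this entry.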

advisories/unreviewed/2025/02/GHSA-49m4-j2fj-6qvh/GHSA-49m4-j2fj-6qvh.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-49m4-j2fj-6qvh",
4-
"modified": "2025-02-27T03:34:05Z",
4+
"modified": "2025-10-28T21:30:28Z",
55
"published": "2025-02-27T03:34:05Z",
66
"aliases": [
77
"CVE-2025-21771"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix incorrect autogroup migration detection\n\nscx_move_task() is called from sched_move_task() and tells the BPF scheduler\nthat cgroup migration is being committed. sched_move_task() is used by both\ncgroup and autogroup migrations and scx_move_task() tried to filter out\nautogroup migrations by testing the destination cgroup and PF_EXITING but\nthis is not enough. In fact, without explicitly tagging the thread which is\ndoing the cgroup migration, there is no good way to tell apart\nscx_move_task() invocations for racing migration to the root cgroup and an\nautogroup migration.\n\nThis led to scx_move_task() incorrectly ignoring a migration from non-root\ncgroup to an autogroup of the root cgroup triggering the following warning:\n\n WARNING: CPU: 7 PID: 1 at kernel/sched/ext.c:3725 scx_cgroup_can_attach+0x196/0x340\n ...\n Call Trace:\n <TASK>\n cgroup_migrate_execute+0x5b1/0x700\n cgroup_attach_task+0x296/0x400\n __cgroup_procs_write+0x128/0x140\n cgroup_procs_write+0x17/0x30\n kernfs_fop_write_iter+0x141/0x1f0\n vfs_write+0x31d/0x4a0\n __x64_sys_write+0x72/0xf0\n do_syscall_64+0x82/0x160\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFix it by adding an argument to sched_move_task() that indicates whether the\nmoving is for a cgroup or autogroup migration. After the change,\nscx_move_task() is called only for cgroup migrations and renamed to\nscx_cgroup_move_task().",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
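Review bot: `A:H` is overstated for what the details describe: the failure is a `WARNING` at `kernel/sched/ext.c:3725` in `scx_cgroup_can_attach`, and the text says the migration was "incorrectly ignored", not that the kernel crashed. The trace also shows the trigger is a write to `cgroup.procs` (`cgroup_procs_write` via `vfs_write`), which needs write access to the cgroup hierarchy, so `PR:L` should be justified against that rather than assumed. Since the fix changes the `sched_move_task()` signature, a backport has to update the autogroup caller as well as the cgroup one.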
@@ -29,7 +34,7 @@
2934
],
3035
"database_specific": {
3136
"cwe_ids": [],
32-
"severity": null,
37+
"severity": "MODERATE",
3338
"github_reviewed": false,
3439
"github_reviewed_at": null,
3540
"nvd_published_at": "2025-02-27T03:15:17Z"

advisories/unreviewed/2025/02/GHSA-5v2w-fx47-6rq2/GHSA-5v2w-fx47-6rq2.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-5v2w-fx47-6rq2",
4-
"modified": "2025-03-13T15:32:52Z",
4+
"modified": "2025-10-28T21:30:28Z",
55
"published": "2025-02-27T03:34:06Z",
66
"aliases": [
77
"CVE-2025-21781"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix panic during interface removal\n\nReference counting is used to ensure that\nbatadv_hardif_neigh_node and batadv_hard_iface\nare not freed before/during\nbatadv_v_elp_throughput_metric_update work is\nfinished.\n\nBut there isn't a guarantee that the hard if will\nremain associated with a soft interface up until\nthe work is finished.\n\nThis fixes a crash triggered by reboot that looks\nlike this:\n\nCall trace:\n batadv_v_mesh_free+0xd0/0x4dc [batman_adv]\n batadv_v_elp_throughput_metric_update+0x1c/0xa4\n process_one_work+0x178/0x398\n worker_thread+0x2e8/0x4d0\n kthread+0xd8/0xdc\n ret_from_fork+0x10/0x20\n\n(the batadv_v_mesh_free call is misleading,\nand does not actually happen)\n\nI was able to make the issue happen more reliably\nby changing hardif_neigh->bat_v.metric_work work\nto be delayed work. This allowed me to track down\nand confirm the fix.\n\n[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without\n soft_iface]",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
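Review bot: `PR:L`/`AC:L` do not match the trigger described: the panic happens during interface removal and was reproduced "by reboot", both administrative actions, and the author had to convert the work item to delayed work to hit it reliably, which points to a narrow race window. Availability High is fair for a kernel panic, but the privilege component should be `PR:H` unless the score explains how an unprivileged user detaches a batman-adv hard interface.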
@@ -49,7 +54,7 @@
4954
],
5055
"database_specific": {
5156
"cwe_ids": [],
52-
"severity": null,
57+
"severity": "MODERATE",
5358
"github_reviewed": false,
5459
"github_reviewed_at": null,
5560
"nvd_published_at": "2025-02-27T03:15:18Z"
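Review bot: `cwe_ids` stays `[]` although the details classify the bug clearly: the `batadv_v_elp_throughput_metric_update` work item runs after the hard interface has been detached from its soft interface (the appended note says "prevent entering batadv_v_elp_get_throughput without soft_iface"), a race between interface teardown and a still-running work item (CWE-362) ending in an invalid dereference. Tagging it helps downstream filtering more than the severity string does.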

advisories/unreviewed/2025/02/GHSA-6m6q-fm24-h726/GHSA-6m6q-fm24-h726.json

Lines changed: 11 additions & 4 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-6m6q-fm24-h726",
4-
"modified": "2025-02-27T03:34:05Z",
4+
"modified": "2025-10-28T21:30:27Z",
55
"published": "2025-02-27T03:34:04Z",
66
"aliases": [
77
"CVE-2025-21750"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the return value of of_property_read_string_index()\n\nSomewhen between 6.10 and 6.11 the driver started to crash on my\nMacBookPro14,3. The property doesn't exist and 'tmp' remains\nuninitialized, so we pass a random pointer to devm_kstrdup().\n\nThe crash I am getting looks like this:\n\nBUG: unable to handle page fault for address: 00007f033c669379\nPF: supervisor read access in kernel mode\nPF: error_code(0x0001) - permissions violation\nPGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025\nOops: Oops: 0001 [#1] SMP PTI\nCPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1\nHardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024\nRIP: 0010:strlen+0x4/0x30\nCode: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc\nRSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202\nRAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001\nRDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379\nRBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a\nR10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8\nR13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30\nFS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n ? __die+0x23/0x70\n ? page_fault_oops+0x149/0x4c0\n ? raw_spin_rq_lock_nested+0xe/0x20\n ? sched_balance_newidle+0x22b/0x3c0\n ? update_load_avg+0x78/0x770\n ? exc_page_fault+0x6f/0x150\n ? 
asm_exc_page_fault+0x26/0x30\n ? __pfx_pci_conf1_write+0x10/0x10\n ? strlen+0x4/0x30\n devm_kstrdup+0x25/0x70\n brcmf_of_probe+0x273/0x350 [brcmfmac]",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
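Review bot: `AV:L`/`PR:L` describe an attacker the details do not: the oops is in `brcmf_of_probe` via `devm_kstrdup`, running in `(udev-worker)` during driver probe on a MacBookPro14,3 whose device tree lacks the property. The bug fires on module load for affected hardware, not on any user-supplied input, so the score should state what a low-privileged local user does to trigger it or the vector should be left unset.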
@@ -36,8 +41,10 @@
3641
}
3742
],
3843
"database_specific": {
39-
"cwe_ids": [],
40-
"severity": null,
44+
"cwe_ids": [
45+
"CWE-476"
46+
],
47+
"severity": "MODERATE",
4148
"github_reviewed": false,
4249
"github_reviewed_at": null,
4350
"nvd_published_at": "2025-02-27T03:15:15Z"
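Review bot: `CWE-476` is the wrong class here: the details say `tmp` "remains uninitialized, so we pass a random pointer to devm_kstrdup()", and the faulting address in the oops is `00007f033c669379`, a non-NULL userspace address, not a NULL dereference. The unchecked `of_property_read_string_index()` return value and the resulting use of an uninitialized pointer map to CWE-252 and CWE-457; swap CWE-476 for those.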

advisories/unreviewed/2025/02/GHSA-7r26-6h4q-5x56/GHSA-7r26-6h4q-5x56.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-7r26-6h4q-5x56",
4-
"modified": "2025-03-13T15:32:51Z",
4+
"modified": "2025-10-28T21:30:28Z",
55
"published": "2025-02-27T03:34:05Z",
66
"aliases": [
77
"CVE-2025-21766"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: use RCU protection in __ip_rt_update_pmtu()\n\n__ip_rt_update_pmtu() must use RCU protection to make\nsure the net structure it reads does not disappear.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
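Review bot: `AV:L` should be checked before this score lands. The only detail given is that `__ip_rt_update_pmtu()` reads a `net` structure without RCU protection; that function is the IPv4 path-MTU update, and PMTU updates are normally driven by received ICMP, so the reachable surface may be network rather than local. If the vector is kept as Local, the entry should say what local action reaches the unprotected read.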
@@ -41,7 +46,7 @@
4146
],
4247
"database_specific": {
4348
"cwe_ids": [],
44-
"severity": null,
49+
"severity": "MODERATE",
4550
"github_reviewed": false,
4651
"github_reviewed_at": null,
4752
"nvd_published_at": "2025-02-27T03:15:17Z"
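Review bot: `cwe_ids` remains `[]` for a bug whose description is a textbook lifetime race: the `net` structure can "disappear" while being read because the reader is not inside an RCU read-side section, which is a use-after-free under a race condition (CWE-416, CWE-362). Add the classification while the entry is being touched.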

advisories/unreviewed/2025/02/GHSA-9964-v64g-g4c3/GHSA-9964-v64g-g4c3.json

Lines changed: 11 additions & 4 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9964-v64g-g4c3",
4-
"modified": "2025-02-27T15:31:51Z",
4+
"modified": "2025-10-28T21:30:27Z",
55
"published": "2025-02-27T03:34:04Z",
66
"aliases": [
77
"CVE-2025-21746"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: synaptics - fix crash when enabling pass-through port\n\nWhen enabling a pass-through port an interrupt might come before psmouse\ndriver binds to the pass-through port. However synaptics sub-driver\ntries to access psmouse instance presumably associated with the\npass-through port to figure out if only 1 byte of response or entire\nprotocol packet needs to be forwarded to the pass-through port and may\ncrash if psmouse instance has not been attached to the port yet.\n\nFix the crash by introducing open() and close() methods for the port and\ncheck if the port is open before trying to access psmouse instance.\nBecause psmouse calls serio_open() only after attaching psmouse instance\nto serio port instance this prevents the potential crash.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
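Review bot: `AC:L` and `PR:L` are generous for the trigger described: an interrupt arriving on the pass-through port in the window before psmouse binds to it, i.e. hardware timing during port enable rather than an action an unprivileged user initiates. If the score stays, the entry should say how a local user provokes that window; otherwise `AC:H` (timing-dependent) is the honest component.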
@@ -32,8 +37,10 @@
3237
}
3338
],
3439
"database_specific": {
35-
"cwe_ids": [],
36-
"severity": null,
40+
"cwe_ids": [
41+
"CWE-367"
42+
],
43+
"severity": "MODERATE",
3744
"github_reviewed": false,
3845
"github_reviewed_at": null,
3946
"nvd_published_at": "2025-02-27T03:15:15Z"
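Review bot: `CWE-367` (TOCTOU) does not fit the details: there was no check at all before the fix; the sub-driver simply accessed a psmouse instance that "has not been attached to the port yet". That is a race between interrupt delivery and driver binding (CWE-362) ending in a dereference of an unattached instance (CWE-476), and the fix adds the open()/close() state check that was missing. CWE-362 is the accurate primary tag.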

advisories/unreviewed/2025/02/GHSA-9x83-7qxw-53vc/GHSA-9x83-7qxw-53vc.json

Lines changed: 8 additions & 3 deletions
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9x83-7qxw-53vc",
4-
"modified": "2025-02-27T03:34:06Z",
4+
"modified": "2025-10-28T21:30:28Z",
55
"published": "2025-02-27T03:34:06Z",
66
"aliases": [
77
"CVE-2025-21778"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Do not allow mmap() of persistent ring buffer\n\nWhen trying to mmap a trace instance buffer that is attached to\nreserve_mem, it would crash:\n\n BUG: unable to handle page fault for address: ffffe97bd00025c8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 2862f3067 P4D 2862f3067 PUD 0\n Oops: Oops: 0000 [#1] PREEMPT_RT SMP PTI\n CPU: 4 UID: 0 PID: 981 Comm: mmap-rb Not tainted 6.14.0-rc2-test-00003-g7f1a5e3fbf9e-dirty #233\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n RIP: 0010:validate_page_before_insert+0x5/0xb0\n Code: e2 01 89 d0 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 <48> 8b 46 08 a8 01 75 67 66 90 48 89 f0 8b 50 34 85 d2 74 76 48 89\n RSP: 0018:ffffb148c2f3f968 EFLAGS: 00010246\n RAX: ffff9fa5d3322000 RBX: ffff9fa5ccff9c08 RCX: 00000000b879ed29\n RDX: ffffe97bd00025c0 RSI: ffffe97bd00025c0 RDI: ffff9fa5ccff9c08\n RBP: ffffb148c2f3f9f0 R08: 0000000000000004 R09: 0000000000000004\n R10: 0000000000000000 R11: 0000000000000200 R12: 0000000000000000\n R13: 00007f16a18d5000 R14: ffff9fa5c48db6a8 R15: 0000000000000000\n FS: 00007f16a1b54740(0000) GS:ffff9fa73df00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffffe97bd00025c8 CR3: 00000001048c6006 CR4: 0000000000172ef0\n Call Trace:\n <TASK>\n ? __die_body.cold+0x19/0x1f\n ? __die+0x2e/0x40\n ? page_fault_oops+0x157/0x2b0\n ? search_module_extables+0x53/0x80\n ? validate_page_before_insert+0x5/0xb0\n ? kernelmode_fixup_or_oops.isra.0+0x5f/0x70\n ? __bad_area_nosemaphore+0x16e/0x1b0\n ? bad_area_nosemaphore+0x16/0x20\n ? do_kern_addr_fault+0x77/0x90\n ? exc_page_fault+0x22b/0x230\n ? asm_exc_page_fault+0x2b/0x30\n ? validate_page_before_insert+0x5/0xb0\n ? 
vm_insert_pages+0x151/0x400\n __rb_map_vma+0x21f/0x3f0\n ring_buffer_map+0x21b/0x2f0\n tracing_buffers_mmap+0x70/0xd0\n __mmap_region+0x6f0/0xbd0\n mmap_region+0x7f/0x130\n do_mmap+0x475/0x610\n vm_mmap_pgoff+0xf2/0x1d0\n ksys_mmap_pgoff+0x166/0x200\n __x64_sys_mmap+0x37/0x50\n x64_sys_call+0x1670/0x1d70\n do_syscall_64+0xbb/0x1d0\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe reason was that the code that maps the ring buffer pages to user space\nhas:\n\n\tpage = virt_to_page((void *)cpu_buffer->subbuf_ids[s]);\n\nAnd uses that in:\n\n\tvm_insert_pages(vma, vma->vm_start, pages, &nr_pages);\n\nBut virt_to_page() does not work with vmap()'d memory which is what the\npersistent ring buffer has. It is rather trivial to allow this, but for\nnow just disable mmap() of instances that have their ring buffer from the\nreserve_mem option.\n\nIf an mmap() is performed on a persistent buffer it will return -ENODEV\njust like it would if the .mmap field wasn't defined in the\nfile_operations structure.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
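Review bot: `PR:L`/`AC:L` are not supported by the reproducer in the details: the oops shows `UID: 0` for `mmap-rb`, and the crash needs a trace instance whose ring buffer comes from the `reserve_mem` option, which is kernel command-line configuration. tracefs is root-only in the default configuration, so `PR:H` with a note on the reserve_mem precondition is the accurate vector.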
@@ -29,7 +34,7 @@
2934
],
3035
"database_specific": {
3136
"cwe_ids": [],
32-
"severity": null,
37+
"severity": "MODERATE",
3338
"github_reviewed": false,
3439
"github_reviewed_at": null,
3540
"nvd_published_at": "2025-02-27T03:15:18Z"
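Review bot: `cwe_ids` is left `[]` for an issue the details explain precisely: `virt_to_page()` is applied to `vmap()`'d memory and the resulting bogus `struct page` pointer is dereferenced in `validate_page_before_insert`. That is an invalid pointer dereference; use CWE-476, which the other kernel-oops entries in this sync use, or a more general pointer-dereference class, rather than leaving it empty. The fix also changes behaviour for callers (mmap() on a persistent buffer now returns `-ENODEV`), which is worth a sentence in the advisory summary.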
