CVE-2025-39992

In the Linux kernel, the following vulnerability has been resolved:

mm: swap: check for stable address space before operating on the VMA

It is possible to hit a zero entry while traversing the vmas in unuse_mm()
called from swapoff path and accessing it causes the OOPS:

Unable to handle kernel NULL pointer dereference at virtual address
0000000000000446–> Loading the memory from offset 0x40 on the
XA_ZERO_ENTRY as address.
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault

The issue is manifested from the below race between the fork() on a
process and swapoff:
fork(dup_mmap()) swapoff(unuse_mm)
————— —————–
1) Identical mtree is built using
__mt_dup().

2) copy_pte_range()–>
copy_nonpresent_pte():
The dst mm is added into the
mmlist to be visible to the
swapoff operation.

3) Fatal signal is sent to the parent
process(which is the current during the
fork) thus skip the duplication of the
vmas and mark the vma range with
XA_ZERO_ENTRY as a marker for this process
that helps during exit_mmap().

4) swapoff is tried on the
‘mm’ added to the ‘mmlist’ as
part of the 2.

5) unuse_mm(), that iterates
through the vma’s of this ‘mm’
will hit the non-NULL zero entry
and operating on this zero entry
as a vma is resulting into the
oops.

The proper fix would be around not exposing this partially-valid tree to
others when droping the mmap lock, which is being solved with [1]. A
simpler solution would be checking for MMF_UNSTABLE, as it is set if
mm_struct is not fully initialized in dup_mmap().

Thanks to Liam/Lorenzo/David for all the suggestions in fixing this
issue.