Message-ID: <2025050958-CVE-2025-37868-0fc6@gregkh>
Date: Fri, 9 May 2025 08:44:02 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-37868: drm/xe/userptr: fix notifier vs folio deadlock
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/userptr: fix notifier vs folio deadlock

User is reporting what smells like notifier vs folio deadlock, where
migrate_pages_batch() on core kernel side is holding folio lock(s) and
then interacting with the mappings of it, however those mappings are
tied to some userptr, which means calling into the notifier callback and
grabbing the notifier lock. With perfect timing it looks possible that
the pages we pulled from the hmm fault can get sniped by
migrate_pages_batch() at the same time that we are holding the notifier
lock to mark the pages as accessed/dirty, but at this point we also want
to grab the folio lock(s) to mark them as dirty, but if they are
contended from notifier/migrate_pages_batch side then we deadlock since
folio lock won't be dropped until we drop the notifier lock.

Fortunately the mark_page_accessed/dirty is not really needed in the
first place it seems and should have already been done by hmm fault, so
just remove it.

(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)
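
As an added illustration (not the kernel's code and not part of this advisory), the C model below replays the two lock-acquisition paths the description names through a minimal lockdep-style order tracker: the core-kernel path takes the folio lock and then, via the notifier callback, the notifier lock, while the userptr path took the notifier lock and then wanted the folio lock to mark pages dirty. All names here (lock_acquire, has_inversion, LOCK_FOLIO, LOCK_NOTIFIER, migrate_path, userptr_path) are hypothetical stand-ins for the real locks and functions; the second run models the fix, where the userptr path no longer touches the folio lock.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model, not kernel code: a lockdep-style tracker
 * that records "lock B taken while holding lock A" edges and flags the
 * two-lock ABBA cycle that the advisory describes. */

#define MAX_LOCKS 2
#define MAX_HELD  4

enum lock_class { LOCK_FOLIO = 0, LOCK_NOTIFIER = 1 };

static const char *const lock_name[MAX_LOCKS] = { "folio_lock", "notifier_lock" };

/* edge[a][b] is set once some path acquired b while already holding a. */
struct lock_graph {
    bool edge[MAX_LOCKS][MAX_LOCKS];
};

/* Locks currently held by the path being simulated. */
struct task_ctx {
    int held[MAX_HELD];
    int nr_held;
};

/* Record the acquisition of cls.  Returns true if the reverse order
 * (cls held, then one of the currently held locks taken) was already
 * recorded by some path: that is exactly the cycle that deadlocks. */
static bool lock_acquire(struct lock_graph *g, struct task_ctx *c, int cls)
{
    bool inversion = false;

    for (int i = 0; i < c->nr_held; i++) {
        int held = c->held[i];

        if (g->edge[cls][held]) {
            printf("inversion: taking %s while holding %s, but %s -> %s "
                   "was recorded by another path\n",
                   lock_name[cls], lock_name[held],
                   lock_name[cls], lock_name[held]);
            inversion = true;
        }
        g->edge[held][cls] = true;   /* held -> cls now observed */
    }
    if (c->nr_held < MAX_HELD)
        c->held[c->nr_held++] = cls;
    return inversion;
}

static void lock_release(struct task_ctx *c, int cls)
{
    for (int i = 0; i < c->nr_held; i++) {
        if (c->held[i] == cls) {
            c->held[i] = c->held[--c->nr_held];   /* swap-remove */
            return;
        }
    }
}

/* Core-kernel side as described: migrate_pages_batch() holds the folio
 * lock, then the notifier callback takes the notifier lock. */
static bool migrate_path(struct lock_graph *g)
{
    struct task_ctx c = { .nr_held = 0 };
    bool inv = false;

    inv |= lock_acquire(g, &c, LOCK_FOLIO);
    inv |= lock_acquire(g, &c, LOCK_NOTIFIER);
    lock_release(&c, LOCK_NOTIFIER);
    lock_release(&c, LOCK_FOLIO);
    return inv;
}

/* xe userptr side: notifier lock held; before the fix the folio lock was
 * then wanted to mark the page dirty (mark_dirty_under_notifier = true). */
static bool userptr_path(struct lock_graph *g, bool mark_dirty_under_notifier)
{
    struct task_ctx c = { .nr_held = 0 };
    bool inv = false;

    inv |= lock_acquire(g, &c, LOCK_NOTIFIER);
    if (mark_dirty_under_notifier) {
        inv |= lock_acquire(g, &c, LOCK_FOLIO);
        lock_release(&c, LOCK_FOLIO);
    }
    lock_release(&c, LOCK_NOTIFIER);
    return inv;
}

/* Run both paths against one shared graph; true means a cycle was found. */
static bool has_inversion(bool mark_dirty_under_notifier)
{
    struct lock_graph g;
    bool inv;

    memset(&g, 0, sizeof(g));
    inv = migrate_path(&g);
    inv |= userptr_path(&g, mark_dirty_under_notifier);
    return inv;
}

int main(void)
{
    printf("before fix: %s\n", has_inversion(true) ? "deadlock possible" : "ok");
    printf("after fix:  %s\n", has_inversion(false) ? "deadlock possible" : "ok");
    return 0;
}
```

Build with `cc -std=c99 -Wall lockorder.c && ./a.out`: the tracker reports the folio_lock/notifier_lock inversion for the pre-fix path and stays silent once the folio lock is no longer taken under the notifier lock. This is the same class of check the kernel's lockdep performs at runtime, which is why running a lockdep-enabled kernel in test is the practical way to catch ordering bugs like this one before they reach production.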
The Linux kernel CVE team has assigned CVE-2025-37868 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.12.19 with commit 2a24c98f0e4cc994334598d4f3a851972064809d and fixed in 6.12.25 with commit 65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5
Issue introduced in 6.14 with commit 0a98219bcc961edd3388960576e4353e123b4a51 and fixed in 6.14.4 with commit 90574ecf6052be83971d91d16600c5cf07003bbb
Issue introduced in 6.14 with commit 0a98219bcc961edd3388960576e4353e123b4a51 and fixed in 6.15-rc3 with commit 2577b202458cddff85cc154b1fe7f313e0d1f418
Issue introduced in 6.13.7 with commit f9326f529da7298a95643c3267f1c0fdb0db55eb
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-37868
will be updated if fixes are backported; please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/gpu/drm/xe/xe_hmm.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5
https://git.kernel.org/stable/c/90574ecf6052be83971d91d16600c5cf07003bbb
https://git.kernel.org/stable/c/2577b202458cddff85cc154b1fe7f313e0d1f418