From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-37868: drm/xe/userptr: fix notifier vs folio deadlock

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/userptr: fix notifier vs folio deadlock

User is reporting what smells like notifier vs folio deadlock, where
migrate_pages_batch() on core kernel side is holding folio lock(s) and
then interacting with the mappings of it, however those mappings are
tied to some userptr, which means calling into the notifier callback and
grabbing the notifier lock. With perfect timing it looks possible that
the pages we pulled from the hmm fault can get sniped by
migrate_pages_batch() at the same time that we are holding the notifier
lock to mark the pages as accessed/dirty, but at this point we also want
to grab the folio lock(s) to mark them as dirty, but if they are
contended from notifier/migrate_pages_batch side then we deadlock since
folio lock won't be dropped until we drop the notifier lock.

Fortunately the mark_page_accessed/dirty is not really needed in the
first place it seems and should have already been done by hmm fault, so
just remove it.

(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)

The Linux kernel CVE team has assigned CVE-2025-37868 to this issue.


Affected and fixed versions
===========================

Issue introduced in 6.12.19 with commit 2a24c98f0e4cc994334598d4f3a851972064809d and fixed in 6.12.25 with commit 65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5
Issue introduced in 6.14 with commit 0a98219bcc961edd3388960576e4353e123b4a51 and fixed in 6.14.4 with commit 90574ecf6052be83971d91d16600c5cf07003bbb
Issue introduced in 6.14 with commit 0a98219bcc961edd3388960576e4353e123b4a51 and fixed in 6.15 with commit 2577b202458cddff85cc154b1fe7f313e0d1f418
Issue introduced in 6.13.7 with commit f9326f529da7298a95643c3267f1c0fdb0db55eb
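An exposure check against the four ranges listed above, added here as an example and not part of the announcement or of the kernel CVE tooling: it classifies a kernel version string (for instance the output of uname -r) as affected, fixed, or not listed, assuming each range applies within the x.y series of its introducing version, and treating the 6.13.7 entry, which lists no fix, as open-ended.

```python
import platform
import re

# Ranges transcribed from the "Affected and fixed versions" section above.
# A fix of None means the announcement lists no fixed version for that series.
AFFECTED_RANGES = [
    ("6.12.19", "6.12.25"),
    ("6.14", "6.14.4"),
    ("6.14", "6.15"),
    ("6.13.7", None),
]

def parse_version(text):
    """Map '6.12.19-generic' to (6, 12, 19) and '6.14' to (6, 14, 0).
    Distro suffixes and -rc tags are dropped; only the numeric triple counts."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(version_text):
    """Return 'affected', 'fixed' or 'not listed' for one kernel version.
    Assumption: each range applies within the x.y series of its introducing
    version, so a 6.14.y kernel is judged against the 6.14.4 stable fix and
    not against the 6.15 mainline fix."""
    v = parse_version(version_text)
    ranges = [(parse_version(i), parse_version(f) if f else None)
              for i, f in AFFECTED_RANGES]
    same_series = [(i, f) for i, f in ranges if i[:2] == v[:2]]
    if not same_series:
        # Not an introducing series; it may still be a series that carries a fix (6.15).
        fixed_here = [f for _, f in ranges if f and f[:2] == v[:2] and v >= f]
        return "fixed" if fixed_here else "not listed"
    if v < min(i for i, _ in same_series):
        return "not listed"
    in_series_fixes = [f for _, f in same_series if f and f[:2] == v[:2]]
    if not in_series_fixes:
        return "affected"  # introduced with no fix listed for this series (6.13.7)
    return "fixed" if v >= min(in_series_fixes) else "affected"

if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {classify(running)} by the CVE-2025-37868 ranges")
```

"not listed" only means the version falls outside the ranges in this announcement; as the text below notes, backports can change that, so the CVE record is the authority.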

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-37868
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/gpu/drm/xe/xe_hmm.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5
https://git.kernel.org/stable/c/90574ecf6052be83971d91d16600c5cf07003bbb
https://git.kernel.org/stable/c/2577b202458cddff85cc154b1fe7f313e0d1f418