cve/published/2025/CVE-2025-37930.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37930: drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

 Nouveau is mostly designed in a way that it's expected that fences only
 ever get signaled through nouveau_fence_signal(). However, in at least
 one other place, nouveau_fence_done(), can signal fences, too. If that
 happens (race) a signaled fence remains in the pending list for a while,
 until it gets removed by nouveau_fence_update().

 Should nouveau_fence_context_kill() run in the meantime, this would be
 a bug because the function would attempt to set an error code on an
 already signaled fence.

 Have nouveau_fence_context_kill() check for a fence being signaled.

 The Linux kernel CVE team has assigned CVE-2025-37930 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 5.10.238 with commit 39d6e889c0b19a2c79e1c74c843ea7c2d0f99c28
 	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 5.15.182 with commit 2ec0f5f6d4768f292c8406ed92fa699f184577e5
 	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.1.138 with commit 47ca11836c35c5698088fd87f7fb4b0ffa217e17
 	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.6.90 with commit 126f5c6e0cb84e5c6f7a3a856d799d85668fb38e
 	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.12.28 with commit b771b2017260ffc3a8d4e81266619649bffcb242
 	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.14.6 with commit 0453825167ecc816ec15c736e52316f69db0deb9
 	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.15 with commit bbe5679f30d7690a9b6838a583b9690ea73fe0e9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37930
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/nouveau/nouveau_fence.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/39d6e889c0b19a2c79e1c74c843ea7c2d0f99c28
 	https://git.kernel.org/stable/c/2ec0f5f6d4768f292c8406ed92fa699f184577e5
 	https://git.kernel.org/stable/c/47ca11836c35c5698088fd87f7fb4b0ffa217e17
 	https://git.kernel.org/stable/c/126f5c6e0cb84e5c6f7a3a856d799d85668fb38e
 	https://git.kernel.org/stable/c/b771b2017260ffc3a8d4e81266619649bffcb242
 	https://git.kernel.org/stable/c/0453825167ecc816ec15c736e52316f69db0deb9
 	https://git.kernel.org/stable/c/bbe5679f30d7690a9b6838a583b9690ea73fe0e9
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37930: drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

	Nouveau is mostly designed in a way that it's expected that fences only
	ever get signaled through nouveau_fence_signal(). However, in at least
	one other place, nouveau_fence_done(), can signal fences, too. If that
	happens (race) a signaled fence remains in the pending list for a while,
	until it gets removed by nouveau_fence_update().

	Should nouveau_fence_context_kill() run in the meantime, this would be
	a bug because the function would attempt to set an error code on an
	already signaled fence.

	Have nouveau_fence_context_kill() check for a fence being signaled.

	The Linux kernel CVE team has assigned CVE-2025-37930 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 5.10.238 with commit 39d6e889c0b19a2c79e1c74c843ea7c2d0f99c28
	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 5.15.182 with commit 2ec0f5f6d4768f292c8406ed92fa699f184577e5
	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.1.138 with commit 47ca11836c35c5698088fd87f7fb4b0ffa217e17
	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.6.90 with commit 126f5c6e0cb84e5c6f7a3a856d799d85668fb38e
	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.12.28 with commit b771b2017260ffc3a8d4e81266619649bffcb242
	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.14.6 with commit 0453825167ecc816ec15c736e52316f69db0deb9
	Issue introduced in 5.6 with commit ea13e5abf807ea912ce84eef6a1946b9a38c6508 and fixed in 6.15 with commit bbe5679f30d7690a9b6838a583b9690ea73fe0e9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37930
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/nouveau/nouveau_fence.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/39d6e889c0b19a2c79e1c74c843ea7c2d0f99c28
	https://git.kernel.org/stable/c/2ec0f5f6d4768f292c8406ed92fa699f184577e5
	https://git.kernel.org/stable/c/47ca11836c35c5698088fd87f7fb4b0ffa217e17
	https://git.kernel.org/stable/c/126f5c6e0cb84e5c6f7a3a856d799d85668fb38e
	https://git.kernel.org/stable/c/b771b2017260ffc3a8d4e81266619649bffcb242
	https://git.kernel.org/stable/c/0453825167ecc816ec15c736e52316f69db0deb9
	https://git.kernel.org/stable/c/bbe5679f30d7690a9b6838a583b9690ea73fe0e9