{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-37868", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.959Z", "datePublished": "2025-05-09T06:43:57.383Z", "dateUpdated": "2025-05-26T05:22:39.786Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-26T05:22:39.786Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/userptr: fix notifier vs folio deadlock\n\nUser is reporting what smells like notifier vs folio deadlock, where\nmigrate_pages_batch() on core kernel side is holding folio lock(s) and\nthen interacting with the mappings of it, however those mappings are\ntied to some userptr, which means calling into the notifier callback and\ngrabbing the notifier lock. With perfect timing it looks possible that\nthe pages we pulled from the hmm fault can get sniped by\nmigrate_pages_batch() at the same time that we are holding the notifier\nlock to mark the pages as accessed/dirty, but at this point we also want\nto grab the folio locks(s) to mark them as dirty, but if they are\ncontended from notifier/migrate_pages_batch side then we deadlock since\nfolio lock won't be dropped until we drop the notifier lock.\n\nFortunately the mark_page_accessed/dirty is not really needed in the\nfirst place it seems and should have already been done by hmm fault, so\njust remove it.\n\n(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_hmm.c"], "versions": [{"version": "2a24c98f0e4cc994334598d4f3a851972064809d", "lessThan": "65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5", "status": "affected", "versionType": "git"}, {"version": "0a98219bcc961edd3388960576e4353e123b4a51", "lessThan": "90574ecf6052be83971d91d16600c5cf07003bbb", "status": "affected", "versionType": "git"}, {"version": "0a98219bcc961edd3388960576e4353e123b4a51", "lessThan": "2577b202458cddff85cc154b1fe7f313e0d1f418", "status": "affected", "versionType": "git"}, {"version": "f9326f529da7298a95643c3267f1c0fdb0db55eb", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_hmm.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.25", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.4", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.19", "versionEndExcluding": "6.12.25"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.14.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.7"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5"}, {"url": "https://git.kernel.org/stable/c/90574ecf6052be83971d91d16600c5cf07003bbb"}, {"url": "https://git.kernel.org/stable/c/2577b202458cddff85cc154b1fe7f313e0d1f418"}], "title": "drm/xe/userptr: fix notifier vs folio deadlock", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E18BED3-0115-482C-861A-9ECA8B05EEB2", "versionEndExcluding": "6.12.25", "versionStartIncluding": "6.12.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "87A94BBB-C489-4F0E-AC35-A6E9E1316FCE", "versionEndExcluding": "6.14", "versionStartIncluding": "6.13.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "26175852-4D93-410C-BC8C-C405F2A9D737", "versionEndExcluding": "6.14.4", "versionStartIncluding": "6.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*", "matchCriteriaId": "7DE421BA-0600-4401-A175-73CAB6A6FB4E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*", "matchCriteriaId": "1759FFB7-531C-41B1-9AE1-FD3D80E0D920", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*", "matchCriteriaId": "AD948719-8628-4421-A340-1066314BBD4A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/userptr: fix notifier vs folio deadlock\n\nUser is reporting what smells like notifier vs folio deadlock, where\nmigrate_pages_batch() on core kernel side is holding folio lock(s) and\nthen interacting with the mappings of it, however those mappings are\ntied to some userptr, which means calling into the notifier callback and\ngrabbing the notifier lock. With perfect timing it looks possible that\nthe pages we pulled from the hmm fault can get sniped by\nmigrate_pages_batch() at the same time that we are holding the notifier\nlock to mark the pages as accessed/dirty, but at this point we also want\nto grab the folio locks(s) to mark them as dirty, but if they are\ncontended from notifier/migrate_pages_batch side then we deadlock since\nfolio lock won't be dropped until we drop the notifier lock.\n\nFortunately the mark_page_accessed/dirty is not really needed in the\nfirst place it seems and should have already been done by hmm fault, so\njust remove it.\n\n(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe/userptr: fix notifier vs folio deadlock El usuario informa lo que parece ser un deadlock entre notifier y folio, donde migration_pages_batch() en el lado del n\u00facleo central mantiene el bloqueo de folio y luego interact\u00faa con las asignaciones de este, sin embargo, esas asignaciones est\u00e1n vinculadas a alg\u00fan userptr, lo que significa llamar a la devoluci\u00f3n de llamada del notificador y tomar el bloqueo del notificador. Con una sincronizaci\u00f3n perfecta, parece posible que las p\u00e1ginas que extrajimos de la falla hmm puedan ser atacadas por migration_pages_batch() al mismo tiempo que mantenemos el bloqueo del notificador para marcar las p\u00e1ginas como accedidas/sucias, pero en este punto tambi\u00e9n queremos tomar el bloqueo de folio para marcarlos como sucios, pero si se disputan desde el lado de notifier/migrate_pages_batch, entonces nos bloqueamos ya que el bloqueo de folio no se eliminar\u00e1 hasta que eliminemos el bloqueo del notificador. Afortunadamente, mark_page_accessed/dirty no es realmente necesario en primer lugar, al parecer, y ya deber\u00eda haber sido realizado por hmm fault, as\u00ed que simplemente elim\u00ednelo. (seleccionado del commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)"}], "id": "CVE-2025-37868", "lastModified": "2025-11-12T20:37:04.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-09T07:16:07.880", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2577b202458cddff85cc154b1fe7f313e0d1f418"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/90574ecf6052be83971d91d16600c5cf07003bbb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/xe/userptr: fix notifier vs folio deadlock", "id": "2365283", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365283"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/xe/userptr: fix notifier vs folio deadlock\nUser is reporting what smells like notifier vs folio deadlock, where\nmigrate_pages_batch() on core kernel side is holding folio lock(s) and\nthen interacting with the mappings of it, however those mappings are\ntied to some userptr, which means calling into the notifier callback and\ngrabbing the notifier lock. With perfect timing it looks possible that\nthe pages we pulled from the hmm fault can get sniped by\nmigrate_pages_batch() at the same time that we are holding the notifier\nlock to mark the pages as accessed/dirty, but at this point we also want\nto grab the folio locks(s) to mark them as dirty, but if they are\ncontended from notifier/migrate_pages_batch side then we deadlock since\nfolio lock won't be dropped until we drop the notifier lock.\nFortunately the mark_page_accessed/dirty is not really needed in the\nfirst place it seems and should have already been done by hmm fault, so\njust remove it.\n(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)"], "name": "CVE-2025-37868", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-37868\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37868\nhttps://lore.kernel.org/linux-cve-announce/2025050958-CVE-2025-37868-0fc6@gregkh/T"], "threat_severity": "Moderate"}

{}