CVE-2025-37868

drm/xe/userptr: fix notifier vs folio deadlock

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE

In the Linux kernel, the following vulnerability has been resolved: drm/xe/userptr: fix notifier vs folio deadlock User is reporting what smells like notifier vs folio deadlock, where
migrate_pages_batch() on core kernel side is holding folio lock(s) and
then interacting with the mappings of it, however those mappings are
tied to some userptr, which means calling into the notifier callback and
grabbing the notifier lock. With perfect timing it looks possible that
the pages we pulled from the hmm fault can get sniped by
migrate_pages_batch() at the same time that we are holding the notifier
lock to mark the pages as accessed/dirty, but at this point we also want
to grab the folio locks(s) to mark them as dirty, but if they are
contended from notifier/migrate_pages_batch side then we deadlock since
folio lock won't be dropped until we drop the notifier lock. Fortunately the mark_page_accessed/dirty is not really needed in the
first place it seems and should have already been done by hmm fault, so
just remove it. (cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-05-09 CVE Published
2025-05-09 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/2a24c98f0e4cc994334598d4f3a851972064809d	Vuln. Introduced
https://git.kernel.org/stable/c/0a98219bcc961edd3388960576e4353e123b4a51	Vuln. Introduced
https://git.kernel.org/stable/c/f9326f529da7298a95643c3267f1c0fdb0db55eb	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/65dc4e3d5b01db0179fc95c1f0bdb87194c28ab5	2025-04-25
https://git.kernel.org/stable/c/90574ecf6052be83971d91d16600c5cf07003bbb	2025-04-25
https://git.kernel.org/stable/c/2577b202458cddff85cc154b1fe7f313e0d1f418	2025-04-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12.19 < 6.12.25 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12.19 < 6.12.25"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.14 < 6.14.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.14 < 6.14.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.14 < 6.15-rc3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.14 < 6.15-rc3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.13.7 Search vendor "Linux" for product "Linux Kernel" and version "6.13.7"		en		Affected