CVE-2025-21939

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/hmm: Don't dereference struct page pointers without notifier lock

The pnfs that we obtain from hmm_range_fault() point to pages that we don't have a reference on, and the guarantee that they are still in the cpu page-tables is that the notifier lock must be held and the notifier seqno is still valid.

So while building the sg table and marking the pages accesses / dirty we need to hold this lock with a validated seqno.

However, the lock is reclaim tainted which makes sg_alloc_table_from_pages_segment() unusable, since it internally allocates memory.

Instead build the sg-table manually. For the non-iommu case this might lead to fewer coalesces, but if that's a problem it can be fixed up later in the resource cursor code. For the iommu case, the whole sg-table may still be coalesced to a single contigous device va region.

This avoids marking pages that we don't own dirty and accessed, and it also avoid dereferencing struct pages that we don't own.

v2:

  • Use assert to check whether hmm pfns are valid (Matthew Auld)
  • Take into account that large pages may cross range boundaries (Matthew Auld)

v3:

  • Don't unnecessarily check for a non-freed sg-table. (Matthew Auld)
  • Add a missing up_read() in an error path. (Matthew Auld)

(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)

Affected Software

VendorProductVersion RangeStatus
LinuxLinux81e058a3e7fd8593d076b4f26f7b8bb49f1d61e3 < 2a24c98f0e4cc994334598d4f3a851972064809daffected
LinuxLinux81e058a3e7fd8593d076b4f26f7b8bb49f1d61e3 < f9326f529da7298a95643c3267f1c0fdb0db55ebaffected
LinuxLinux81e058a3e7fd8593d076b4f26f7b8bb49f1d61e3 < 0a98219bcc961edd3388960576e4353e123b4a51affected
LinuxLinux6.10affected
LinuxLinux0 < 6.10unaffected
LinuxLinux6.12.19 <= 6.12.*unaffected
LinuxLinux6.13.7 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

References