CVE-2025-21880

{"id": "CVE-2025-21880", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-03-27T15:15:55.890", "references": [{"url": "https://git.kernel.org/stable/c/51cc278f8ffacd5f9dc7d13191b81b912829db59", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a9f4fa3a7efa65615ff7db13023ac84516e99e21", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/daad16d0a538fa938e344fd83927bbcfcd8a66ec", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/userptr: fix EFAULT handling\n\nCurrently we treat EFAULT from hmm_range_fault() as a non-fatal error\nwhen called from xe_vm_userptr_pin() with the idea that we want to avoid\nkilling the entire vm and chucking an error, under the assumption that\nthe user just did an unmap or something, and has no intention of\nactually touching that memory from the GPU. At this point we have\nalready zapped the PTEs so any access should generate a page fault, and\nif the pin fails there also it will then become fatal.\n\nHowever it looks like it's possible for the userptr vma to still be on\nthe rebind list in preempt_rebind_work_func(), if we had to retry the\npin again due to something happening in the caller before we did the\nrebind step, but in the meantime needing to re-validate the userptr and\nthis time hitting the EFAULT.\n\nThis explains an internal user report of hitting:\n\n[ 191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe]\n[ 191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738690] Call Trace:\n[ 191.738692] <TASK>\n[ 191.738694] ? show_regs+0x69/0x80\n[ 191.738698] ? __warn+0x93/0x1a0\n[ 191.738703] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738759] ? report_bug+0x18f/0x1a0\n[ 191.738764] ? handle_bug+0x63/0xa0\n[ 191.738767] ? exc_invalid_op+0x19/0x70\n[ 191.738770] ? asm_exc_invalid_op+0x1b/0x20\n[ 191.738777] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738834] ? ret_from_fork_asm+0x1a/0x30\n[ 191.738849] bind_op_prepare+0x105/0x7b0 [xe]\n[ 191.738906] ? dma_resv_reserve_fences+0x301/0x380\n[ 191.738912] xe_pt_update_ops_prepare+0x28c/0x4b0 [xe]\n[ 191.738966] ? kmemleak_alloc+0x4b/0x80\n[ 191.738973] ops_execute+0x188/0x9d0 [xe]\n[ 191.739036] xe_vm_rebind+0x4ce/0x5a0 [xe]\n[ 191.739098] ? trace_hardirqs_on+0x4d/0x60\n[ 191.739112] preempt_rebind_work_func+0x76f/0xd00 [xe]\n\nFollowed by NPD, when running some workload, since the sg was never\nactually populated but the vma is still marked for rebind when it should\nbe skipped for this special EFAULT case. This is confirmed to fix the\nuser report.\n\nv2 (MattB):\n - Move earlier.\nv3 (MattB):\n - Update the commit message to make it clear that this indeed fixes the\n issue.\n\n(cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe/userptr: correcci\u00f3n de la gesti\u00f3n de EFAULT Actualmente tratamos EFAULT de hmm_range_fault() como un error no fatal cuando se llama desde xe_vm_userptr_pin() con la idea de que queremos evitar matar toda la m\u00e1quina virtual y arrojar un error, bajo el supuesto de que el usuario solo hizo una desasignaci\u00f3n o algo as\u00ed, y no tiene intenci\u00f3n de tocar esa memoria de la GPU. En este punto, ya hemos eliminado los PTE, por lo que cualquier acceso deber\u00eda generar un fallo de p\u00e1gina, y si el pin tambi\u00e9n falla all\u00ed, se volver\u00e1 fatal. Sin embargo, parece que es posible que la vma userptr a\u00fan est\u00e9 en la lista de revinculaci\u00f3n en preempt_rebind_work_func(), si tuvi\u00e9ramos que volver a intentar el pin debido a que algo sucede en el llamador antes de realizar el paso de revinculaci\u00f3n, pero mientras tanto necesitamos volver a validar el userptr y esta vez golpeando el EFAULT. Esto explica un informe interno de usuario sobre el resultado: [ 191.738349] ADVERTENCIA: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe] [ 191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738690] Call Trace: [ 191.738692] [ 191.738694] ? show_regs+0x69/0x80 [ 191.738698] ? __warn+0x93/0x1a0 [ 191.738703] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738759] ? report_bug+0x18f/0x1a0 [ 191.738764] ? handle_bug+0x63/0xa0 [ 191.738767] ? exc_invalid_op+0x19/0x70 [ 191.738770] ? asm_exc_invalid_op+0x1b/0x20 [ 191.738777] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe] [ 191.738834] ? ret_from_fork_asm+0x1a/0x30 [ 191.738849] bind_op_prepare+0x105/0x7b0 [xe] [ 191.738906] ? dma_resv_reserve_fences+0x301/0x380 [ 191.738912] xe_pt_update_ops_prepare+0x28c/0x4b0 [xe] [ 191.738966] ? kmemleak_alloc+0x4b/0x80 [ 191.738973] ops_execute+0x188/0x9d0 [xe] [ 191.739036] xe_vm_rebind+0x4ce/0x5a0 [xe] [ 191.739098] ? trace_hardirqs_on+0x4d/0x60 [ 191.739112] preempt_rebind_work_func+0x76f/0xd00 [xe] Seguido de NPD, al ejecutar alguna carga de trabajo, ya que el grupo de secuencias nunca se rellen\u00f3, pero el administrador de m\u00e1quinas virtuales (VMMA) sigue marcado para revincular cuando deber\u00eda omitirse para este caso especial de EFAULT. Esto se ha confirmado para corregir el informe del usuario. v2 (MattB): - Se ha movido a una versi\u00f3n anterior. v3 (MattB): - Actualizar el mensaje de confirmaci\u00f3n para dejar claro que esto realmente soluciona el problema. (seleccionado del commit 6b93cb98910c826c2e2004942f8b060311e43618)"}], "lastModified": "2025-10-30T15:44:19.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3E726AB-924C-4BAA-9AD5-2EA4A154FEE8", "versionEndExcluding": "6.12.18", "versionStartIncluding": "6.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64F12D9B-71C2-4CD7-A288-0D5EF1709620", "versionEndExcluding": "6.13.6", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}