CVE-2025-21880

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-21880
Published
2025-03-27T14:57:09Z
Modified
2025-10-15T22:34:17.244942Z
Summary
drm/xe/userptr: fix EFAULT handling
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/userptr: fix EFAULT handling

Currently we treat EFAULT from hmm_range_fault() as a non-fatal error when called from xe_vm_userptr_pin() with the idea that we want to avoid killing the entire vm and chucking an error, under the assumption that the user just did an unmap or something, and has no intention of actually touching that memory from the GPU. At this point we have already zapped the PTEs so any access should generate a page fault, and if the pin fails there also it will then become fatal.

However it looks like it's possible for the userptr vma to still be on the rebind list in preempt_rebind_work_func(), if we had to retry the pin again due to something happening in the caller before we did the rebind step, but in the meantime needing to re-validate the userptr and this time hitting the EFAULT.

This explains an internal user report of hitting:

[ 191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe]
[ 191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738690] Call Trace:
[ 191.738692] <TASK>
[ 191.738694] ? show_regs+0x69/0x80
[ 191.738698] ? __warn+0x93/0x1a0
[ 191.738703] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738759] ? report_bug+0x18f/0x1a0
[ 191.738764] ? handle_bug+0x63/0xa0
[ 191.738767] ? exc_invalid_op+0x19/0x70
[ 191.738770] ? asm_exc_invalid_op+0x1b/0x20
[ 191.738777] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738834] ? ret_from_fork_asm+0x1a/0x30
[ 191.738849] bind_op_prepare+0x105/0x7b0 [xe]
[ 191.738906] ? dma_resv_reserve_fences+0x301/0x380
[ 191.738912] xe_pt_update_ops_prepare+0x28c/0x4b0 [xe]
[ 191.738966] ? kmemleak_alloc+0x4b/0x80
[ 191.738973] ops_execute+0x188/0x9d0 [xe]
[ 191.739036] xe_vm_rebind+0x4ce/0x5a0 [xe]
[ 191.739098] ? trace_hardirqs_on+0x4d/0x60
[ 191.739112] preempt_rebind_work_func+0x76f/0xd00 [xe]

Followed by NPD, when running some workload, since the sg was never actually populated but the vma is still marked for rebind when it should be skipped for this special EFAULT case. This is confirmed to fix the user report.

v2 (MattB):
- Move earlier.
v3 (MattB):
- Update the commit message to make it clear that this indeed fixes the issue.

(cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
521db22a1d70dbc596a07544a738416025b1b63c
Fixed
daad16d0a538fa938e344fd83927bbcfcd8a66ec
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
521db22a1d70dbc596a07544a738416025b1b63c
Fixed
51cc278f8ffacd5f9dc7d13191b81b912829db59
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
521db22a1d70dbc596a07544a738416025b1b63c
Fixed
a9f4fa3a7efa65615ff7db13023ac84516e99e21

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.8
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.10.0
Fixed
6.12.18
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.6