In the Linux kernel, the following vulnerability has been resolved:
drm/xe/hmm: Don't dereference struct page pointers without notifier lock
The pfns that we obtain from hmm_range_fault() point to pages that we don't have a reference on, and the guarantee that they are still in the cpu page-tables is that the notifier lock must be held and the notifier seqno is still valid.
So while building the sg table and marking the pages accessed / dirty we need to hold this lock with a validated seqno.
However, the lock is reclaim tainted which makes sg_alloc_table_from_pages_segment() unusable, since it internally allocates memory.
Instead build the sg-table manually. For the non-iommu case this might lead to fewer coalesces, but if that's a problem it can be fixed up later in the resource cursor code. For the iommu case, the whole sg-table may still be coalesced to a single contiguous device va region.
This avoids marking pages that we don't own dirty and accessed, and it also avoids dereferencing struct pages that we don't own.
v2:
- Use assert to check whether hmm pfns are valid (Matthew Auld)
- Take into account that large pages may cross range boundaries (Matthew Auld)
v3:
- Don't unnecessarily check for a non-freed sg-table. (Matthew Auld)
- Add a missing up_read() in an error path. (Matthew Auld)
(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)
[
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a24c98f0e4cc994334598d4f3a851972064809d",
"target": {
"file": "drivers/gpu/drm/xe/xe_hmm.c"
},
"id": "CVE-2025-21939-6a4a96b8"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1618.0,
"function_hash": "334705986316072189302157785557248013513"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a24c98f0e4cc994334598d4f3a851972064809d",
"target": {
"file": "drivers/gpu/drm/xe/xe_hmm.c",
"function": "xe_hmm_userptr_populate_range"
},
"id": "CVE-2025-21939-90b0e83d"
},
{
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 806.0,
"function_hash": "113913861816494103672790579521768127627"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2a24c98f0e4cc994334598d4f3a851972064809d",
"target": {
"file": "drivers/gpu/drm/xe/xe_hmm.c",
"function": "xe_build_sg"
},
"id": "CVE-2025-21939-9af5de95"
}
]