{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-21939", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.789Z", "datePublished": "2025-04-01T15:41:05.393Z", "dateUpdated": "2026-05-11T21:09:27.750Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:09:27.750Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hmm: Don't dereference struct page pointers without notifier lock\n\nThe pnfs that we obtain from hmm_range_fault() point to pages that\nwe don't have a reference on, and the guarantee that they are still\nin the cpu page-tables is that the notifier lock must be held and the\nnotifier seqno is still valid.\n\nSo while building the sg table and marking the pages accesses / dirty\nwe need to hold this lock with a validated seqno.\n\nHowever, the lock is reclaim tainted which makes\nsg_alloc_table_from_pages_segment() unusable, since it internally\nallocates memory.\n\nInstead build the sg-table manually. For the non-iommu case\nthis might lead to fewer coalesces, but if that's a problem it can\nbe fixed up later in the resource cursor code. For the iommu case,\nthe whole sg-table may still be coalesced to a single contigous\ndevice va region.\n\nThis avoids marking pages that we don't own dirty and accessed, and\nit also avoid dereferencing struct pages that we don't own.\n\nv2:\n- Use assert to check whether hmm pfns are valid (Matthew Auld)\n- Take into account that large pages may cross range boundaries\n (Matthew Auld)\n\nv3:\n- Don't unnecessarily check for a non-freed sg-table. (Matthew Auld)\n- Add a missing up_read() in an error path. (Matthew Auld)\n\n(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_hmm.c"], "versions": [{"version": "81e058a3e7fd8593d076b4f26f7b8bb49f1d61e3", "lessThan": "2a24c98f0e4cc994334598d4f3a851972064809d", "status": "affected", "versionType": "git"}, {"version": "81e058a3e7fd8593d076b4f26f7b8bb49f1d61e3", "lessThan": "f9326f529da7298a95643c3267f1c0fdb0db55eb", "status": "affected", "versionType": "git"}, {"version": "81e058a3e7fd8593d076b4f26f7b8bb49f1d61e3", "lessThan": "0a98219bcc961edd3388960576e4353e123b4a51", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_hmm.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.19", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.7", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.13.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.14"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2a24c98f0e4cc994334598d4f3a851972064809d"}, {"url": "https://git.kernel.org/stable/c/f9326f529da7298a95643c3267f1c0fdb0db55eb"}, {"url": "https://git.kernel.org/stable/c/0a98219bcc961edd3388960576e4353e123b4a51"}], "title": "drm/xe/hmm: Don't dereference struct page pointers without notifier lock", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5EF0086-F7C3-45D5-9961-FB5D0F4B7678", "versionEndExcluding": "6.12.19", "versionStartIncluding": "6.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "842F5A44-3E71-4546-B4FD-43B0ACE3F32B", "versionEndExcluding": "6.13.7", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "0D3E781C-403A-498F-9DA9-ECEE50F41E75", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*", "matchCriteriaId": "66619FB8-0AAF-4166-B2CF-67B24143261D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*", "matchCriteriaId": "D3D6550E-6679-4560-902D-AF52DCFE905B", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*", "matchCriteriaId": "45B90F6B-BEC7-4D4E-883A-9DBADE021750", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/hmm: Don't dereference struct page pointers without notifier lock\n\nThe pnfs that we obtain from hmm_range_fault() point to pages that\nwe don't have a reference on, and the guarantee that they are still\nin the cpu page-tables is that the notifier lock must be held and the\nnotifier seqno is still valid.\n\nSo while building the sg table and marking the pages accesses / dirty\nwe need to hold this lock with a validated seqno.\n\nHowever, the lock is reclaim tainted which makes\nsg_alloc_table_from_pages_segment() unusable, since it internally\nallocates memory.\n\nInstead build the sg-table manually. For the non-iommu case\nthis might lead to fewer coalesces, but if that's a problem it can\nbe fixed up later in the resource cursor code. For the iommu case,\nthe whole sg-table may still be coalesced to a single contigous\ndevice va region.\n\nThis avoids marking pages that we don't own dirty and accessed, and\nit also avoid dereferencing struct pages that we don't own.\n\nv2:\n- Use assert to check whether hmm pfns are valid (Matthew Auld)\n- Take into account that large pages may cross range boundaries\n (Matthew Auld)\n\nv3:\n- Don't unnecessarily check for a non-freed sg-table. (Matthew Auld)\n- Add a missing up_read() in an error path. (Matthew Auld)\n\n(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe/hmm: No desreferenciar punteros de p\u00e1gina de estructura sin bloqueo de notificador Los pnfs que obtenemos de hmm_range_fault() apuntan a p\u00e1ginas en las que no tenemos una referencia, y la garant\u00eda de que a\u00fan est\u00e1n en las tablas de p\u00e1ginas de la CPU es que el bloqueo del notificador debe mantenerse y el seqno del notificador a\u00fan es v\u00e1lido. Entonces, mientras construimos la tabla sg y marcamos las p\u00e1ginas como accedidas/sucias, necesitamos mantener este bloqueo con un seqno validado. Sin embargo, el bloqueo est\u00e1 contaminado por recuperaci\u00f3n, lo que hace que sg_alloc_table_from_pages_segment() sea inutilizable, ya que asigna memoria internamente. En su lugar, construya la tabla sg manualmente. Para el caso que no es iommu, esto podr\u00eda llevar a menos coalescencias, pero si eso es un problema, se puede arreglar m\u00e1s adelante en el c\u00f3digo del cursor de recursos. En el caso de iommu, toda la tabla sg puede fusionarse en una \u00fanica regi\u00f3n va de dispositivo contiguo. Esto evita marcar p\u00e1ginas que no son de nuestra propiedad como sucias y accedidas, y tambi\u00e9n evita desreferenciar p\u00e1ginas de estructura que no son de nuestra propiedad. v2: - Usar assert para comprobar si las funciones de funci\u00f3n de enlace de hmm son v\u00e1lidas (Matthew Auld). - Tener en cuenta que las p\u00e1ginas grandes pueden cruzar los l\u00edmites de rango (Matthew Auld). v3: - No comprobar innecesariamente si hay una tabla sg no liberada (Matthew Auld). - A\u00f1adir una funci\u00f3n up_read() faltante en una ruta de error (Matthew Auld). (Seleccionado de el commit ea3e66d280ce2576664a862693d1da8fd324c317)."}], "id": "CVE-2025-21939", "lastModified": "2025-10-30T19:44:02.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-01T16:15:24.773", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0a98219bcc961edd3388960576e4353e123b4a51"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2a24c98f0e4cc994334598d4f3a851972064809d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f9326f529da7298a95643c3267f1c0fdb0db55eb"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/xe/hmm: Don't dereference struct page pointers without notifier lock", "id": "2356586", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356586"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-667", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/xe/hmm: Don't dereference struct page pointers without notifier lock\nThe pnfs that we obtain from hmm_range_fault() point to pages that\nwe don't have a reference on, and the guarantee that they are still\nin the cpu page-tables is that the notifier lock must be held and the\nnotifier seqno is still valid.\nSo while building the sg table and marking the pages accesses / dirty\nwe need to hold this lock with a validated seqno.\nHowever, the lock is reclaim tainted which makes\nsg_alloc_table_from_pages_segment() unusable, since it internally\nallocates memory.\nInstead build the sg-table manually. For the non-iommu case\nthis might lead to fewer coalesces, but if that's a problem it can\nbe fixed up later in the resource cursor code. For the iommu case,\nthe whole sg-table may still be coalesced to a single contigous\ndevice va region.\nThis avoids marking pages that we don't own dirty and accessed, and\nit also avoid dereferencing struct pages that we don't own.\nv2:\n- Use assert to check whether hmm pfns are valid (Matthew Auld)\n- Take into account that large pages may cross range boundaries\n(Matthew Auld)\nv3:\n- Don't unnecessarily check for a non-freed sg-table. (Matthew Auld)\n- Add a missing up_read() in an error path. (Matthew Auld)\n(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)"], "name": "CVE-2025-21939", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21939\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21939\nhttps://lore.kernel.org/linux-cve-announce/2025040135-CVE-2025-21939-b7d7@gregkh/T"], "threat_severity": "Moderate"}

{}