Wind River Support Network

HomeDefectsLIN1022-16299
Acknowledged

LIN1022-16299 : Security Advisory - linux - CVE-2025-38102

Created: Jul 3, 2025    Updated: Jul 8, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify[EOL][EOL]During our test, it is found that a warning can be trigger in try_grab_folio[EOL]as follow:[EOL][EOL]  ------------[ cut here ]------------[EOL]  WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130[EOL]  Modules linked in:[EOL]  CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)[EOL]  RIP: 0010:try_grab_folio+0x106/0x130[EOL]  Call Trace:[EOL]   <TASK>[EOL]   follow_huge_pmd+0x240/0x8e0[EOL]   follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0[EOL]   follow_pud_mask.constprop.0.isra.0+0x14a/0x170[EOL]   follow_page_mask+0x1c2/0x1f0[EOL]   __get_user_pages+0x176/0x950[EOL]   __gup_longterm_locked+0x15b/0x1060[EOL]   ? gup_fast+0x120/0x1f0[EOL]   gup_fast_fallback+0x17e/0x230[EOL]   get_user_pages_fast+0x5f/0x80[EOL]   vmci_host_unlocked_ioctl+0x21c/0xf80[EOL]  RIP: 0033:0x54d2cd[EOL]  ---[ end trace 0000000000000000 ]---[EOL][EOL]Digging into the source, context->notify_page may init by get_user_pages_fast[EOL]and can be seen in vmci_ctx_unset_notify which will try to put_page. However[EOL]get_user_pages_fast is not finished here and lead to following[EOL]try_grab_folio warning. The race condition is shown as follow:[EOL][EOL]cpu0\t\t\tcpu1[EOL]vmci_host_do_set_notify[EOL]vmci_host_setup_notify[EOL]get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);[EOL]lockless_pages_from_mm[EOL]gup_pgd_range[EOL]gup_huge_pmd  // update &context->notify_page[EOL]\t\t\tvmci_host_do_set_notify[EOL]\t\t\tvmci_ctx_unset_notify[EOL]\t\t\tnotify_page = context->notify_page;[EOL]\t\t\tif (notify_page)[EOL]\t\t\tput_page(notify_page);\t// page is freed[EOL]__gup_longterm_locked[EOL]__get_user_pages[EOL]follow_trans_huge_pmd[EOL]try_grab_folio // warn here[EOL][EOL]To slove this, use local variable page to make notify_page can be seen[EOL]after finish get_user_pages_fast.

CREATE(Triage):(User=lchen-cn) [CVE-2025-38102 (https://nvd.nist.gov/vuln/detail/CVE-2025-38102)
Live chat
Online
  • Linkedin
  • Facebook
  • Twitter
  • Youtube