Wind River Support Network

Acknowledged

LIN1024-10818 : Security Advisory - linux - CVE-2025-38520

Created: Aug 17, 2025    Updated: Aug 18, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Don't call mmput from MMU notifier callback

If the process is exiting, the mmput inside mmu notifier callback from
compactd or fork or numa balancing could release the last reference
of mm struct to call exit_mmap and free_pgtable, this triggers deadlock
with below backtrace.

The deadlock will leak kfd process as mmu notifier release is not called
and cause VRAM leaking.

The fix is to take mm reference mmget_non_zero when adding prange to the
deferred list to pair with mmput in deferred list work.

If prange split and add into pchild list, the pchild work_item.mm is not
used, so remove the mm parameter from svm_range_unmap_split and
svm_range_add_child.

The backtrace of hung task:

 INFO: task python:348105 blocked for more than 64512 seconds.
 Call Trace:
  __schedule+0x1c3/0x550
  schedule+0x46/0xb0
  rwsem_down_write_slowpath+0x24b/0x4c0
  unlink_anon_vmas+0xb1/0x1c0
  free_pgtables+0xa9/0x130
  exit_mmap+0xbc/0x1a0
  mmput+0x5a/0x140
  svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]
  mn_itree_invalidate+0x72/0xc0
  __mmu_notifier_invalidate_range_start+0x48/0x60
  try_to_unmap_one+0x10fa/0x1400
  rmap_walk_anon+0x196/0x460
  try_to_unmap+0xbb/0x210
  migrate_page_unmap+0x54d/0x7e0
  migrate_pages_batch+0x1c3/0xae0
  migrate_pages_sync+0x98/0x240
  migrate_pages+0x25c/0x520
  compact_zone+0x29d/0x590
  compact_zone_order+0xb6/0xf0
  try_to_compact_pages+0xbe/0x220
  __alloc_pages_direct_compact+0x96/0x1a0
  __alloc_pages_slowpath+0x410/0x930
  __alloc_pages_nodemask+0x3a9/0x3e0
  do_huge_pmd_anonymous_page+0xd7/0x3e0
  __handle_mm_fault+0x5e3/0x5f0
  handle_mm_fault+0xf7/0x2e0
  hmm_vma_fault.isra.0+0x4d/0xa0
  walk_pmd_range.isra.0+0xa8/0x310
  walk_pud_range+0x167/0x240
  walk_pgd_range+0x55/0x100
  __walk_page_range+0x87/0x90
  walk_page_range+0xf6/0x160
  hmm_range_fault+0x4f/0x90
  amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]
  amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]
  init_user_pages+0xb1/0x2a0 [amdgpu]
  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]
  kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]
  kfd_ioctl+0x29d/0x500 [amdgpu]

(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)
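
To check whether a hung-task report in a collected kernel log matches the deadlock described above, the following added example (not part of the advisory or the kernel patch) parses hung-task traces and flags those where mmput, with exit_mmap already running, was called from svm_range_cpu_invalidate_pagetables inside an MMU notifier invalidation. The function names parse_hung_tasks, matches_signature and find_affected are hypothetical, and the match is a heuristic on symbol order only.

```python
import re

# Hung-task header and stack-frame line formats as they appear in the advisory's trace.
HDR = re.compile(r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than \d+ seconds")
FRAME = re.compile(r"^\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_hung_tasks(log):
    """Split a kernel log into hung-task reports; frames are innermost first."""
    reports = []
    for line in log.splitlines():
        hdr, frame = HDR.search(line), FRAME.match(line)
        if hdr:
            reports.append({"comm": hdr["comm"], "pid": int(hdr["pid"]), "frames": []})
        elif reports and frame and not frame["q"]:  # skip unreliable "? sym" frames
            reports[-1]["frames"].append(frame["sym"])
    return reports

def matches_signature(frames):
    """mmput dropped the last mm reference (exit_mmap is running) while called
    from the amdkfd SVM callback inside an MMU notifier invalidation."""
    for i, sym in enumerate(frames):
        if sym == "mmput" and i + 1 < len(frames):
            if ("exit_mmap" in frames[:i]
                    and frames[i + 1] == "svm_range_cpu_invalidate_pagetables"
                    and "__mmu_notifier_invalidate_range_start" in frames[i + 2:]):
                return True
    return False

def find_affected(log):
    """Return (comm, pid) for every hung task whose trace matches."""
    return [(r["comm"], r["pid"]) for r in parse_hung_tasks(log)
            if matches_signature(r["frames"])]

# Constructed input: the first report is an excerpt of the advisory's trace,
# the second is an invented, unrelated hung task used as a negative case.
SAMPLE = """\
 INFO: task python:348105 blocked for more than 64512 seconds.
 Call Trace:
  free_pgtables+0xa9/0x130
  exit_mmap+0xbc/0x1a0
  mmput+0x5a/0x140
  svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]
  mn_itree_invalidate+0x72/0xc0
  __mmu_notifier_invalidate_range_start+0x48/0x60
 INFO: task backup:4242 blocked for more than 120 seconds.
 Call Trace:
  schedule+0x46/0xb0
  io_schedule+0x12/0x40
"""
```

Calling find_affected on the text of a saved kernel log returns the task name and PID of each matching report; SAMPLE yields only the python task.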

CREATE(Triage):(User=pbi-cn) [CVE-2025-38520 (https://nvd.nist.gov/vuln/detail/CVE-2025-38520)