ghsa-gm59-gv97-mpp4
Vulnerability from github
Published: 2025-12-16 15:30
Modified: 2025-12-16 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD

On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks.

[86.861179] ======================================================
[86.861193] WARNING: possible circular locking dependency detected
[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U
[86.861226] ------------------------------------------------------
[86.861238] i915_module_loa/1432 is trying to acquire lock:
[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50
[86.861290]
but task is already holding lock:
[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]
[86.862233]
which lock already depends on the new lock.
[86.862251]
the existing dependency chain (in reverse order) is:
[86.862265]
-> #5 (reservation_ww_class_mutex){+.+.}-{3:3}:
[86.862292]        dma_resv_lockdep+0x19a/0x390
[86.862315]        do_one_initcall+0x60/0x3f0
[86.862334]        kernel_init_freeable+0x3cd/0x680
[86.862353]        kernel_init+0x1b/0x200
[86.862369]        ret_from_fork+0x47/0x70
[86.862383]        ret_from_fork_asm+0x1a/0x30
[86.862399]
-> #4 (reservation_ww_class_acquire){+.+.}-{0:0}:
[86.862425]        dma_resv_lockdep+0x178/0x390
[86.862440]        do_one_initcall+0x60/0x3f0
[86.862454]        kernel_init_freeable+0x3cd/0x680
[86.862470]        kernel_init+0x1b/0x200
[86.862482]        ret_from_fork+0x47/0x70
[86.862495]        ret_from_fork_asm+0x1a/0x30
[86.862509]
-> #3 (&mm->mmap_lock){++++}-{3:3}:
[86.862531]        down_read_killable+0x46/0x1e0
[86.862546]        lock_mm_and_find_vma+0xa2/0x280
[86.862561]        do_user_addr_fault+0x266/0x8e0
[86.862578]        exc_page_fault+0x8a/0x2f0
[86.862593]        asm_exc_page_fault+0x27/0x30
[86.862607]        filldir64+0xeb/0x180
[86.862620]        kernfs_fop_readdir+0x118/0x480
[86.862635]        iterate_dir+0xcf/0x2b0
[86.862648]        __x64_sys_getdents64+0x84/0x140
[86.862661]        x64_sys_call+0x1058/0x2660
[86.862675]        do_syscall_64+0x91/0xe90
[86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e
[86.862703]
-> #2 (&root->kernfs_rwsem){++++}-{3:3}:
[86.862725]        down_write+0x3e/0xf0
[86.862738]        kernfs_add_one+0x30/0x3c0
[86.862751]        kernfs_create_dir_ns+0x53/0xb0
[86.862765]        internal_create_group+0x134/0x4c0
[86.862779]        sysfs_create_group+0x13/0x20
[86.862792]        topology_add_dev+0x1d/0x30
[86.862806]        cpuhp_invoke_callback+0x4b5/0x850
[86.862822]        cpuhp_issue_call+0xbf/0x1f0
[86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320
[86.862852]        __cpuhp_setup_state+0xb0/0x220
[86.862866]        topology_sysfs_init+0x30/0x50
[86.862879]        do_one_initcall+0x60/0x3f0
[86.862893]        kernel_init_freeable+0x3cd/0x680
[86.862908]        kernel_init+0x1b/0x200
[86.862921]        ret_from_fork+0x47/0x70
[86.862934]        ret_from_fork_asm+0x1a/0x30
[86.862947]
-> #1 (cpuhp_state_mutex){+.+.}-{3:3}:
[86.862969]        __mutex_lock+0xaa/0xed0
[86.862982]        mutex_lock_nested+0x1b/0x30
[86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320
[86.863012]        __cpuhp_setup_state+0xb0/0x220
[86.863026]        page_alloc_init_cpuhp+0x2d/0x60
[86.863041]        mm_core_init+0x22/0x2d0
[86.863054]        start_kernel+0x576/0xbd0
[86.863068]        x86_64_start_reservations+0x18/0x30
[86.863084]        x86_64_start_kernel+0xbf/0x110
[86.863098]        common_startup_64+0x13e/0x141
[86.863114]
-> #0 (cpu_hotplug_lock){++++}-{0:0}:
[86.863135]        __lock_acquire+0x16
---truncated---



{
  "affected": [],
  "aliases": [
    "CVE-2025-68244"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T15:15:53Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD\n\nOn completion of i915_vma_pin_ww(), a synchronous variant of\ndma_fence_work_commit() is called.  When pinning a VMA to GGTT address\nspace on a Cherry View family processor, or on a Broxton generation SoC\nwith VTD enabled, i.e., when stop_machine() is then called from\nintel_ggtt_bind_vma(), that can potentially lead to lock inversion among\nreservation_ww and cpu_hotplug locks.\n\n[86.861179] ======================================================\n[86.861193] WARNING: possible circular locking dependency detected\n[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U\n[86.861226] ------------------------------------------------------\n[86.861238] i915_module_loa/1432 is trying to acquire lock:\n[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50\n[86.861290]\nbut task is already holding lock:\n[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]\n[86.862233]\nwhich lock already depends on the new lock.\n[86.862251]\nthe existing dependency chain (in reverse order) is:\n[86.862265]\n-\u003e #5 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[86.862292]        dma_resv_lockdep+0x19a/0x390\n[86.862315]        do_one_initcall+0x60/0x3f0\n[86.862334]        kernel_init_freeable+0x3cd/0x680\n[86.862353]        kernel_init+0x1b/0x200\n[86.862369]        ret_from_fork+0x47/0x70\n[86.862383]        ret_from_fork_asm+0x1a/0x30\n[86.862399]\n-\u003e #4 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[86.862425]        dma_resv_lockdep+0x178/0x390\n[86.862440]        do_one_initcall+0x60/0x3f0\n[86.862454]        kernel_init_freeable+0x3cd/0x680\n[86.862470]        kernel_init+0x1b/0x200\n[86.862482]        ret_from_fork+0x47/0x70\n[86.862495]        ret_from_fork_asm+0x1a/0x30\n[86.862509]\n-\u003e #3 (\u0026mm-\u003emmap_lock){++++}-{3:3}:\n[86.862531]        down_read_killable+0x46/0x1e0\n[86.862546]        lock_mm_and_find_vma+0xa2/0x280\n[86.862561]        do_user_addr_fault+0x266/0x8e0\n[86.862578]        exc_page_fault+0x8a/0x2f0\n[86.862593]        asm_exc_page_fault+0x27/0x30\n[86.862607]        filldir64+0xeb/0x180\n[86.862620]        kernfs_fop_readdir+0x118/0x480\n[86.862635]        iterate_dir+0xcf/0x2b0\n[86.862648]        __x64_sys_getdents64+0x84/0x140\n[86.862661]        x64_sys_call+0x1058/0x2660\n[86.862675]        do_syscall_64+0x91/0xe90\n[86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[86.862703]\n-\u003e #2 (\u0026root-\u003ekernfs_rwsem){++++}-{3:3}:\n[86.862725]        down_write+0x3e/0xf0\n[86.862738]        kernfs_add_one+0x30/0x3c0\n[86.862751]        kernfs_create_dir_ns+0x53/0xb0\n[86.862765]        internal_create_group+0x134/0x4c0\n[86.862779]        sysfs_create_group+0x13/0x20\n[86.862792]        topology_add_dev+0x1d/0x30\n[86.862806]        cpuhp_invoke_callback+0x4b5/0x850\n[86.862822]        cpuhp_issue_call+0xbf/0x1f0\n[86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320\n[86.862852]        __cpuhp_setup_state+0xb0/0x220\n[86.862866]        topology_sysfs_init+0x30/0x50\n[86.862879]        do_one_initcall+0x60/0x3f0\n[86.862893]        kernel_init_freeable+0x3cd/0x680\n[86.862908]        kernel_init+0x1b/0x200\n[86.862921]        ret_from_fork+0x47/0x70\n[86.862934]        ret_from_fork_asm+0x1a/0x30\n[86.862947]\n-\u003e #1 (cpuhp_state_mutex){+.+.}-{3:3}:\n[86.862969]        __mutex_lock+0xaa/0xed0\n[86.862982]        mutex_lock_nested+0x1b/0x30\n[86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320\n[86.863012]        __cpuhp_setup_state+0xb0/0x220\n[86.863026]        page_alloc_init_cpuhp+0x2d/0x60\n[86.863041]        mm_core_init+0x22/0x2d0\n[86.863054]        start_kernel+0x576/0xbd0\n[86.863068]        x86_64_start_reservations+0x18/0x30\n[86.863084]        x86_64_start_kernel+0xbf/0x110\n[86.863098]        common_startup_64+0x13e/0x141\n[86.863114]\n-\u003e #0 (cpu_hotplug_lock){++++}-{0:0}:\n[86.863135]        __lock_acquire+0x16\n---truncated---",
  "id": "GHSA-gm59-gv97-mpp4",
  "modified": "2025-12-16T15:30:47Z",
  "published": "2025-12-16T15:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68244"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

