CVE-2025-21939 in Linuxinfo

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/hmm: Don't dereference struct page pointers without notifier lock

The pnfs that we obtain from hmm_range_fault() point to pages that we don't have a reference on, and the guarantee that they are still in the cpu page-tables is that the notifier lock must be held and the notifier seqno is still valid.

So while building the sg table and marking the pages accesses / dirty we need to hold this lock with a validated seqno.

However, the lock is reclaim tainted which makes sg_alloc_table_from_pages_segment() unusable, since it internally allocates memory.

Instead build the sg-table manually. For the non-iommu case this might lead to fewer coalesces, but if that's a problem it can be fixed up later in the resource cursor code. For the iommu case, the whole sg-table may still be coalesced to a single contigous device va region.

This avoids marking pages that we don't own dirty and accessed, and it also avoid dereferencing struct pages that we don't own.

v2: - Use assert to check whether hmm pfns are valid (Matthew Auld) - Take into account that large pages may cross range boundaries (Matthew Auld)

v3: - Don't unnecessarily check for a non-freed sg-table. (Matthew Auld) - Add a missing up_read() in an error path. (Matthew Auld)

(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/01/2026

This vulnerability exists within the Linux kernel's graphics subsystem, specifically in the x86 graphics driver implementation under the direct render manager framework. The issue manifests in the handling of memory management operations involving the hardware memory management unit and the page fault notification mechanisms. The flaw occurs when processing page fault notifications through the hmm_range_fault() function, which provides page number identifiers that lack proper reference counting and ownership guarantees. This vulnerability falls under the category of improper locking mechanisms and memory safety issues, aligning with CWE-362 for concurrent execution using lock and unlock operations and CWE-416 for use after free errors.

The technical implementation flaw stems from the improper handling of struct page pointers during scatter-gather table construction operations. When the driver attempts to build scatter-gather tables for memory regions, it directly dereferences page pointers without maintaining proper lock acquisition. The system relies on the notifier lock to ensure that pages remain valid and accessible within CPU page tables, but the current implementation fails to maintain this lock properly during the critical section where page access and dirty state modifications occur. This creates a race condition where pages can be freed or moved while the driver attempts to mark them as accessed or dirty, leading to potential memory corruption and system instability.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially enable privilege escalation and denial of service conditions within graphics processing contexts. Attackers could exploit this flaw by triggering specific page fault sequences that cause the kernel to dereference freed or invalid page structures, potentially leading to kernel crashes or unauthorized memory access patterns. The vulnerability specifically affects systems utilizing the Intel graphics hardware management subsystem and could be leveraged in scenarios involving GPU memory management operations, making it particularly concerning for server and workstation environments where graphics processing is intensive. The issue also impacts the integrity of memory tracking mechanisms that are crucial for proper resource management in graphics drivers.

Mitigation strategies focus on implementing proper lock management and avoiding direct page pointer dereferencing without proper ownership validation. The patch resolves this by manually constructing scatter-gather tables instead of relying on the problematic sg_alloc_table_from_pages_segment() function that cannot operate correctly with reclaim-tainted locks. This approach ensures that proper lock acquisition occurs before any page manipulation operations, preventing the use of invalid page pointers. Additionally, the fix includes validation checks for page frame numbers and proper error handling with missing lock releases. The solution maintains compatibility with both iommu and non-iommu configurations while ensuring that memory management operations remain safe and consistent. Security best practices recommend applying this patch immediately to all systems running affected kernel versions, particularly those with graphics-intensive workloads. The fix aligns with ATT&CK technique T1068 for exploit for privilege escalation and addresses memory safety concerns that could be exploited in kernel exploitation frameworks.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00187

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!