CVE-2025-37868

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 09/05/2025
Last modified: 12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/userptr: fix notifier vs folio deadlock

User is reporting what smells like notifier vs folio deadlock, where migrate_pages_batch() on core kernel side is holding folio lock(s) and then interacting with the mappings of it, however those mappings are tied to some userptr, which means calling into the notifier callback and grabbing the notifier lock. With perfect timing it looks possible that the pages we pulled from the hmm fault can get sniped by migrate_pages_batch() at the same time that we are holding the notifier lock to mark the pages as accessed/dirty, but at this point we also want to grab the folio locks(s) to mark them as dirty, but if they are contended from notifier/migrate_pages_batch side then we deadlock since folio lock won't be dropped until we drop the notifier lock.

Fortunately the mark_page_accessed/dirty is not really needed in the first place it seems and should have already been done by hmm fault, so just remove it.

(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)
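The lock-order inversion described above can be checked with a small lock-order graph. This is an added example, not code from the kernel or from the fix commit: a simplified user-space model in which the lock class names `FOLIO` and `NOTIFIER` and all function names are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model: lock classes named after the two locks in the description. */
enum { FOLIO, NOTIFIER, NLOCKS };
/* edge[a][b] set means "b was acquired while a was held". */
typedef struct { int edge[NLOCKS][NLOCKS]; } lock_graph;

/* Record the ordering edges implied by one path's acquisition sequence. */
static void record_path(lock_graph *g, const int *seq, int n)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            g->edge[seq[i]][seq[j]] = 1;
}

/* Depth-first search: is `to` reachable from `from` along recorded edges? */
static int reaches(const lock_graph *g, int from, int to, int *seen)
{
    if (from == to) return 1;
    seen[from] = 1;
    for (int k = 0; k < NLOCKS; k++)
        if (g->edge[from][k] && !seen[k] && reaches(g, k, to, seen)) return 1;
    return 0;
}

/* An inversion exists if some edge a->b has a return route b->...->a. */
static int has_inversion(const lock_graph *g)
{
    for (int a = 0; a < NLOCKS; a++)
        for (int b = 0; b < NLOCKS; b++) {
            int seen[NLOCKS] = {0};
            if (a != b && g->edge[a][b] && reaches(g, b, a, seen)) return 1;
        }
    return 0;
}

/* Combine the migration path with a given userptr path and test for a cycle. */
static int check(const int *userptr_seq, int n)
{
    static const int migrate[] = { FOLIO, NOTIFIER }; /* folio lock held, then notifier callback */
    lock_graph g = {0};
    record_path(&g, migrate, 2);
    record_path(&g, userptr_seq, n);
    return has_inversion(&g);
}

/* Before the fix the userptr path takes the folio lock under the notifier lock. */
int before_fix(void) { const int s[] = { NOTIFIER, FOLIO }; return check(s, 2); }
/* After the fix the accessed/dirty marking is gone, so only the notifier lock is taken. */
int after_fix(void)  { const int s[] = { NOTIFIER };        return check(s, 1); }
int main(void) { printf("before=%d after=%d\n", before_fix(), after_fix()); return 0; }
```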

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12.19 (including) 6.12.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13.7 (including) 6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14.1 (including) 6.14.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*