CVE-2025-38102

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify<br /> <br /> During our test, it is found that a warning can be trigger in try_grab_folio<br /> as follow:<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)<br /> RIP: 0010:try_grab_folio+0x106/0x130<br /> Call Trace:<br /> <br /> follow_huge_pmd+0x240/0x8e0<br /> follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0<br /> follow_pud_mask.constprop.0.isra.0+0x14a/0x170<br /> follow_page_mask+0x1c2/0x1f0<br /> __get_user_pages+0x176/0x950<br /> __gup_longterm_locked+0x15b/0x1060<br /> ? gup_fast+0x120/0x1f0<br /> gup_fast_fallback+0x17e/0x230<br /> get_user_pages_fast+0x5f/0x80<br /> vmci_host_unlocked_ioctl+0x21c/0xf80<br /> RIP: 0033:0x54d2cd<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Digging into the source, context-&gt;notify_page may init by get_user_pages_fast<br /> and can be seen in vmci_ctx_unset_notify which will try to put_page. However<br /> get_user_pages_fast is not finished here and lead to following<br /> try_grab_folio warning. The race condition is shown as follow:<br /> <br /> cpu0 cpu1<br /> vmci_host_do_set_notify<br /> vmci_host_setup_notify<br /> get_user_pages_fast(uva, 1, FOLL_WRITE, &amp;context-&gt;notify_page);<br /> lockless_pages_from_mm<br /> gup_pgd_range<br /> gup_huge_pmd // update &amp;context-&gt;notify_page<br /> vmci_host_do_set_notify<br /> vmci_ctx_unset_notify<br /> notify_page = context-&gt;notify_page;<br /> if (notify_page)<br /> put_page(notify_page); // page is freed<br /> __gup_longterm_locked<br /> __get_user_pages<br /> follow_trans_huge_pmd<br /> try_grab_folio // warn here<br /> <br /> To slove this, use local variable page to make notify_page can be seen<br /> after finish get_user_pages_fast.