CVE-2025-21939

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2025
Last modified:
01/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/hmm: Don't dereference struct page pointers without notifier lock

The pfns that we obtain from hmm_range_fault() point to pages that
we don't have a reference on, and the guarantee that they are still
in the cpu page-tables is that the notifier lock must be held and the
notifier seqno is still valid.

So while building the sg table and marking the pages accessed / dirty
we need to hold this lock with a validated seqno.

However, the lock is reclaim tainted which makes
sg_alloc_table_from_pages_segment() unusable, since it internally
allocates memory.

Instead build the sg-table manually. For the non-iommu case
this might lead to fewer coalesces, but if that's a problem it can
be fixed up later in the resource cursor code. For the iommu case,
the whole sg-table may still be coalesced to a single contiguous
device va region.

This avoids marking pages that we don't own dirty and accessed, and
it also avoids dereferencing struct pages that we don't own.

v2:
- Use assert to check whether hmm pfns are valid (Matthew Auld)
- Take into account that large pages may cross range boundaries
(Matthew Auld)

v3:
- Don't unnecessarily check for a non-freed sg-table. (Matthew Auld)
- Add a missing up_read() in an error path. (Matthew Auld)

(cherry picked from commit ea3e66d280ce2576664a862693d1da8fd324c317)
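The description above explains the invariant the fix restores: pfns returned by hmm_range_fault() carry no page reference, so the driver may only dereference the backing pages, build scatterlist entries from them, and set accessed/dirty bits while the notifier lock is held and the sequence number recorded before the fault is still current. The following userspace C model is an added example, not code from the kernel or from the xe driver; every identifier in it (mock_range_fault, mock_read_begin, mock_read_retry, build_sg_locked, build_sg_unlocked) is a hypothetical stand-in for the corresponding mmu_interval_notifier and hmm helpers, and the page table, invalidation and sg table are all simulated in a single thread. It contrasts the unsafe pattern (touching pages after an invalidation without checking the seqno) with the fixed pattern (a manual, allocation-free sg build that first validates the seqno and otherwise reports that the caller must re-fault).

```c
/* Added example: single-threaded userspace model of the notifier-seqno
 * pattern. All names are hypothetical stand-ins for kernel helpers. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NR_PAGES 4

/* Mock struct page: pfn plus the flags a driver might set on it. */
struct mock_page { uint64_t pfn; bool mapped; bool accessed; bool dirty; };

/* Mock notifier: invalidate_seq is bumped on every invalidation. The real
 * code also takes the notifier lock around the check and the page walk;
 * this model is single-threaded, so only the seqno check is shown. */
struct mock_notifier { unsigned long invalidate_seq; };

/* Mock scatterlist entry: a run of contiguous pfns. */
struct mock_sg { uint64_t start_pfn; size_t npages; };

/* Mock hmm range: the CPU page table snapshot and the seqno seen at fault. */
struct mock_range {
    struct mock_page *pages; size_t npages;
    unsigned long notifier_seq;
    uint64_t hmm_pfns[NR_PAGES];
};

/* mmu_interval_read_begin() analogue: record the seqno before faulting. */
static void mock_read_begin(struct mock_notifier *n, struct mock_range *r)
{ r->notifier_seq = n->invalidate_seq; }

/* hmm_range_fault() analogue: copy pfns out, taking no page reference. */
static int mock_range_fault(struct mock_range *r)
{
    for (size_t i = 0; i < r->npages; i++) {
        if (!r->pages[i].mapped) return -1;
        r->hmm_pfns[i] = r->pages[i].pfn;
    }
    return 0;
}

/* Invalidation side (e.g. munmap on another thread): unmap, bump seqno. */
static void mock_invalidate(struct mock_notifier *n, struct mock_range *r)
{
    for (size_t i = 0; i < r->npages; i++) r->pages[i].mapped = false;
    n->invalidate_seq++;
}

/* mmu_interval_read_retry() analogue: true if the fault results are stale. */
static bool mock_read_retry(struct mock_notifier *n, struct mock_range *r)
{ return r->notifier_seq != n->invalidate_seq; }

/* Walk pfns, coalesce contiguous runs into sg entries, mark pages.
 * No allocation, so it is safe under a reclaim-tainted lock.
 * Returns the number of sg entries, or -1 on overflow. */
static int walk_and_mark(struct mock_range *r, struct mock_sg *sg,
                         size_t max_sg, bool write)
{
    int nents = 0;
    for (size_t i = 0; i < r->npages; i++) {
        uint64_t pfn = r->hmm_pfns[i];
        if (nents && sg[nents - 1].start_pfn + sg[nents - 1].npages == pfn) {
            sg[nents - 1].npages++;
        } else {
            if ((size_t)nents == max_sg) return -1;
            sg[nents].start_pfn = pfn; sg[nents].npages = 1; nents++;
        }
        r->pages[i].accessed = true;          /* dereferences the page */
        if (write) r->pages[i].dirty = true;
    }
    return nents;
}

/* Unsafe ("before") pattern: never checks the seqno, so it marks pages the
 * driver no longer owns if an invalidation raced in after the fault. */
static int build_sg_unlocked(struct mock_range *r, struct mock_sg *sg,
                             size_t max_sg, bool write)
{ return walk_and_mark(r, sg, max_sg, write); }

/* Fixed pattern: validate the seqno first; -2 means "re-fault and retry". */
static int build_sg_locked(struct mock_notifier *n, struct mock_range *r,
                           struct mock_sg *sg, size_t max_sg, bool write)
{
    if (mock_read_retry(n, r)) return -2;
    return walk_and_mark(r, sg, max_sg, write);
}

/* Scenario driver: fault, optionally invalidate, then build with the chosen
 * pattern. Returns 1 if any page was touched after invalidation (the bug),
 * otherwise the build's return value. Pfns 100,101,102 coalesce; 200 does not. */
static int run_scenario(bool invalidate, bool use_fix)
{
    struct mock_page pages[NR_PAGES] = {
        {100, true, false, false}, {101, true, false, false},
        {102, true, false, false}, {200, true, false, false} };
    struct mock_notifier n = { 7 };
    struct mock_range r = { pages, NR_PAGES, 0, {0} };
    struct mock_sg sg[NR_PAGES];

    mock_read_begin(&n, &r);
    if (mock_range_fault(&r)) return -3;
    if (invalidate) mock_invalidate(&n, &r);
    int rc = use_fix ? build_sg_locked(&n, &r, sg, NR_PAGES, true)
                     : build_sg_unlocked(&r, sg, NR_PAGES, true);
    if (invalidate)
        for (size_t i = 0; i < NR_PAGES; i++)
            if (pages[i].accessed || pages[i].dirty) return 1;
    return rc;
}
```

Without an invalidation both patterns produce two sg entries. After an invalidation the unlocked build still dirties every page (the condition the fix removes), while the locked build returns the retry code and leaves the pages untouched; the real driver then drops the lock, re-faults and tries again.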

Impact