CVE-2025-38520

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/08/2025
Last modified: 07/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Don't call mmput from MMU notifier callback

If the process is exiting, the mmput inside mmu notifier callback from
compactd or fork or numa balancing could release the last reference
of mm struct to call exit_mmap and free_pgtable, this triggers deadlock
with below backtrace.

The deadlock will leak kfd process as mmu notifier release is not called
and cause VRAM leaking.

The fix is to take mm reference mmget_non_zero when adding prange to the
deferred list to pair with mmput in deferred list work.

If prange split and add into pchild list, the pchild work_item.mm is not
used, so remove the mm parameter from svm_range_unmap_split and
svm_range_add_child.

The backtrace of hung task:

    INFO: task python:348105 blocked for more than 64512 seconds.
    Call Trace:
    __schedule+0x1c3/0x550
    schedule+0x46/0xb0
    rwsem_down_write_slowpath+0x24b/0x4c0
    unlink_anon_vmas+0xb1/0x1c0
    free_pgtables+0xa9/0x130
    exit_mmap+0xbc/0x1a0
    mmput+0x5a/0x140
    svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]
    mn_itree_invalidate+0x72/0xc0
    __mmu_notifier_invalidate_range_start+0x48/0x60
    try_to_unmap_one+0x10fa/0x1400
    rmap_walk_anon+0x196/0x460
    try_to_unmap+0xbb/0x210
    migrate_page_unmap+0x54d/0x7e0
    migrate_pages_batch+0x1c3/0xae0
    migrate_pages_sync+0x98/0x240
    migrate_pages+0x25c/0x520
    compact_zone+0x29d/0x590
    compact_zone_order+0xb6/0xf0
    try_to_compact_pages+0xbe/0x220
    __alloc_pages_direct_compact+0x96/0x1a0
    __alloc_pages_slowpath+0x410/0x930
    __alloc_pages_nodemask+0x3a9/0x3e0
    do_huge_pmd_anonymous_page+0xd7/0x3e0
    __handle_mm_fault+0x5e3/0x5f0
    handle_mm_fault+0xf7/0x2e0
    hmm_vma_fault.isra.0+0x4d/0xa0
    walk_pmd_range.isra.0+0xa8/0x310
    walk_pud_range+0x167/0x240
    walk_pgd_range+0x55/0x100
    __walk_page_range+0x87/0x90
    walk_page_range+0xf6/0x160
    hmm_range_fault+0x4f/0x90
    amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]
    amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]
    init_user_pages+0xb1/0x2a0 [amdgpu]
    amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]
    kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]
    kfd_ioctl+0x29d/0x500 [amdgpu]

(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)
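The backtrace gives this hang a recognisable log signature: a hung-task report in which mmput is called directly from svm_range_cpu_invalidate_pagetables. The following Python is an added example, not part of the advisory or the kernel patch; it scans kernel log lines for that frame pair, and its function names and the second report in the sample are constructed for illustration.

```python
import re

HUNG = re.compile(r"INFO: task (\S+):(\d+) blocked for more than (\d+) seconds")
FRAME = re.compile(r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
CALLEE, CALLER = "mmput", "svm_range_cpu_invalidate_pagetables"

def hung_task_reports(lines):
    """Return (task, pid, seconds, frames) per hung-task report, innermost frame first."""
    reports, cur = [], None
    for line in lines:
        m, f = HUNG.search(line), FRAME.search(line)
        if m:                          # a new report starts here
            cur = (m.group(1), int(m.group(2)), int(m.group(3)), [])
            reports.append(cur)
        elif cur and f:
            if not f.group(1):         # skip "? sym" entries: unreliable stack guesses
                cur[3].append(f.group(2))
        elif cur and cur[3]:           # first non-frame line after the trace ends it
            cur = None
    return reports

def matches_signature(frames):
    """True when mmput was called directly from the amdgpu SVM notifier callback."""
    return any(a == CALLEE and b == CALLER for a, b in zip(frames, frames[1:]))

def find_hangs(lines):
    """Return (task, pid, blocked_seconds) for every report matching the signature."""
    return [(t, p, s) for t, p, s, fr in hung_task_reports(lines)
            if matches_signature(fr)]

# Sample input: the first report is an excerpt of the backtrace in the
# description; the second report is constructed to show a non-matching hang.
SAMPLE = """\
INFO: task python:348105 blocked for more than 64512 seconds.
Call Trace:
 free_pgtables+0xa9/0x130
 exit_mmap+0xbc/0x1a0
 mmput+0x5a/0x140
 svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]
 mn_itree_invalidate+0x72/0xc0
INFO: task kworker/3:1:912 blocked for more than 120 seconds.
Call Trace:
 ? constructed_frame+0x10/0x20
 schedule+0x46/0xb0
 io_schedule+0x12/0x40
""".splitlines()
```

A match only says the log shows this call pattern; whether the running kernel is in scope is still decided by the version ranges listed below.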

Vulnerable products and versions

CPE                                           From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.15.49 (including)  5.16 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.18.6 (including)   5.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.19.1 (including)   6.1.148 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.2 (including)      6.6.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)      6.12.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.13 (including)     6.15.7 (excluding)
cpe:2.3:o:linux:linux_kernel:5.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.19:rc8:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*