CVE-2025-38102 Information
Description
In the Linux kernel the following vulnerability has been resolved:
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
During our test it is found that a warning can be trigger in try_grab_folio as follow:
————[ cut here ]————
WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130
Modules linked in:
CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 163 PREEMPT(undef)
RIP: 0010:try_grab_folio+0x106/0x130
Call Trace:
Digging into the source context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follow:
cpu0 cpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva 1 FOLL_WRITE &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd // update &context->notify_page vmci_host_do_set_notify vmci_ctx_unset_notify notify_page = context->notify_page; if (notify_page) put_page(notify_page); // page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here
To slove this use local variable page to make notify_page can be seen after finish get_user_pages_fast.
Reference
https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4 https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774 https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4 https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9 https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043
Related CNNVD
CNNVD-202507-191 (Published: 2025-07-03)
Share on: