{"id":68255,"date":"2025-08-16T15:31:51","date_gmt":"2025-08-16T12:01:51","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2025-38520-amdgpu-linux-kernel-deadlock-vulnerability\/"},"modified":"2025-08-16T15:31:51","modified_gmt":"2025-08-16T12:01:51","slug":"cve-2025-38520-amdgpu-linux-kernel-deadlock-vulnerability","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2025-38520-amdgpu-linux-kernel-deadlock-vulnerability\/","title":{"rendered":"CVE-2025-38520 &#8211; AMDGPU Linux Kernel Deadlock Vulnerability"},"content":{"rendered":"<p><strong>CVE ID : <\/strong>CVE-2025-38520<br \/>\n<br \/>\n<strong>Published : <\/strong> Aug. 16, 2025, 11:15 a.m. | 45\u00a0minutes ago<br \/>\n<br \/>\n<strong>Description : <\/strong>In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>drm\/amdkfd: Don&#8217;t call mmput from MMU notifier callback<\/p>\n<p>If the process is exiting, the mmput inside mmu notifier callback from<br \/>\ncompactd or fork or numa balancing could release the last reference<br \/>\nof mm struct to call exit_mmap and free_pgtable, this triggers deadlock<br \/>\nwith below backtrace.<\/p>\n<p>The deadlock will leak kfd process as mmu notifier release is not called<br \/>\nand cause VRAM leaking.<\/p>\n<p>The fix is to take mm reference mmget_non_zero when adding prange to the<br \/>\ndeferred list to pair with mmput in deferred list work.<\/p>\n<p>If prange split and add into pchild list, the pchild work_item.mm is not<br \/>\nused, so remove the mm parameter from svm_range_unmap_split and<br \/>\nsvm_range_add_child.<\/p>\n<p>The backtrace of hung task:<\/p>\n<p> INFO: task python:348105 blocked for more than 64512 seconds.<br \/>\n Call Trace:<br \/>\n  __schedule+0x1c3\/0x550<br \/>\n  schedule+0x46\/0xb0<br \/>\n  rwsem_down_write_slowpath+0x24b\/0x4c0<br \/>\n  unlink_anon_vmas+0xb1\/0x1c0<br \/>\n  free_pgtables+0xa9\/0x130<br \/>\n  exit_mmap+0xbc\/0x1a0<br \/>\n  mmput+0x5a\/0x140<br \/>\n  svm_range_cpu_invalidate_pagetables+0x2b\/0x40 [amdgpu]\n  mn_itree_invalidate+0x72\/0xc0<br \/>\n  __mmu_notifier_invalidate_range_start+0x48\/0x60<br \/>\n  try_to_unmap_one+0x10fa\/0x1400<br \/>\n  rmap_walk_anon+0x196\/0x460<br \/>\n  try_to_unmap+0xbb\/0x210<br \/>\n  migrate_page_unmap+0x54d\/0x7e0<br \/>\n  migrate_pages_batch+0x1c3\/0xae0<br \/>\n  migrate_pages_sync+0x98\/0x240<br \/>\n  migrate_pages+0x25c\/0x520<br \/>\n  compact_zone+0x29d\/0x590<br \/>\n  compact_zone_order+0xb6\/0xf0<br \/>\n  try_to_compact_pages+0xbe\/0x220<br \/>\n  __alloc_pages_direct_compact+0x96\/0x1a0<br \/>\n  __alloc_pages_slowpath+0x410\/0x930<br \/>\n  __alloc_pages_nodemask+0x3a9\/0x3e0<br \/>\n  do_huge_pmd_anonymous_page+0xd7\/0x3e0<br \/>\n  __handle_mm_fault+0x5e3\/0x5f0<br \/>\n  handle_mm_fault+0xf7\/0x2e0<br \/>\n  hmm_vma_fault.isra.0+0x4d\/0xa0<br \/>\n  walk_pmd_range.isra.0+0xa8\/0x310<br \/>\n  walk_pud_range+0x167\/0x240<br \/>\n  walk_pgd_range+0x55\/0x100<br \/>\n  __walk_page_range+0x87\/0x90<br \/>\n  walk_page_range+0xf6\/0x160<br \/>\n  hmm_range_fault+0x4f\/0x90<br \/>\n  amdgpu_hmm_range_get_pages+0x123\/0x230 [amdgpu]\n  amdgpu_ttm_tt_get_user_pages+0xb1\/0x150 [amdgpu]\n  init_user_pages+0xb1\/0x2a0 [amdgpu]\n  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543\/0x7d0 [amdgpu]\n  kfd_ioctl_alloc_memory_of_gpu+0x24c\/0x4e0 [amdgpu]\n  kfd_ioctl+0x29d\/0x500 [amdgpu]\n<p>(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)<br \/>\n<br \/>\n<strong>Severity:<\/strong> 0.0 | NA<br \/>\n<br \/>\nVisit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2025-38520 Published : Aug. 16, 2025, 11:15 a.m. | 45\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: drm\/amdkfd: Don&#8217;t call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-68255","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/68255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=68255"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/68255\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=68255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=68255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=68255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}