{"id":"CVE-2025-38102","summary":"VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n  RIP: 0010:try_grab_folio+0x106/0x130\n  Call Trace:\n   \u003cTASK\u003e\n   follow_huge_pmd+0x240/0x8e0\n   follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n   follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n   follow_page_mask+0x1c2/0x1f0\n   __get_user_pages+0x176/0x950\n   __gup_longterm_locked+0x15b/0x1060\n   ? gup_fast+0x120/0x1f0\n   gup_fast_fallback+0x17e/0x230\n   get_user_pages_fast+0x5f/0x80\n   vmci_host_unlocked_ioctl+0x21c/0xf80\n  RIP: 0033:0x54d2cd\n  ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context-\u003enotify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, &context-\u003enotify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd  // update &context-\u003enotify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context-\u003enotify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast.","modified":"2026-04-16T04:34:18.492974901Z","published":"2025-07-03T08:35:12.255Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:03204-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38102.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38102.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38102"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a1d88436d53a75e950db15834b3d2f8c0c358fdc"},{"fixed":"74095bbbb19ca74a0368d857603a2438c88ca86c"},{"fixed":"468aec888f838ce5174b96e0cb4396790d6f60ca"},{"fixed":"b4209e4b778e4e57d0636e1c9fc07a924dbc6043"},{"fixed":"58a90db70aa6616411e5f69d1982d9b1dd97d774"},{"fixed":"6e3af836805ed1d7a699f76ec798626198917aa4"},{"fixed":"00ddc7dad55b7bbb78df80d6e174d0c4764dea0c"},{"fixed":"75b5313c80c39a26d27cbb602f968a05576c36f9"},{"fixed":"1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38102.json"}}],"schema_version":"1.7.5"}