CVE-2025-38102

In the Linux kernel, the following vulnerability has been resolved:

VMCI: fix race between vmcihostsetupnotify and vmcictxunsetnotify

During our test, it is found that a warning can be trigger in trygrabfolio as follow:

------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 trygrabfolio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:trygrabfolio+0x106/0x130 Call Trace: <TASK> followhugepmd+0x240/0x8e0 followpmdmask.constprop.0.isra.0+0x40b/0x5c0 followpudmask.constprop.0.isra.0+0x14a/0x170 followpagemask+0x1c2/0x1f0 _getuserpages+0x176/0x950 _guplongtermlocked+0x15b/0x1060 ? gupfast+0x120/0x1f0 gupfastfallback+0x17e/0x230 getuserpagesfast+0x5f/0x80 vmcihostunlocked_ioctl+0x21c/0xf80 RIP: 0033:0x54d2cd ---[ end trace 0000000000000000 ]---

Digging into the source, context->notifypage may init by getuserpagesfast and can be seen in vmcictxunsetnotify which will try to putpage. However getuserpagesfast is not finished here and lead to following trygrab_folio warning. The race condition is shown as follow:

cpu0 cpu1 vmcihostdosetnotify vmcihostsetupnotify getuserpagesfast(uva, 1, FOLLWRITE, &context->notifypage); locklesspagesfrommm guppgdrange guphugepmd // update &context->notifypage vmcihostdosetnotify vmcictxunsetnotify notifypage = context->notifypage; if (notifypage) putpage(notifypage); // page is freed _guplongtermlocked _getuserpages followtranshugepmd trygrab_folio // warn here

To slove this, use local variable page to make notifypage can be seen after finish getuserpagesfast.