CVE-2025-68244

In the Linux kernel, the following vulnerability has been resolved:

drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD

On completion of i915vmapinww(), a synchronous variant of dmafenceworkcommit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stopmachine() is then called from intelggttbindvma(), that can potentially lead to lock inversion among reservationww and cpuhotplug locks.

[86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CIDRM16515-gca0305cadc2d+ #1 Tainted: G U [86.861226] ------------------------------------------------------ [86.861238] i915moduleloa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpuhotpluglock){++++}-{0:0}, at: stopmachine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservationwwclassmutex){+.+.}-{3:3}, at: i915vmapin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. [86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservationwwclassmutex){+.+.}-{3:3}: [86.862292] dmaresvlockdep+0x19a/0x390 [86.862315] dooneinitcall+0x60/0x3f0 [86.862334] kernelinitfreeable+0x3cd/0x680 [86.862353] kernelinit+0x1b/0x200 [86.862369] retfromfork+0x47/0x70 [86.862383] retfromforkasm+0x1a/0x30 [86.862399] -> #4 (reservationwwclassacquire){+.+.}-{0:0}: [86.862425] dmaresvlockdep+0x178/0x390 [86.862440] dooneinitcall+0x60/0x3f0 [86.862454] kernelinitfreeable+0x3cd/0x680 [86.862470] kernelinit+0x1b/0x200 [86.862482] retfromfork+0x47/0x70 [86.862495] retfromforkasm+0x1a/0x30 [86.862509] -> #3 (&mm->mmaplock){++++}-{3:3}: [86.862531] downreadkillable+0x46/0x1e0 [86.862546] lockmmandfindvma+0xa2/0x280 [86.862561] douseraddrfault+0x266/0x8e0 [86.862578] excpagefault+0x8a/0x2f0 [86.862593] asmexcpagefault+0x27/0x30 [86.862607] filldir64+0xeb/0x180 [86.862620] kernfsfopreaddir+0x118/0x480 [86.862635] iteratedir+0xcf/0x2b0 [86.862648] __x64sysgetdents64+0x84/0x140 [86.862661] x64_syscall+0x1058/0x2660 [86.862675] dosyscall64+0x91/0xe90 [86.862689] entrySYSCALL64afterhwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfsrwsem){++++}-{3:3}: [86.862725] downwrite+0x3e/0xf0 [86.862738] kernfsaddone+0x30/0x3c0 [86.862751] kernfscreatedirns+0x53/0xb0 [86.862765] internalcreategroup+0x134/0x4c0 [86.862779] sysfscreategroup+0x13/0x20 [86.862792] topologyadddev+0x1d/0x30 [86.862806] cpuhpinvokecallback+0x4b5/0x850 [86.862822] cpuhpissuecall+0xbf/0x1f0 [86.862836] __cpuhpsetupstate_cpuslocked+0x111/0x320 [86.862852] __cpuhpsetupstate+0xb0/0x220 [86.862866] topologysysfsinit+0x30/0x50 [86.862879] dooneinitcall+0x60/0x3f0 [86.862893] kernelinitfreeable+0x3cd/0x680 [86.862908] kernelinit+0x1b/0x200 [86.862921] retfromfork+0x47/0x70 [86.862934] retfromforkasm+0x1a/0x30 [86.862947] -> #1 (cpuhpstatemutex){+.+.}-{3:3}: [86.862969] __mutexlock+0xaa/0xed0 [86.862982] mutexlock_nested+0x1b/0x30 [86.862995] __cpuhpsetupstate_cpuslocked+0x67/0x320 [86.863012] __cpuhpsetupstate+0xb0/0x220 [86.863026] pageallocinitcpuhp+0x2d/0x60 [86.863041] mmcoreinit+0x22/0x2d0 [86.863054] startkernel+0x576/0xbd0 [86.863068] x8664startreservations+0x18/0x30 [86.863084] x8664startkernel+0xbf/0x110 [86.863098] commonstartup64+0x13e/0x141 [86.863114] -> #0 (cpuhotpluglock){++++}-{0:0}: [86.863135] _lockacquire+0x16 ---truncated---