CVE-2025-68757
- Source
- https://cve.org/CVERecord?id=CVE-2025-68757
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68757.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-68757
- Aliases
- Downstream
- Published
- 2026-01-05T09:32:30.496Z
- Modified
- 2026-02-10T02:11:56.272517Z
- Summary
- drm/vgem-fence: Fix potential deadlock on release
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
drm/vgem-fence: Fix potential deadlock on release
A timer that expires a vgem fence automatically in 10 seconds is now released with timerdeletesync() from fence->ops.release() called on last dmafenceput(). In some scenarios, it can run in IRQ context, which is not safe unless TIMERIRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobjtimeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1].
[117.004338] ================================ [117.004340] WARNING: inconsistent lock state [117.004342] 6.17.0-rc7-CIDRM17270-g7644974e648c+ #1 Tainted: G S U [117.004346] -------------------------------- [117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. [117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: _timerdeletesync+0x4b/0x190 [117.004361] {HARDIRQ-ON-W} state was registered at: [117.004363] lockacquire+0xc4/0x2e0 [117.004366] calltimerfn+0x80/0x2a0 [117.004368] _runtimers+0x231/0x310 [117.004370] runtimersoftirq+0x76/0xe0 [117.004372] handlesoftirqs+0xd4/0x4d0 [117.004375] _irqexitrcu+0x13f/0x160 [117.004377] irqexitrcu+0xe/0x20 [117.004379] sysvecapictimerinterrupt+0xa0/0xc0 [117.004382] asmsysvecapictimerinterrupt+0x1b/0x20 [117.004385] cpuidleenterstate+0x12b/0x8a0 [117.004388] cpuidleenter+0x2e/0x50 [117.004393] callcpuidle+0x22/0x60 [117.004395] doidle+0x1fd/0x260 [117.004398] cpustartupentry+0x29/0x30 [117.004401] startsecondary+0x12d/0x160 [117.004404] commonstartup64+0x13e/0x141 [117.004407] irq event stamp: 2282669 [117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _rawspinunlockirqrestore+0x51/0x80 [117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvecirqwork+0x11/0xc0 [117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] _dosoftirq+0x10/0x18 [117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] _irqexitrcu+0x13f/0x160 [117.004426] other info that might help us debug this: [117.004429] Possible unsafe locking scenario: [117.004432] CPU0 [117.004433] ---- [117.004434] lock((&fence->timer)); [117.004436] <Interrupt> [117.004438] lock((&fence->timer)); [117.004440] * DEADLOCK * [117.004443] 1 lock held by swapper/0/0: [117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: calltimerfn+0x7a/0x2a0 [117.004450] stack backtrace: [117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CIDRM17270-g7644974e648c+ #1 PREEMPT(voluntary) [117.004455] Tainted: [S]=CPUOUTOFSPEC, [U]=USER [117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 [117.004456] Call Trace: [117.004456] <IRQ> [117.004457] dumpstacklvl+0x91/0xf0 [117.004460] dumpstack+0x10/0x20 [117.004461] printusagebug.part.0+0x260/0x360 [117.004463] marklock+0x76e/0x9c0 [117.004465] ? registerlockclass+0x48/0x4a0 [117.004467] _lockacquire+0xbc3/0x2860 [117.004469] lockacquire+0xc4/0x2e0 [117.004470] ? _timerdeletesync+0x4b/0x190 [117.004472] ? _timerdeletesync+0x4b/0x190 [117.004473] _timerdeletesync+0x68/0x190 [117.004474] ? _timerdeletesync+0x4b/0x190 [117.004475] timerdeletesync+0x10/0x20 [117.004476] vgemfencerelease+0x19/0x30 [vgem] [117.004478] dmafencerelease+0xc1/0x3b0 [117.004480] ? dmafencerelease+0xa1/0x3b0 [117.004481] dmafencechainrelease+0xe7/0x130 [117.004483] dmafencerelease+0xc1/0x3b0 [117.004484] ? rawspinunlockirqrestore+0x27/0x80 [117.004485] dmafencechainirqwork+0x59/0x80 [117.004487] irqworksingle+0x75/0xa0 [117.004490] irqworkr ---truncated---
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68757.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a
- https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54
- https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba
- https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3
- https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0
- https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e
- https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f
- https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68757.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-68757
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4077798484459a2eced2050045099a466ecb618aFixed37289a18099fc7ce916933bd542926a7334791a3Fixed489b2158aec92a3fc256d70992416869f86e16e0Fixed1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25aFixed9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0Fixed338e388c0d80ffc04963b6b0ec702ffdfd2c4ebaFixed4f335cb8fad69b2be5accf0ebac3a8b345915f4eFixed1f0ca9d3e7c38a39f1f12377c24decf0bba46e54Fixed78b4d6463e9e69e5103f98b367f8984ad12cdc6f
Affected versions
v4.*
v5.*
v6.*
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced4.8.0Fixed5.10.248
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.198
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.160
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.120
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.63
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.17.13
- Type
- ECOSYSTEM
- Events
-
Introduced6.18.0Fixed6.18.2