CVE-2025-68757

Source
https://cve.org/CVERecord?id=CVE-2025-68757
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68757.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-68757
Published
2026-01-05T09:32:30.496Z
Modified
2026-03-20T12:46:28.170062Z
Summary
drm/vgem-fence: Fix potential deadlock on release
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/vgem-fence: Fix potential deadlock on release

A timer that expires a vgem fence automatically in 10 seconds is now released with timer_delete_sync() from fence->ops.release() called on last dma_fence_put(). In some scenarios, it can run in IRQ context, which is not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobj_timeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1].

[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426] other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440] *** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450] stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irqworkr ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68757.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4077798484459a2eced2050045099a466ecb618a
Fixed
37289a18099fc7ce916933bd542926a7334791a3
Fixed
489b2158aec92a3fc256d70992416869f86e16e0
Fixed
1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a
Fixed
9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0
Fixed
338e388c0d80ffc04963b6b0ec702ffdfd2c4eba
Fixed
4f335cb8fad69b2be5accf0ebac3a8b345915f4e
Fixed
1f0ca9d3e7c38a39f1f12377c24decf0bba46e54
Fixed
78b4d6463e9e69e5103f98b367f8984ad12cdc6f

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68757.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
5.10.248
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.198
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.160
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.120
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.63
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.13
Type
ECOSYSTEM
Events
Introduced
6.18.0
Fixed
6.18.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68757.json"