{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38102", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.985Z", "datePublished": "2025-07-03T08:35:12.255Z", "dateUpdated": "2025-07-28T04:12:16.696Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-07-28T04:12:16.696Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n Modules linked in:\n CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n RIP: 0010:try_grab_folio+0x106/0x130\n Call Trace:\n <TASK>\n follow_huge_pmd+0x240/0x8e0\n follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n follow_page_mask+0x1c2/0x1f0\n __get_user_pages+0x176/0x950\n __gup_longterm_locked+0x15b/0x1060\n ? gup_fast+0x120/0x1f0\n gup_fast_fallback+0x17e/0x230\n get_user_pages_fast+0x5f/0x80\n vmci_host_unlocked_ioctl+0x21c/0xf80\n RIP: 0033:0x54d2cd\n ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context->notify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd // update &context->notify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context->notify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/vmw_vmci/vmci_host.c"], "versions": [{"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "74095bbbb19ca74a0368d857603a2438c88ca86c", "status": "affected", "versionType": "git"}, {"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "468aec888f838ce5174b96e0cb4396790d6f60ca", "status": "affected", "versionType": "git"}, {"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "b4209e4b778e4e57d0636e1c9fc07a924dbc6043", "status": "affected", "versionType": "git"}, {"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "58a90db70aa6616411e5f69d1982d9b1dd97d774", "status": "affected", "versionType": "git"}, {"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "6e3af836805ed1d7a699f76ec798626198917aa4", "status": "affected", "versionType": "git"}, {"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "00ddc7dad55b7bbb78df80d6e174d0c4764dea0c", "status": "affected", "versionType": "git"}, {"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "75b5313c80c39a26d27cbb602f968a05576c36f9", "status": "affected", "versionType": "git"}, {"version": "a1d88436d53a75e950db15834b3d2f8c0c358fdc", "lessThan": "1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/vmw_vmci/vmci_host.c"], "versions": [{"version": "4.0", "status": "affected"}, {"version": "0", "lessThan": "4.0", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.296", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.240", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.186", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.142", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.94", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.34", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.3", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "5.4.296"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "5.10.240"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "5.15.186"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.1.142"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.6.94"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.12.34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.15.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "6.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c"}, {"url": "https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca"}, {"url": "https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043"}, {"url": "https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774"}, {"url": "https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4"}, {"url": "https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c"}, {"url": "https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9"}, {"url": "https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4"}], "title": "VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\n Modules linked in:\n CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\n RIP: 0010:try_grab_folio+0x106/0x130\n Call Trace:\n <TASK>\n follow_huge_pmd+0x240/0x8e0\n follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\n follow_pud_mask.constprop.0.isra.0+0x14a/0x170\n follow_page_mask+0x1c2/0x1f0\n __get_user_pages+0x176/0x950\n __gup_longterm_locked+0x15b/0x1060\n ? gup_fast+0x120/0x1f0\n gup_fast_fallback+0x17e/0x230\n get_user_pages_fast+0x5f/0x80\n vmci_host_unlocked_ioctl+0x21c/0xf80\n RIP: 0033:0x54d2cd\n ---[ end trace 0000000000000000 ]---\n\nDigging into the source, context->notify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\n\ncpu0\t\t\tcpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd // update &context->notify_page\n\t\t\tvmci_host_do_set_notify\n\t\t\tvmci_ctx_unset_notify\n\t\t\tnotify_page = context->notify_page;\n\t\t\tif (notify_page)\n\t\t\tput_page(notify_page);\t// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\n\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: VMCI: corregir la ejecuci\u00f3n entre vmci_host_setup_notify y vmci_ctx_unset_notify Durante nuestra prueba, se encontr\u00f3 que se puede activar una advertencia en try_grab_folio de la siguiente manera: ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 0 PID: 1678 en mm/gup.c:147 try_grab_folio+0x106/0x130 M\u00f3dulos vinculados: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 No contaminado 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Rastreo de llamadas: follow_huge_pmd+0x240/0x8e0 follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0 follow_pud_mask.constprop.0.isra.0+0x14a/0x170 follow_page_mask+0x1c2/0x1f0 __get_user_pages+0x176/0x950 __gup_longterm_locked+0x15b/0x1060 ? gup_fast+0x120/0x1f0 gup_fast_fallback+0x17e/0x230 get_user_pages_fast+0x5f/0x80 vmci_host_unlocked_ioctl+0x21c/0xf80 RIP: 0033:0x54d2cd ---[ fin del seguimiento 000000000000000 ]--- Al analizar el c\u00f3digo fuente, es posible que context-&gt;notify_page se inicialice mediante get_user_pages_fast, lo que se puede observar en vmci_ctx_unset_notify, que intentar\u00e1 ejecutar put_page. Sin embargo, get_user_pages_fast no ha finalizado y genera la siguiente advertencia try_grab_folio. La condici\u00f3n de ejecuci\u00f3n se muestra de la siguiente manera: cpu0 cpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &amp;context-&gt;notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd // actualizar &amp;context-&gt;notify_page vmci_host_do_set_notify vmci_ctx_unset_notify notify_page = context-&gt;notify_page; if (notify_page) put_page(notify_page); // la p\u00e1gina est\u00e1 liberada __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // advertir aqu\u00ed Para solucionar esto, use la variable local page para hacer que notify_page se pueda ver despu\u00e9s de finalizar get_user_pages_fast."}], "id": "CVE-2025-38102", "lastModified": "2025-07-17T17:15:36.687", "metrics": {}, "published": "2025-07-03T09:15:23.710", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/00ddc7dad55b7bbb78df80d6e174d0c4764dea0c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1bd6406fb5f36c2bb1e96e27d4c3e9f4d09edde4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/468aec888f838ce5174b96e0cb4396790d6f60ca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/58a90db70aa6616411e5f69d1982d9b1dd97d774"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e3af836805ed1d7a699f76ec798626198917aa4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/74095bbbb19ca74a0368d857603a2438c88ca86c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/75b5313c80c39a26d27cbb602f968a05576c36f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b4209e4b778e4e57d0636e1c9fc07a924dbc6043"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify", "id": "2376095", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376095"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nVMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\nDuring our test, it is found that a warning can be trigger in try_grab_folio\nas follow:\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130\nModules linked in:\nCPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef)\nRIP: 0010:try_grab_folio+0x106/0x130\nCall Trace:\n<TASK>\nfollow_huge_pmd+0x240/0x8e0\nfollow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0\nfollow_pud_mask.constprop.0.isra.0+0x14a/0x170\nfollow_page_mask+0x1c2/0x1f0\n__get_user_pages+0x176/0x950\n__gup_longterm_locked+0x15b/0x1060\n? gup_fast+0x120/0x1f0\ngup_fast_fallback+0x17e/0x230\nget_user_pages_fast+0x5f/0x80\nvmci_host_unlocked_ioctl+0x21c/0xf80\nRIP: 0033:0x54d2cd\n---[ end trace 0000000000000000 ]---\nDigging into the source, context->notify_page may init by get_user_pages_fast\nand can be seen in vmci_ctx_unset_notify which will try to put_page. However\nget_user_pages_fast is not finished here and lead to following\ntry_grab_folio warning. The race condition is shown as follow:\ncpu0cpu1\nvmci_host_do_set_notify\nvmci_host_setup_notify\nget_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page);\nlockless_pages_from_mm\ngup_pgd_range\ngup_huge_pmd // update &context->notify_page\nvmci_host_do_set_notify\nvmci_ctx_unset_notify\nnotify_page = context->notify_page;\nif (notify_page)\nput_page(notify_page);// page is freed\n__gup_longterm_locked\n__get_user_pages\nfollow_trans_huge_pmd\ntry_grab_folio // warn here\nTo slove this, use local variable page to make notify_page can be seen\nafter finish get_user_pages_fast."], "name": "CVE-2025-38102", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38102\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38102\nhttps://lore.kernel.org/linux-cve-announce/2025070321-CVE-2025-38102-d592@gregkh/T"], "threat_severity": "Moderate"}