{"id":"AZL-73551","summary":"CVE-2025-38520 affecting package kernel 5.15.200.1-1","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Don't call mmput from MMU notifier callback\n\nIf the process is exiting, the mmput inside mmu notifier callback from\ncompactd or fork or numa balancing could release the last reference\nof mm struct to call exit_mmap and free_pgtable, this triggers deadlock\nwith below backtrace.\n\nThe deadlock will leak kfd process as mmu notifier release is not called\nand cause VRAM leaking.\n\nThe fix is to take mm reference mmget_non_zero when adding prange to the\ndeferred list to pair with mmput in deferred list work.\n\nIf prange split and add into pchild list, the pchild work_item.mm is not\nused, so remove the mm parameter from svm_range_unmap_split and\nsvm_range_add_child.\n\nThe backtrace of hung task:\n\n INFO: task python:348105 blocked for more than 64512 seconds.\n Call Trace:\n  __schedule+0x1c3/0x550\n  schedule+0x46/0xb0\n  rwsem_down_write_slowpath+0x24b/0x4c0\n  unlink_anon_vmas+0xb1/0x1c0\n  free_pgtables+0xa9/0x130\n  exit_mmap+0xbc/0x1a0\n  mmput+0x5a/0x140\n  svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu]\n  mn_itree_invalidate+0x72/0xc0\n  __mmu_notifier_invalidate_range_start+0x48/0x60\n  try_to_unmap_one+0x10fa/0x1400\n  rmap_walk_anon+0x196/0x460\n  try_to_unmap+0xbb/0x210\n  migrate_page_unmap+0x54d/0x7e0\n  migrate_pages_batch+0x1c3/0xae0\n  migrate_pages_sync+0x98/0x240\n  migrate_pages+0x25c/0x520\n  compact_zone+0x29d/0x590\n  compact_zone_order+0xb6/0xf0\n  try_to_compact_pages+0xbe/0x220\n  __alloc_pages_direct_compact+0x96/0x1a0\n  __alloc_pages_slowpath+0x410/0x930\n  __alloc_pages_nodemask+0x3a9/0x3e0\n  do_huge_pmd_anonymous_page+0xd7/0x3e0\n  __handle_mm_fault+0x5e3/0x5f0\n  handle_mm_fault+0xf7/0x2e0\n  hmm_vma_fault.isra.0+0x4d/0xa0\n  walk_pmd_range.isra.0+0xa8/0x310\n  walk_pud_range+0x167/0x240\n  walk_pgd_range+0x55/0x100\n  __walk_page_range+0x87/0x90\n  walk_page_range+0xf6/0x160\n  hmm_range_fault+0x4f/0x90\n  amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu]\n  amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu]\n  init_user_pages+0xb1/0x2a0 [amdgpu]\n  amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu]\n  kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu]\n  kfd_ioctl+0x29d/0x500 [amdgpu]\n\n(cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7)","modified":"2026-04-01T05:22:18.246859Z","published":"2025-08-16T11:15:45Z","upstream":["CVE-2025-38520"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38520"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"5.15.200.1-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-73551.json"}}],"schema_version":"1.7.5"}