{"id":"CVE-2025-68757","summary":"drm/vgem-fence: Fix potential deadlock on release","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put().  In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used.  One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S   U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((&fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363]   lock_acquire+0xc4/0x2e0\n[117.004366]   call_timer_fn+0x80/0x2a0\n[117.004368]   __run_timers+0x231/0x310\n[117.004370]   run_timer_softirq+0x76/0xe0\n[117.004372]   handle_softirqs+0xd4/0x4d0\n[117.004375]   __irq_exit_rcu+0x13f/0x160\n[117.004377]   irq_exit_rcu+0xe/0x20\n[117.004379]   sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382]   asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385]   cpuidle_enter_state+0x12b/0x8a0\n[117.004388]   cpuidle_enter+0x2e/0x50\n[117.004393]   call_cpuidle+0x22/0x60\n[117.004395]   do_idle+0x1fd/0x260\n[117.004398]   cpu_startup_entry+0x29/0x30\n[117.004401]   start_secondary+0x12d/0x160\n[117.004404]   common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last  enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last  enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429]  Possible unsafe locking scenario:\n[117.004432]        CPU0\n[117.004433]        ----\n[117.004434]   lock((&fence-\u003etimer));\n[117.004436]   \u003cInterrupt\u003e\n[117.004438]     lock((&fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445]  #0: ffffc90000003d50 ((&fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S   U              6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456]  \u003cIRQ\u003e\n[117.004457]  dump_stack_lvl+0x91/0xf0\n[117.004460]  dump_stack+0x10/0x20\n[117.004461]  print_usage_bug.part.0+0x260/0x360\n[117.004463]  mark_lock+0x76e/0x9c0\n[117.004465]  ? register_lock_class+0x48/0x4a0\n[117.004467]  __lock_acquire+0xbc3/0x2860\n[117.004469]  lock_acquire+0xc4/0x2e0\n[117.004470]  ? __timer_delete_sync+0x4b/0x190\n[117.004472]  ? __timer_delete_sync+0x4b/0x190\n[117.004473]  __timer_delete_sync+0x68/0x190\n[117.004474]  ? __timer_delete_sync+0x4b/0x190\n[117.004475]  timer_delete_sync+0x10/0x20\n[117.004476]  vgem_fence_release+0x19/0x30 [vgem]\n[117.004478]  dma_fence_release+0xc1/0x3b0\n[117.004480]  ? dma_fence_release+0xa1/0x3b0\n[117.004481]  dma_fence_chain_release+0xe7/0x130\n[117.004483]  dma_fence_release+0xc1/0x3b0\n[117.004484]  ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485]  dma_fence_chain_irq_work+0x59/0x80\n[117.004487]  irq_work_single+0x75/0xa0\n[117.004490]  irq_work_r\n---truncated---","modified":"2026-03-31T17:29:58.401816Z","published":"2026-01-05T09:32:30.496Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0473-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:10039-1","openSUSE-SU-2026:10301-1","openSUSE-SU-2026:20145-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68757.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"},{"type":"WEB","url":"https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68757.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68757"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4077798484459a2eced2050045099a466ecb618a"},{"fixed":"37289a18099fc7ce916933bd542926a7334791a3"},{"fixed":"489b2158aec92a3fc256d70992416869f86e16e0"},{"fixed":"1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"},{"fixed":"9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"},{"fixed":"338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"},{"fixed":"4f335cb8fad69b2be5accf0ebac3a8b345915f4e"},{"fixed":"1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"},{"fixed":"78b4d6463e9e69e5103f98b367f8984ad12cdc6f"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68757.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.8.0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.63"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.13"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.18.0"},{"fixed":"6.18.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68757.json"}}],"schema_version":"1.7.5"}