CVE-2025-37907: 
Linux Kernel vulnerability analysis and mitigation

A deadlock vulnerability (CVE-2025-37907) was identified in the Linux kernel's accel/ivpu component, specifically in the ivpujobsubmit function. The vulnerability was discovered and disclosed on May 20, 2025, affecting the job submission and abort handling processes in the Linux kernel (NVD, Wiz).

The vulnerability stems from a race condition in the locking mechanism between job submission and abort handling threads. When a thread aborts executing jobs due to a fault, it locks the global lock protecting submittedjobs (#1) first, then releases the context and locks filepriv (#2). Simultaneously, the job submission thread takes the filepriv lock (#2) first, followed by the submittedjobs lock (#1) when adding a job to the submitted jobs list. This inconsistent locking order creates a deadlock scenario. The vulnerability has been assigned a CVSS 3.1 score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Red Hat).

The deadlock condition can cause the affected system to become unresponsive during job submission and abort handling processes, potentially impacting system stability and availability (Wiz).

The issue has been resolved by changing the order of locking in the ivpujobsubmit function. Users are advised to update to the patched version of the Linux kernel that includes this fix (NVD).