CVE-2025-40340
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.
I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.
The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in "mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource is NULL.
It's convoluted, but fits the data and explains the oops after the test exits.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | dd08ebf6c3525a7ea2186e636df064ea47281987 < 99428bd6123d5676209dfb1d7a8f176cc830b665 | affected |
| Linux | Linux | dd08ebf6c3525a7ea2186e636df064ea47281987 < 29a3064f9c5a908aaf0b39cd6ed30374db11840d | affected |
| Linux | Linux | dd08ebf6c3525a7ea2186e636df064ea47281987 < 1cda3c755bb7770be07d75949bb0f45fb88651f6 | affected |
| Linux | Linux | 6.8 | affected |
| Linux | Linux | 0 < 6.8 | unaffected |
| Linux | Linux | 6.12.58 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.8 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665
- https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d
- https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.