CVE-2025-38355

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/07/2025
Last modified:
18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Process deferred GGTT node removals on device unwind

While we are indirectly draining our dedicated workqueue ggtt->wq
that we use to complete asynchronous removal of some GGTT nodes,
this happens as part of the managed-drm unwinding (ggtt_fini_early),
which could be later than managed-device unwinding, where we could
already unmap our MMIO/GSM mapping (mmio_fini).

This was recently observed during unsuccessful VF initialization:

[ ] xe 0000:00:02.1: probe with driver xe failed with error -62
[ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 __xe_bo_unpin_map_no_vm (16 bytes)
[ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 __xe_bo_unpin_map_no_vm (16 bytes)
[ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 __xe_bo_unpin_map_no_vm (16 bytes)
[ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tiles_fini (16 bytes)
[ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmio_fini (16 bytes)
[ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xe_bo_pinned_fini (16 bytes)
[ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devm_drm_dev_init_release (16 bytes)
[ ] xe 0000:00:02.1: [drm:drm_managed_release] drmres release begin
[ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef81640 __fini_relay (8 bytes)
[ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80d40 guc_ct_fini (8 bytes)
[ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80040 __drmm_mutex_release (8 bytes)
[ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80140 ggtt_fini_early (8 bytes)

and this was leading to:

[ ] BUG: unable to handle page fault for address: ffffc900058162a0
[ ] #PF: supervisor write access in kernel mode
[ ] #PF: error_code(0x0002) - not-present page
[ ] Oops: Oops: 0002 [#1] SMP NOPTI
[ ] Tainted: [W]=WARN
[ ] Workqueue: xe-ggtt-wq ggtt_node_remove_work_func [xe]
[ ] RIP: 0010:xe_ggtt_set_pte+0x6d/0x350 [xe]
[ ] Call Trace:
[ ]
[ ] xe_ggtt_clear+0xb0/0x270 [xe]
[ ] ggtt_node_remove+0xbb/0x120 [xe]
[ ] ggtt_node_remove_work_func+0x30/0x50 [xe]
[ ] process_one_work+0x22b/0x6f0
[ ] worker_thread+0x1e8/0x3d

Add managed-device action that will explicitly drain the workqueue
with all pending node removals prior to releasing MMIO/GSM mapping.

(cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391)
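
The unwind ordering described above, as an added user-space model (not kernel code and not the xe driver's patch). The struct, the list helpers, ggtt_fini_devm and simulate_unwind are hypothetical names, and registering the drain action after the MMIO mapping is an assumption made so that reverse-order release runs it before mmio_fini.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the failed-probe unwind; names are hypothetical stand-ins. */
struct dev_model {
    bool mmio_mapped; /* is the MMIO/GSM mapping still valid? */
    int pending;      /* deferred GGTT node removals queued on the workqueue */
    int faults;       /* removals that wrote PTEs after the unmap */
};
typedef void (*action_fn)(struct dev_model *);
struct action_list { action_fn fn[8]; int n; };

static void add_action(struct action_list *l, action_fn fn) { l->fn[l->n++] = fn; }

/* Release actions in reverse registration order, as managed resources are. */
static void release_all(struct action_list *l, struct dev_model *d)
{
    while (l->n)
        l->fn[--l->n](d);
}

/* Draining runs every queued removal; each one writes PTEs through the mapping. */
static void drain_wq(struct dev_model *d)
{
    for (; d->pending; d->pending--)
        if (!d->mmio_mapped)
            d->faults++; /* in the kernel: the page fault in xe_ggtt_set_pte */
}
static void mmio_fini(struct dev_model *d)       { d->mmio_mapped = false; }
static void ggtt_fini_early(struct dev_model *d) { drain_wq(d); }
static void ggtt_fini_devm(struct dev_model *d)  { drain_wq(d); } /* models the added action */

/* Returns how many queued removals ran against an already unmapped GSM. */
int simulate_unwind(bool with_fix, int queued)
{
    struct dev_model d = { .mmio_mapped = true, .pending = queued };
    struct action_list devm = {0}, drmm = {0};
    add_action(&devm, mmio_fini);          /* mapping is set up first */
    add_action(&drmm, ggtt_fini_early);    /* drains the wq, but only at drm unwind */
    if (with_fix)
        add_action(&devm, ggtt_fini_devm); /* assumption: registered later, so released earlier */
    release_all(&devm, &d); /* managed-device unwind runs first (DEVRES REL lines) */
    release_all(&drmm, &d); /* managed-drm unwind follows (drmres release) */
    return d.faults;
}

int main(void)
{
    printf("unfixed: %d late removals, fixed: %d\n",
           simulate_unwind(false, 3), simulate_unwind(true, 3));
    return 0;
}
```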

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.36 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.15.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*