CVE-2025-68757
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 05/01/2026
Last modified: 19/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/vgem-fence: Fix potential deadlock on release

A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].

[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436]
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456]
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_r
---truncated---
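
A triage sketch for the lockdep report quoted above, added here as an example and not part of the advisory or the kernel patch: it parses an "inconsistent lock state" splat from dmesg text and flags the pattern the description names, timer_delete_sync() reached under hard-IRQ usage, along with the first module frame in the backtrace. The function name triage, the output keys and the shortened sample log are assumptions made for this example.

```python
import re

# Constructed sample: a shortened copy of the lockdep splat quoted above.
SAMPLE = """\
[117.004340] WARNING: inconsistent lock state
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004456] Call Trace:
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004487] dma_fence_chain_irq_work+0x59/0x80
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")                      # dmesg timestamp prefix
USAGE = re.compile(r"inconsistent \{([^}]+)\} -> \{([^}]+)\} usage")
LOCK = re.compile(r"\(\((.+?)\)\)\{.*?, at: ([\w.]+)\+0x")   # lock class, acquiring function
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")

def triage(dmesg):
    """Summarise a lockdep 'inconsistent lock state' report from dmesg text."""
    out = {"usage": None, "lock": None, "taken_at": None,
           "driver_frame": None, "sync_delete_in_hardirq": False}
    frames, in_trace = [], False
    for raw in dmesg.splitlines():
        line = TS.sub("", raw).strip()
        if (m := USAGE.search(line)) and out["usage"] is None:
            out["usage"] = (m.group(1), m.group(2))
        elif (m := LOCK.search(line)) and out["lock"] is None:
            out["lock"], out["taken_at"] = m.group(1), m.group(2)
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME.match(line)) and not m.group(1):
            frames.append((m.group(2), m.group(3)))   # "? " frames are unreliable, skipped
    # First frame tagged with a module name: the driver callback on the path.
    out["driver_frame"] = next((f for f in frames if f[1]), None)
    in_hardirq = bool(out["usage"]) and out["usage"][1].startswith("IN-HARDIRQ")
    out["sync_delete_in_hardirq"] = in_hardirq and any(
        name == "timer_delete_sync" for name, _ in frames)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Lockdep only emits this report on kernels built with lock debugging enabled, so an empty result on a production kernel says nothing about whether the affected code path is present.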
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a
- https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54
- https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba
- https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3
- https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0
- https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e
- https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f
- https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0



