Bug 2373359 (CVE-2025-38036)

Summary: CVE-2025-38036 kernel: Linux kernel: Denial of Service due to null pointer dereference in GT MMIO initialization for VFs
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel. Improper initialization of the Graphics Translation (GT) Memory-Mapped Input/Output (MMIO) during early setup for Virtual Functions (VFs) can lead to a null pointer dereference. A local attacker with low privileges could exploit this by attempting to use Graphics micro-controller (GuC) functions, causing a system crash and resulting in a Denial of Service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-06-18 10:03:26 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/vf: Perform early GT MMIO initialization to read GMDID

VFs need to communicate with the GuC to obtain the GMDID value
and existing GuC functions used for that assume that the GT has
it's MMIO members already setup. However, due to recent refactoring
the gt->mmio is initialized later, and any attempt by the VF to use
xe_mmio_read|write() from GuC functions will lead to NPD crash due
to unset MMIO register address:

[] xe 0000:00:02.1: [drm] Running in SR-IOV VF mode
[] xe 0000:00:02.1: [drm] GT0: sending H2G MMIO 0x5507
[] BUG: unable to handle page fault for address: 0000000000190240

Since we are already tweaking the id and type of the primary GT to
mimic it's a Media GT before initializing the GuC communication,
we can also call xe_gt_mmio_init() to perform early setup of the
gt->mmio which will make those GuC functions work again.
Comment 1 Avinash Hanwate 2025-06-20 18:40:30 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061826-CVE-2025-38036-0063@gregkh/T