Bug 2395800 (CVE-2025-39811)

Summary: CVE-2025-39811 kernel: Linux kernel: Denial of service in drm/xe/vm due to improper error handling
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically within the xe/vm module. A local user could exploit improper error handling when clearing the scratch_pt pointer in the xe_vm_free_scratch() function. This could lead to a dereference of an error pointer during cleanup, potentially causing a system crash and resulting in a denial of service (DoS).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-16 14:03:22 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/vm: Clear the scratch_pt pointer on error

Avoid triggering a dereference of an error pointer on cleanup in
xe_vm_free_scratch() by clearing any scratch_pt error pointer.

(cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)
Comment 1 Keith Grant 2025-09-16 15:48:39 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091614-CVE-2025-39811-535b@gregkh/T