Bug 2424894 (CVE-2025-68730)

Summary: CVE-2025-68730 kernel: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A use-after-free vulnerability was found in the Intel VPU (Vision Processing Unit) accelerator driver in the Linux kernel. When buffer object creation fails inside drm_gem_shmem_create(), the partially created buffer object is added to vdev->bo_list but the cleanup callback ivpu_gem_bo_free() is never called. This leaves a dangling pointer on the list, causing a page fault when ivpu_bo_unbind_all_bos_from_context() later traverses the list.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-24 11:04:18 UTC 
In the Linux kernel, the following vulnerability has been resolved:

accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context()

Don't add BO to the vdev->bo_list in ivpu_gem_create_object().
When failure happens inside drm_gem_shmem_create(), the BO is not
fully created and ivpu_gem_bo_free() callback will not be called
causing a deleted BO to be left on the list.
Comment 1 Vipul Nair 2025-12-24 12:10:09 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025122406-CVE-2025-68730-c272@gregkh/T