Bug 2429059 (CVE-2025-71099)

Summary: CVE-2025-71099 kernel: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A use-after-free flaw was found in the Intel Xe graphics driver's observability architecture (OA) configuration interface. In xe_oa_add_config_ioctl(), the oa_config->id is accessed after dropping the metrics_lock. An attacker could race to remove the configuration via xe_oa_remove_config_ioctl(), freeing the structure before the id is read.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-01-13 16:03:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()

In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping
metrics_lock. Since this lock protects the lifetime of oa_config, an
attacker could guess the id and call xe_oa_remove_config_ioctl() with
perfect timing, freeing oa_config before we dereference it, leading to
a potential use-after-free.

Fix this by caching the id in a local variable while holding the lock.

v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from
  xe_oa_remove_config_ioctl()

(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
Comment 1 Jon Moroney 2026-01-15 02:54:49 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026011345-CVE-2025-71099-b6f8@gregkh/T