2391066 – (CVE-2025-38515) CVE-2025-38515 kernel: drm/sched: Increment job count before swapping tail spsc queue

Bug 2391066 (CVE-2025-38515) - CVE-2025-38515 kernel: drm/sched: Increment job count before swapping tail spsc queue

Summary: CVE-2025-38515 kernel: drm/sched: Increment job count before swapping tail sp...

Keywords:
Status:	NEW
Alias:	CVE-2025-38515
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-26 15:09 UTC by OSIDB Bzimport
Modified:	2025-08-26 15:52 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-26 15:09:41 UTC

In the Linux kernel, the following vulnerability has been resolved:

drm/sched: Increment job count before swapping tail spsc queue

A small race exists between spsc_queue_push and the run-job worker, in
which spsc_queue_push may return not-first while the run-job worker has
already idled due to the job count being zero. If this race occurs, job
scheduling stops, leading to hangs while waiting on the job’s DMA
fences.

Seal this race by incrementing the job count before appending to the
SPSC queue.

This race was observed on a drm-tip 6.16-rc1 build with the Xe driver in
an SVM test case.

Comment 1 Jon Moroney 2025-08-26 15:50:44 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025081652-CVE-2025-38515-7495@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.