2420424 – (CVE-2025-40340) CVE-2025-40340 kernel: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test

Bug 2420424 (CVE-2025-40340) - CVE-2025-40340 kernel: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test

Summary: CVE-2025-40340 kernel: drm/xe: Fix oops in xe_gem_fault when running core_hot...

Keywords:
Status:	NEW
Alias:	CVE-2025-40340
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-09 05:02 UTC by OSIDB Bzimport
Modified:	2025-12-09 23:10 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-09 05:02:27 UTC

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.

I saw an oops in xe_gem_fault when running the xe-fast-feedback
testlist against the realtime kernel without debug options enabled.

The panic happens after core_hotunplug unbind-rebind finishes.
Presumably what happens is that a process mmaps, unlocks because
of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,
causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since
there was nothing left to populate, and then oopses in
"mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource
is NULL.

It's convoluted, but fits the data and explains the oops after
the test exits.

Comment 1 Alexander B 2025-12-09 12:41:06 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120912-CVE-2025-40340-4d41@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.