Bug 2394631 (CVE-2025-39741) - CVE-2025-39741 kernel: drm/xe/migrate: don't overflow max copy size
Summary: CVE-2025-39741 kernel: drm/xe/migrate: don't overflow max copy size
Keywords:
Status: NEW
Alias: CVE-2025-39741
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-11 17:03 UTC by OSIDB Bzimport
Modified: 2025-11-26 08:26 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-11 17:03:34 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/migrate: don't overflow max copy size

With non-page aligned copy, we need to use 4 byte aligned pitch, however
the size itself might still be close to our maximum of ~8M, and so the
dimensions of the copy can easily exceed the S16_MAX limit of the copy
command leading to the following assert:

xe 0000:03:00.0: [drm] Assertion `size / pitch <= ((s16)(((u16)~0U) >> 1))` failed!
platform: BATTLEMAGE subplatform: 1
graphics: Xe2_HPG 20.01 step A0
media: Xe2_HPM 13.01 step A1
tile: 0 VRAM 10.0 GiB
GT: 0 type 1

WARNING: CPU: 23 PID: 10605 at drivers/gpu/drm/xe/xe_migrate.c:673 emit_copy+0x4b5/0x4e0 [xe]

To fix this account for the pitch when calculating the number of current
bytes to copy.

(cherry picked from commit 8c2d61e0e916e077fda7e7b8e67f25ffe0f361fc)
Comment 1 Jon Moroney 2025-09-11 19:13:14 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091138-CVE-2025-39741-8730@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.