2407335 – (CVE-2025-40086) CVE-2025-40086 kernel: drm/xe: Don't allow evicting of BOs in same VM in array of VM binds

Bug 2407335 (CVE-2025-40086) - CVE-2025-40086 kernel: drm/xe: Don't allow evicting of BOs in same VM in array of VM binds

Summary: CVE-2025-40086 kernel: drm/xe: Don't allow evicting of BOs in same VM in arra...

Keywords:
Status:	NEW
Alias:	CVE-2025-40086
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-30 10:02 UTC by OSIDB Bzimport
Modified:	2025-10-30 16:38 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-30 10:02:16 UTC

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Don't allow evicting of BOs in same VM in array of VM binds

An array of VM binds can potentially evict other buffer objects (BOs)
within the same VM under certain conditions, which may lead to NULL
pointer dereferences later in the bind pipeline. To prevent this, clear
the allow_res_evict flag in the xe_bo_validate call.

v2:
 - Invert polarity of no_res_evict (Thomas)
 - Add comment in code explaining issue (Thomas)

(cherry picked from commit 8b9ba8d6d95fe75fed6b0480bb03da4b321bea08)

Comment 1 Jon Moroney 2025-10-30 16:36:07 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025103013-CVE-2025-40086-f0f7@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.