CVE-2025-40340

Linux Kernel 6.8-6.12.57 6.13-6.17.7 - Denial of Service via DRM/xe Fault Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled. The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in "mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource is NULL. It's convoluted, but fits the data and explains the oops after the test exits.

References (3)

Core 3

Core References

Patch

https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665

Patch

https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d

Patch

https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6

Scores

EPSS 0.0003

EPSS Percentile 8.7%

Details

Status published

Products (10)

linux/Kernel 6.13.0 - 6.17.8linux

linux/Kernel 6.8.0 - 6.12.58linux

Linux/Linux < 6.8

Linux/Linux 6.12.58 - 6.12.*

Linux/Linux 6.17.8 - 6.17.*

Linux/Linux 6.18

Linux/Linux 6.8

Linux/Linux dd08ebf6c3525a7ea2186e636df064ea47281987 - 1cda3c755bb7770be07d75949bb0f45fb88651f6

Linux/Linux dd08ebf6c3525a7ea2186e636df064ea47281987 - 29a3064f9c5a908aaf0b39cd6ed30374db11840d

Linux/Linux dd08ebf6c3525a7ea2186e636df064ea47281987 - 99428bd6123d5676209dfb1d7a8f176cc830b665

Published Dec 09, 2025

Tracked Since Feb 18, 2026