CVE-2025-38355

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-38355
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38355.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38355
Downstream
Related
Published
2025-07-25T12:47:26.994Z
Modified
2026-03-12T23:53:32.726433Z
Summary
drm/xe: Process deferred GGTT node removals on device unwind
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Process deferred GGTT node removals on device unwind

While we are indirectly draining our dedicated workqueue ggtt->wq that we use to complete asynchronous removal of some GGTT nodes, this happends as part of the managed-drm unwinding (ggttfiniearly), which could be later then manage-device unwinding, where we could already unmap our MMIO/GMS mapping (mmio_fini).

This was recently observed during unsuccessful VF initialization:

[ ] xe 0000:00:02.1: probe with driver xe failed with error -62 [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 __xebounpin_mapnovm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 __xebounpin_mapnovm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 __xebounpinmapnovm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tilesfini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmiofini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xebopinnedfini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devmdrmdevinitrelease (16 bytes) [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] drmres release begin [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] REL ffff88810ef81640 __finirelay (8 bytes) [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] REL ffff88810ef80d40 gucctfini (8 bytes) [ ] xe 0000:00:02.1: [drm:drmmanaged_release] REL ffff88810ef80040 __drmmmutexrelease (8 bytes) [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] REL ffff88810ef80140 ggttfiniearly (8 bytes)

and this was leading to:

[ ] BUG: unable to handle page fault for address: ffffc900058162a0 [ ] #PF: supervisor write access in kernel mode [ ] #PF: errorcode(0x0002) - not-present page [ ] Oops: Oops: 0002 [#1] SMP NOPTI [ ] Tainted: [W]=WARN [ ] Workqueue: xe-ggtt-wq ggttnoderemoveworkfunc [xe] [ ] RIP: 0010:xeggttsetpte+0x6d/0x350 [xe] [ ] Call Trace: [ ] <TASK> [ ] xeggttclear+0xb0/0x270 [xe] [ ] ggttnoderemove+0xbb/0x120 [xe] [ ] ggttnoderemoveworkfunc+0x30/0x50 [xe] [ ] processonework+0x22b/0x6f0 [ ] worker_thread+0x1e8/0x3d

Add managed-device action that will explicitly drain the workqueue with all pending node removals prior to releasing MMIO/GSM mapping.

(cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391)

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38355.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
919bb54e989c1edef87e9797be125c94c450fc65
Fixed
1b12f8dabbb8fd7d5a2611dd7bc5982ffbc2e5df
Fixed
5ab4eba9b26a93605b4f2f2b688d6ba818d7331d
Fixed
af2b588abe006bd55ddd358c4c3b87523349c475

Affected versions

v6.*
v6.11
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.16-rc1
v6.16-rc2
v6.16-rc3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38355.json"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "target": {
            "file": "drivers/gpu/drm/xe/xe_ggtt.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@af2b588abe006bd55ddd358c4c3b87523349c475",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "295177655665725633170357159158902790355",
                "336673590086021051726966769637023179650",
                "207231565624150831007337556411052259956",
                "53756765938848325554004731046062317590",
                "285205593278208128456090975790636271286",
                "223227390271160031851061255249450883578"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-38355-1cff2c7a",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "drivers/gpu/drm/xe/xe_ggtt.c",
            "function": "xe_ggtt_init_early"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@af2b588abe006bd55ddd358c4c3b87523349c475",
        "deprecated": false,
        "digest": {
            "function_hash": "20068412872657286044848881337965949396",
            "length": 1295.0
        },
        "id": "CVE-2025-38355-3930f3ad",
        "signature_type": "Function"
    }
]