CVE-2025-40340
- Source
- https://cve.org/CVERecord?id=CVE-2025-40340
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40340.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-40340
- Downstream
- Published
- 2025-12-09T04:09:57.059Z
- Modified
- 2025-12-20T19:54:35.016768Z
- Summary
- drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix oops in xegemfault when running core_hotunplug test.
I saw an oops in xegemfault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.
The panic happens after corehotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULTFLAGRETRYNOWAIT logic, has no process memory left, causing ttmbovmdummypage() to return VMFAULTNOPAGE, since there was nothing left to populate, and then oopses in "memtypeisvram(tbo->resource->memtype)" because tbo->resource is NULL.
It's convoluted, but fits the data and explains the oops after the test exits.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40340.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6
- https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d
- https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40340.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-40340
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceddd08ebf6c3525a7ea2186e636df064ea47281987Fixed99428bd6123d5676209dfb1d7a8f176cc830b665Fixed29a3064f9c5a908aaf0b39cd6ed30374db11840dFixed1cda3c755bb7770be07d75949bb0f45fb88651f6
Affected versions
v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.54
v6.12.55
v6.12.56
v6.12.57
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.17.3
v6.17.4
v6.17.5
v6.17.6
v6.17.7
v6.7
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7