CVE-2023-54098 (GCVE-0-2023-54098)
Vulnerability from cvelistv5
Published
2025-12-24 13:06
Modified
2025-12-24 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/gvt: fix gvt debugfs destroy
When gvt debug fs is destroyed, need to have a sane check if drm
minor's debugfs root is still available or not, otherwise in case like
device remove through unbinding, drm minor's debugfs directory has
already been removed, then intel_gvt_debugfs_clean() would act upon
dangling pointer like below oops.
i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2
i915 0000:00:02.0: MDEV: Registered
Console: switching to colour dummy device 80x25
i915 0000:00:02.0: MDEV: Unregistering
BUG: kernel NULL pointer dereference, address: 00000000000000a0
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15
Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020
RIP: 0010:down_write+0x1f/0x90
Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01
RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000
RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8
RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0
R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0
FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0
Call Trace:
<TASK>
simple_recursive_removal+0x9f/0x2a0
? start_creating.part.0+0x120/0x120
? _raw_spin_lock+0x13/0x40
debugfs_remove+0x40/0x60
intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]
intel_gvt_clean_device+0x49/0xe0 [kvmgt]
intel_gvt_driver_remove+0x2f/0xb0
i915_driver_remove+0xa4/0xf0
i915_pci_remove+0x1a/0x30
pci_device_remove+0x33/0xa0
device_release_driver_internal+0x1b2/0x230
unbind_store+0xe0/0x110
kernfs_fop_write_iter+0x11b/0x1f0
vfs_write+0x203/0x3d0
ksys_write+0x63/0xe0
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6947cb5190
Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190
RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001
RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0
</TASK>
Modules linked in: kvmgt
CR2: 00000000000000a0
---[ end trace 0000000000000000 ]---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bb7c7b2c89d2feb347b6f9bffc1c75987adb1048",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "ae9a61511736cc71a99f01e8b7b90f6fb6128ed8",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "b85c8536fda3d1ed07c6d87a661ffe18d6eb214b",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "fe340500baf84b6531c9fc508b167525b9bf6446",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
},
{
"lessThan": "c4b850d1f448a901fbf4f7f36dec38c84009b489",
"status": "affected",
"version": "bc7b0be316aebac42eb9e8e54c984609555944da",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gvt/debugfs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.163",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.87",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.19",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.5",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gvt: fix gvt debugfs destroy\n\nWhen gvt debug fs is destroyed, need to have a sane check if drm\nminor\u0027s debugfs root is still available or not, otherwise in case like\ndevice remove through unbinding, drm minor\u0027s debugfs directory has\nalready been removed, then intel_gvt_debugfs_clean() would act upon\ndangling pointer like below oops.\n\ni915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2\ni915 0000:00:02.0: MDEV: Registered\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nBUG: kernel NULL pointer dereference, address: 00000000000000a0\nPGD 0 P4D 0\nOops: 0002 [#1] PREEMPT SMP PTI\nCPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15\nHardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020\nRIP: 0010:down_write+0x1f/0x90\nCode: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 \u003cf0\u003e 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01\nRSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000\nRDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8\nRBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0\nR10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0\nFS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0\nCall Trace:\n \u003cTASK\u003e\n simple_recursive_removal+0x9f/0x2a0\n ? start_creating.part.0+0x120/0x120\n ? _raw_spin_lock+0x13/0x40\n debugfs_remove+0x40/0x60\n intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]\n intel_gvt_clean_device+0x49/0xe0 [kvmgt]\n intel_gvt_driver_remove+0x2f/0xb0\n i915_driver_remove+0xa4/0xf0\n i915_pci_remove+0x1a/0x30\n pci_device_remove+0x33/0xa0\n device_release_driver_internal+0x1b2/0x230\n unbind_store+0xe0/0x110\n kernfs_fop_write_iter+0x11b/0x1f0\n vfs_write+0x203/0x3d0\n ksys_write+0x63/0xe0\n do_syscall_64+0x37/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f6947cb5190\nCode: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\nRSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190\nRDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001\nRBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001\nR13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0\n \u003c/TASK\u003e\nModules linked in: kvmgt\nCR2: 00000000000000a0\n---[ end trace 0000000000000000 ]---"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:25.197Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bb7c7b2c89d2feb347b6f9bffc1c75987adb1048"
},
{
"url": "https://git.kernel.org/stable/c/ae9a61511736cc71a99f01e8b7b90f6fb6128ed8"
},
{
"url": "https://git.kernel.org/stable/c/b85c8536fda3d1ed07c6d87a661ffe18d6eb214b"
},
{
"url": "https://git.kernel.org/stable/c/fe340500baf84b6531c9fc508b167525b9bf6446"
},
{
"url": "https://git.kernel.org/stable/c/c4b850d1f448a901fbf4f7f36dec38c84009b489"
}
],
"title": "drm/i915/gvt: fix gvt debugfs destroy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54098",
"datePublished": "2025-12-24T13:06:25.197Z",
"dateReserved": "2025-12-24T13:02:52.516Z",
"dateUpdated": "2025-12-24T13:06:25.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54098\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:11.687\",\"lastModified\":\"2025-12-24T13:16:11.687\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gvt: fix gvt debugfs destroy\\n\\nWhen gvt debug fs is destroyed, need to have a sane check if drm\\nminor\u0027s debugfs root is still available or not, otherwise in case like\\ndevice remove through unbinding, drm minor\u0027s debugfs directory has\\nalready been removed, then intel_gvt_debugfs_clean() would act upon\\ndangling pointer like below oops.\\n\\ni915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2\\ni915 0000:00:02.0: MDEV: Registered\\nConsole: switching to colour dummy device 80x25\\ni915 0000:00:02.0: MDEV: Unregistering\\nBUG: kernel NULL pointer dereference, address: 00000000000000a0\\nPGD 0 P4D 0\\nOops: 0002 [#1] PREEMPT SMP PTI\\nCPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15\\nHardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020\\nRIP: 0010:down_write+0x1f/0x90\\nCode: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 \u003cf0\u003e 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01\\nRSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246\\nRAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000\\nRDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8\\nRBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0\\nR10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000\\nR13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0\\nFS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000\\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\nCR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0\\nCall Trace:\\n \u003cTASK\u003e\\n simple_recursive_removal+0x9f/0x2a0\\n ? start_creating.part.0+0x120/0x120\\n ? _raw_spin_lock+0x13/0x40\\n debugfs_remove+0x40/0x60\\n intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]\\n intel_gvt_clean_device+0x49/0xe0 [kvmgt]\\n intel_gvt_driver_remove+0x2f/0xb0\\n i915_driver_remove+0xa4/0xf0\\n i915_pci_remove+0x1a/0x30\\n pci_device_remove+0x33/0xa0\\n device_release_driver_internal+0x1b2/0x230\\n unbind_store+0xe0/0x110\\n kernfs_fop_write_iter+0x11b/0x1f0\\n vfs_write+0x203/0x3d0\\n ksys_write+0x63/0xe0\\n do_syscall_64+0x37/0x90\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\nRIP: 0033:0x7f6947cb5190\\nCode: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89\\nRSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190\\nRDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001\\nRBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c\\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001\\nR13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0\\n \u003c/TASK\u003e\\nModules linked in: kvmgt\\nCR2: 00000000000000a0\\n---[ end trace 0000000000000000 ]---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ae9a61511736cc71a99f01e8b7b90f6fb6128ed8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b85c8536fda3d1ed07c6d87a661ffe18d6eb214b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bb7c7b2c89d2feb347b6f9bffc1c75987adb1048\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c4b850d1f448a901fbf4f7f36dec38c84009b489\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fe340500baf84b6531c9fc508b167525b9bf6446\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…