ghsa-3jgj-55q7-3rwv
Vulnerability from github
Published
2025-09-17 15:30
Modified
2025-09-17 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/sched: Check scheduler work queue before calling timeout handling

During an IGT GPU reset test we see again oops despite of commit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling timeout handling).

It uses ready condition whether to call drm_sched_fault which unwind the TDR leads to GPU reset. However it looks the ready condition is overloaded with other meanings, for example, for the following stack is related GPU reset :

0 gfx_v9_0_cp_gfx_start 1 gfx_v9_0_cp_gfx_resume 2 gfx_v9_0_cp_resume 3 gfx_v9_0_hw_init 4 gfx_v9_0_resume 5 amdgpu_device_ip_resume_phase2

does the following: / start the ring / gfx_v9_0_cp_gfx_start(adev); ring->sched.ready = true;

The same approach is for other ASICs as well : gfx_v8_0_cp_gfx_resume gfx_v10_0_kiq_resume, etc...

As a result, our GPU reset test causes GPU fault which calls unconditionally gfx_v9_0_fault and then drm_sched_fault. However now it depends on whether the interrupt service routine drm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed which sets the ready field of the scheduler to true even for uninitialized schedulers and causes oops vs no fault or when ISR drm_sched_fault is completed prior gfx_v9_0_cp_gfx_start and NULL pointer dereference does not occur.

Use the field timeout_wq to prevent oops for uninitialized schedulers. The field could be initialized by the work queue of resetting the domain.

v1: Corrections to commit message (Luben)

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53351"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-17T15:15:39Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Check scheduler work queue before calling timeout handling\n\nDuring an IGT GPU reset test we see again oops despite of\ncommit 0c8c901aaaebc9 (drm/sched: Check scheduler ready before calling\ntimeout handling).\n\nIt uses ready condition whether to call drm_sched_fault which unwind\nthe TDR leads to GPU reset.\nHowever it looks the ready condition is overloaded with other meanings,\nfor example, for the following stack is related GPU reset :\n\n0  gfx_v9_0_cp_gfx_start\n1  gfx_v9_0_cp_gfx_resume\n2  gfx_v9_0_cp_resume\n3  gfx_v9_0_hw_init\n4  gfx_v9_0_resume\n5  amdgpu_device_ip_resume_phase2\n\ndoes the following:\n\t/* start the ring */\n\tgfx_v9_0_cp_gfx_start(adev);\n\tring-\u003esched.ready = true;\n\nThe same approach is for other ASICs as well :\ngfx_v8_0_cp_gfx_resume\ngfx_v10_0_kiq_resume, etc...\n\nAs a result, our GPU reset test causes GPU fault which calls unconditionally gfx_v9_0_fault\nand then drm_sched_fault. However now it depends on whether the interrupt service routine\ndrm_sched_fault is executed after gfx_v9_0_cp_gfx_start is completed which sets the ready\nfield of the scheduler to true even  for uninitialized schedulers and causes oops vs\nno fault or when ISR  drm_sched_fault is completed prior  gfx_v9_0_cp_gfx_start and\nNULL pointer dereference does not occur.\n\nUse the field timeout_wq  to prevent oops for uninitialized schedulers.\nThe field could be initialized by the work queue of resetting the domain.\n\nv1: Corrections to commit message (Luben)",
  "id": "GHSA-3jgj-55q7-3rwv",
  "modified": "2025-09-17T15:30:38Z",
  "published": "2025-09-17T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53351"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2da5bffe9eaa5819a868e8eaaa11b3fd0f16a691"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c43a96fc00b662cef1ef0eb22d40441ce2abae8f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.