ghsa-v9hw-4wx3-7mqf
Vulnerability from github
Published
2025-11-12 12:30
Modified
2025-11-12 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/guc: Check GuC running state before deregistering exec queue

In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.

In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.

Here is the failure dmesg log: " [ 468.089581] ---[ end trace 0000000000000000 ]--- [ 468.089608] pci 0000:03:00.0: [drm] ERROR GT0: GUC ID manager unclean (1/65535) [ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535 [ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1 [ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1) [ 468.092716] ------------[ cut here ]------------ [ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] "

v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled(). As CT may go down and come back during VF migration.

(cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40166"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T11:15:46Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Check GuC running state before deregistering exec queue\n\nIn normal operation, a registered exec queue is disabled and\nderegistered through the GuC, and freed only after the GuC confirms\ncompletion. However, if the driver is forced to unbind while the exec\nqueue is still running, the user may call exec_destroy() after the GuC\nhas already been stopped and CT communication disabled.\n\nIn this case, the driver cannot receive a response from the GuC,\npreventing proper cleanup of exec queue resources. Fix this by directly\nreleasing the resources when GuC is not running.\n\nHere is the failure dmesg log:\n\"\n[  468.089581] ---[ end trace 0000000000000000 ]---\n[  468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535)\n[  468.090558] pci 0000:03:00.0: [drm] GT0:     total 65535\n[  468.090562] pci 0000:03:00.0: [drm] GT0:     used 1\n[  468.090564] pci 0000:03:00.0: [drm] GT0:     range 1..1 (1)\n[  468.092716] ------------[ cut here ]------------\n[  468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe]\n\"\n\nv2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled().\n    As CT may go down and come back during VF migration.\n\n(cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)",
  "id": "GHSA-v9hw-4wx3-7mqf",
  "modified": "2025-11-12T12:30:28Z",
  "published": "2025-11-12T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40166"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c6e5904c5bdbac8e0eadee40f70c42bb83f6dc6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f64b3cd051b825de0a2a9f145c8e003200cedd5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa708415566bbe5361c935645107319f8edc8dc1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.