cve/published/2025/CVE-2025-21644.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21644: drm/xe: Fix tlb invalidation when wedging

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/xe: Fix tlb invalidation when wedging

 If GuC fails to load, the driver wedges, but in the process it tries to
 do stuff that may not be initialized yet. This moves the
 xe_gt_tlb_invalidation_init() to be done earlier: as its own doc says,
 it's a software-only initialization and should had been named with the
 _early() suffix.

 Move it to be called by xe_gt_init_early(), so the locks and seqno are
 initialized, avoiding a NULL ptr deref when wedging:

 	xe 0000:03:00.0: [drm] *ERROR* GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01
 	xe 0000:03:00.0: [drm] *ERROR* GT0: firmware signature verification failed
 	xe 0000:03:00.0: [drm] *ERROR* CRITICAL: Xe has declared device 0000:03:00.0 as wedged.
 	...
 	BUG: kernel NULL pointer dereference, address: 0000000000000000
 	#PF: supervisor read access in kernel mode
 	#PF: error_code(0x0000) - not-present page
 	PGD 0 P4D 0
 	Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
 	CPU: 9 UID: 0 PID: 3908 Comm: modprobe Tainted: G     U  W          6.13.0-rc4-xe+ #3
 	Tainted: [U]=USER, [W]=WARN
 	Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DDR5 UDIMM CRB, BIOS ADLSFWI1.R00.3275.A00.2207010640 07/01/2022
 	RIP: 0010:xe_gt_tlb_invalidation_reset+0x75/0x110 [xe]

 This can be easily triggered by poking the GuC binary to force a
 signature failure. There will still be an extra message,

 	xe 0000:03:00.0: [drm] *ERROR* GT0: GuC mmio request 0x4100: no reply 0x4100

 but that's better than a NULL ptr deref.

 (cherry picked from commit 5001ef3af8f2c972d6fd9c5221a8457556f8bea6)

 The Linux kernel CVE team has assigned CVE-2025-21644 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit c9474b726b932b5d555effd9ed0ae19f4da2367c and fixed in 6.12.10 with commit 09b94ddc58c6640cbbc7775a61a5387b8be71488
 	Issue introduced in 6.11 with commit c9474b726b932b5d555effd9ed0ae19f4da2367c and fixed in 6.13 with commit 9ab4981552930a9c45682d62424ba610edc3992d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21644
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/xe/xe_gt.c
 	drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c
 	drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/09b94ddc58c6640cbbc7775a61a5387b8be71488
 	https://git.kernel.org/stable/c/9ab4981552930a9c45682d62424ba610edc3992d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21644: drm/xe: Fix tlb invalidation when wedging

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/xe: Fix tlb invalidation when wedging

	If GuC fails to load, the driver wedges, but in the process it tries to
	do stuff that may not be initialized yet. This moves the
	xe_gt_tlb_invalidation_init() to be done earlier: as its own doc says,
	it's a software-only initialization and should had been named with the
	_early() suffix.

	Move it to be called by xe_gt_init_early(), so the locks and seqno are
	initialized, avoiding a NULL ptr deref when wedging:

	xe 0000:03:00.0: [drm] ERROR GT0: load failed: status: Reset = 0, BootROM = 0x50, UKernel = 0x00, MIA = 0x00, Auth = 0x01
	xe 0000:03:00.0: [drm] ERROR GT0: firmware signature verification failed
	xe 0000:03:00.0: [drm] ERROR CRITICAL: Xe has declared device 0000:03:00.0 as wedged.
	...
	BUG: kernel NULL pointer dereference, address: 0000000000000000
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 0 P4D 0
	Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 9 UID: 0 PID: 3908 Comm: modprobe Tainted: G U W 6.13.0-rc4-xe+ #3
	Tainted: [U]=USER, [W]=WARN
	Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DDR5 UDIMM CRB, BIOS ADLSFWI1.R00.3275.A00.2207010640 07/01/2022
	RIP: 0010:xe_gt_tlb_invalidation_reset+0x75/0x110 [xe]

	This can be easily triggered by poking the GuC binary to force a
	signature failure. There will still be an extra message,

	xe 0000:03:00.0: [drm] ERROR GT0: GuC mmio request 0x4100: no reply 0x4100

	but that's better than a NULL ptr deref.

	(cherry picked from commit 5001ef3af8f2c972d6fd9c5221a8457556f8bea6)

	The Linux kernel CVE team has assigned CVE-2025-21644 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit c9474b726b932b5d555effd9ed0ae19f4da2367c and fixed in 6.12.10 with commit 09b94ddc58c6640cbbc7775a61a5387b8be71488
	Issue introduced in 6.11 with commit c9474b726b932b5d555effd9ed0ae19f4da2367c and fixed in 6.13 with commit 9ab4981552930a9c45682d62424ba610edc3992d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21644
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/xe/xe_gt.c
	drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c
	drivers/gpu/drm/xe/xe_gt_tlb_invalidation.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/09b94ddc58c6640cbbc7775a61a5387b8be71488
	https://git.kernel.org/stable/c/9ab4981552930a9c45682d62424ba610edc3992d