CVE-2025-40340

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.

I saw an oops in xe_gem_fault when running the xe-fast-feedback
testlist against the realtime kernel without debug options enabled.

The panic happens after core_hotunplug unbind-rebind finishes.
Presumably what happens is that a process mmaps, unlocks because
of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,
causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since
there was nothing left to populate, and then oopses in
"mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource
is NULL.

It's convoluted, but fits the data and explains the oops after
the test exits.

Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  UNKNOWN     ---
Linux     CNA   ---         ---

Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score Percentile: Unknown

Debian Releases

Debian Product  Codename             Version    Status
linux           bullseye             ---        vulnerable
linux           bullseye (security)  ---        vulnerable
linux           bookworm             ---        vulnerable
linux           bookworm (security)  ---        vulnerable
linux           trixie               ---        vulnerable
linux           trixie (security)    ---        vulnerable
linux           forky                6.17.9-1   fixed
linux           sid                  6.17.11-1  fixed