FKIE_CVE-2025-68793

Vulnerability from fkie_nvd - Published: 2026-01-13 16:16 - Updated: 2026-04-15 00:35
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix a job->pasid access race in gpu recovery

Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue.

The gpu recovery function calls drm_sched_stop() and later drm_sched_start(). drm_sched_start() restarts the tdr queue which will eventually free the job. If the tdr queue frees the job before the time out callback completes, the job will be freed and we'll get a UAF when accessing the pasid. Cache it early to avoid the UAF.

Example KASAN trace:
[  493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[  493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323
[  493.074892]
[  493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G            E       6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)
[  493.076493] Tainted: [E]=UNSIGNED_MODULE
[  493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019
[  493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]
[  493.076512] Call Trace:
[  493.076515]  <TASK>
[  493.076518]  dump_stack_lvl+0x64/0x80
[  493.076529]  print_report+0xce/0x630
[  493.076536]  ? _raw_spin_lock_irqsave+0x86/0xd0
[  493.076541]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[  493.076545]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[  493.077253]  kasan_report+0xb8/0xf0
[  493.077258]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[  493.077965]  amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]
[  493.078672]  ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]
[  493.079378]  ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]
[  493.080111]  amdgpu_job_timedout+0x642/0x1400 [amdgpu]
[  493.080903]  ? pick_task_fair+0x24e/0x330
[  493.080910]  ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]
[  493.081702]  ? _raw_spin_lock+0x75/0xc0
[  493.081708]  ? __pfx__raw_spin_lock+0x10/0x10
[  493.081712]  drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]
[  493.081721]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[  493.081725]  process_one_work+0x679/0xff0
[  493.081732]  worker_thread+0x6ce/0xfd0
[  493.081736]  ? __pfx_worker_thread+0x10/0x10
[  493.081739]  kthread+0x376/0x730
[  493.081744]  ? __pfx_kthread+0x10/0x10
[  493.081748]  ? __pfx__raw_spin_lock_irq+0x10/0x10
[  493.081751]  ? __pfx_kthread+0x10/0x10
[  493.081755]  ret_from_fork+0x247/0x330
[  493.081761]  ? __pfx_kthread+0x10/0x10
[  493.081764]  ret_from_fork_asm+0x1a/0x30
[  493.081771]  </TASK>

(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)
Impacted products
Vendor Product Version

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix a job-\u003epasid access race in gpu recovery\n\nAvoid a possible UAF in GPU recovery due to a race between\nthe sched timeout callback and the tdr work queue.\n\nThe gpu recovery function calls drm_sched_stop() and\nlater drm_sched_start().  drm_sched_start() restarts\nthe tdr queue which will eventually free the job.  If\nthe tdr queue frees the job before time out callback\ncompletes, the job will be freed and we\u0027ll get a UAF\nwhen accessing the pasid.  Cache it early to avoid the\nUAF.\n\nExample KASAN trace:\n[  493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323\n[  493.074892]\n[  493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G            E       6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)\n[  493.076493] Tainted: [E]=UNSIGNED_MODULE\n[  493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019\n[  493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]\n[  493.076512] Call Trace:\n[  493.076515]  \u003cTASK\u003e\n[  493.076518]  dump_stack_lvl+0x64/0x80\n[  493.076529]  print_report+0xce/0x630\n[  493.076536]  ? _raw_spin_lock_irqsave+0x86/0xd0\n[  493.076541]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  493.076545]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077253]  kasan_report+0xb8/0xf0\n[  493.077258]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077965]  amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.078672]  ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]\n[  493.079378]  ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]\n[  493.080111]  amdgpu_job_timedout+0x642/0x1400 [amdgpu]\n[  493.080903]  ? pick_task_fair+0x24e/0x330\n[  493.080910]  ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]\n[  493.081702]  ? _raw_spin_lock+0x75/0xc0\n[  493.081708]  ? __pfx__raw_spin_lock+0x10/0x10\n[  493.081712]  drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]\n[  493.081721]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081725]  process_one_work+0x679/0xff0\n[  493.081732]  worker_thread+0x6ce/0xfd0\n[  493.081736]  ? __pfx_worker_thread+0x10/0x10\n[  493.081739]  kthread+0x376/0x730\n[  493.081744]  ? __pfx_kthread+0x10/0x10\n[  493.081748]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081751]  ? __pfx_kthread+0x10/0x10\n[  493.081755]  ret_from_fork+0x247/0x330\n[  493.081761]  ? __pfx_kthread+0x10/0x10\n[  493.081764]  ret_from_fork_asm+0x1a/0x30\n[  493.081771]  \u003c/TASK\u003e\n\n(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/amdgpu: soluciona una condici\u00f3n de carrera de acceso a job-\u0026gt;pasid en la recuperaci\u00f3n de la GPU\n\nEvita un posible UAF en la recuperaci\u00f3n de la GPU debido a una condici\u00f3n de carrera entre el callback de tiempo de espera de sched y la cola de trabajo tdr.\n\nLa funci\u00f3n de recuperaci\u00f3n de la GPU llama a drm_sched_stop() y luego a drm_sched_start(). drm_sched_start() reinicia la cola tdr que eventualmente liberar\u00e1 el trabajo (job). Si la cola tdr libera el trabajo (job) antes de que el callback de tiempo de espera se complete, el trabajo (job) ser\u00e1 liberado y obtendremos un UAF al acceder al pasid. Almacenarlo en cach\u00e9 con antelaci\u00f3n para evitar el UAF.\n\nEjemplo de traza KASAN:\n[  493.058141] ERROR: KASAN: uso-despu\u00e9s-de-liberaci\u00f3n de slab en amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.067530] Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff88b0ce3f794c por la tarea kworker/u128:1/323\n[  493.074892]\n[  493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G            E       6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntario)\n[  493.076493] Tainted: [E]=UNSIGNED_MODULE\n[  493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019\n[  493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]\n[  493.076512] Traza de Llamada:\n[  493.076515]  \n[  493.076518]  dump_stack_lvl+0x64/0x80\n[  493.076529]  print_report+0xce/0x630\n[  493.076536]  ? _raw_spin_lock_irqsave+0x86/0xd0\n[  493.076541]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  493.076545]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077253]  kasan_report+0xb8/0xf0\n[  493.077258]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077965]  amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.078672]  ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]\n[  493.079378]  ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]\n[  493.080111]  amdgpu_job_timedout+0x642/0x1400 [amdgpu]\n[  493.080903]  ? pick_task_fair+0x24e/0x330\n[  493.080910]  ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]\n[  493.081702]  ? _raw_spin_lock+0x75/0xc0\n[  493.081708]  ? __pfx__raw_spin_lock+0x10/0x10\n[  493.081712]  drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]\n[  493.081721]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081725]  process_one_work+0x679/0xff0\n[  493.081732]  worker_thread+0x6ce/0xfd0\n[  493.081736]  ? __pfx_worker_thread+0x10/0x10\n[  493.081739]  kthread+0x376/0x730\n[  493.081744]  ? __pfx_kthread+0x10/0x10\n[  493.081748]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081751]  ? __pfx_kthread+0x10/0x10\n[  493.081755]  ret_from_fork+0x247/0x330\n[  493.081761]  ? __pfx_kthread+0x10/0x10\n[  493.081764]  ret_from_fork_asm+0x1a/0x30\n[  493.081771]  \n\n(seleccionado de la confirmaci\u00f3n 20880a3fd5dd7bca1a079534cf6596bda92e107d)"
    }
  ],
  "id": "CVE-2025-68793",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2026-01-13T16:16:01.197",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}







Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
