VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2023-54098

CVE-2023-54098

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gvt: fix gvt debugfs destroy

When gvt debug fs is destroyed, need to have a sane check if drm minor's debugfs root is still available or not, otherwise in case like device remove through unbinding, drm minor's debugfs directory has already been removed, then intel_gvt_debugfs_clean() would act upon dangling pointer like below oops.

i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2 i915 0000:00:02.0: MDEV: Registered Console: switching to colour dummy device 80x25 i915 0000:00:02.0: MDEV: Unregistering BUG: kernel NULL pointer dereference, address: 00000000000000a0 PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15 Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020 RIP: 0010:down_write+0x1f/0x90 Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01 RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000 RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8 RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0 R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000 R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0 FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0 Call Trace:

simple_recursive_removal+0x9f/0x2a0 ? start_creating.part.0+0x120/0x120 ? _raw_spin_lock+0x13/0x40 debugfs_remove+0x40/0x60 intel_gvt_debugfs_clean+0x15/0x30 [kvmgt] intel_gvt_clean_device+0x49/0xe0 [kvmgt] intel_gvt_driver_remove+0x2f/0xb0 i915_driver_remove+0xa4/0xf0 i915_pci_remove+0x1a/0x30 pci_device_remove+0x33/0xa0 device_release_driver_internal+0x1b2/0x230 unbind_store+0xe0/0x110 kernfs_fop_write_iter+0x11b/0x1f0 vfs_write+0x203/0x3d0 ksys_write+0x63/0xe0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f6947cb5190 Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89 RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190 RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001 RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001 R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0

Modules linked in: kvmgt CR2: 00000000000000a0 ---[ end trace 0000000000000000 ]---

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a NULL pointer dereference in drm/i915/gvt debugfs cleanup occurs when debugfs is destroyed after the DRM minor's debugfs root is already removed.

Vulnerability

CVE-2023-54098 is a NULL pointer dereference vulnerability in the Linux kernel's drm/i915/gvt subsystem. The root cause is that when the GVT debugfs is destroyed via intel_gvt_debugfs_clean(), the code does not check whether the DRM minor's debugfs root directory is still valid. During device removal through unbinding, the DRM minor's debugfs directory is removed first, leaving a dangling pointer that leads to a crash when debugfs_remove() is called.

Exploitation

The vulnerability is triggered during device removal, specifically when a user unbinds the i915 GPU device is unbound from the driver. The attack surface is local, requiring the ability to trigger a device unbind operation. No authentication is needed beyond normal user access to the system. The crash occurs in the kernel's debugfs removal path, as shown in the oops trace: down_write is called on a freed or invalid struct rw_semaphore at offset 0xa0, leading to a NULL pointer dereference [1][2].

Impact

An attacker with local access can trigger a kernel NULL pointer dereference, causing a reference, causing a system crash (denial of service). The oops shows a BUG: kernel NULL pointer dereference at address 00000000000000a0 in down_write, which is called from simple_recursive_removal during debugfs cleanup. This can lead to system instability or a complete hang.

Mitigation

The fix is available in the Linux kernel stable tree. The commit c4b850d1f448a901fbf4f7f36dec38c84009b489 adds a sanity check to ensure the debugfs root is still valid before attempting cleanup [1][2][3][4]. Users should apply the latest kernel updates from their distribution.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

5
bb7c7b2c89d2
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
ae9a61511736
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
b85c8536fda3
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
fe340500baf8
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c4b850d1f448
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.