CVE-2025-40166
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/guc: Check GuC running state before deregistering exec queue
In normal operation, a registered exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled.
In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources. Fix this by directly releasing the resources when GuC is not running.
Here is the failure dmesg log: " [ 468.089581] ---[ end trace 0000000000000000 ]--- [ 468.089608] pci 0000:03:00.0: [drm] *ERROR* GT0: GUC ID manager unclean (1/65535) [ 468.090558] pci 0000:03:00.0: [drm] GT0: total 65535 [ 468.090562] pci 0000:03:00.0: [drm] GT0: used 1 [ 468.090564] pci 0000:03:00.0: [drm] GT0: range 1..1 (1) [ 468.092716] ------------[ cut here ]------------ [ 468.092719] WARNING: CPU: 14 PID: 4775 at drivers/gpu/drm/xe/xe_ttm_vram_mgr.c:298 ttm_vram_mgr_fini+0xf8/0x130 [xe] "
v2: use xe_uc_fw_is_running() instead of xe_guc_ct_enabled(). As CT may go down and come back during VF migration.
(cherry picked from commit 9b42321a02c50a12b2beb6ae9469606257fbecea)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel drm/xe/guc vulnerability: improper cleanup of exec queue resources when driver unbinds while GuC is stopped.
Vulnerability
Overview
In the Linux kernel's drm subsystem for Xe GPUs, a vulnerability exists in the GuC (Graphics micro-controller) exec queue deregistration path. Normally, an exec queue is disabled and deregistered through the GuC, and freed only after the GuC confirms completion. However, if the driver is forced to unbind while the exec queue is still running, the user may call exec_destroy() after the GuC has already been stopped and CT communication disabled. In this case, the driver cannot receive a response from the GuC, preventing proper cleanup of exec queue resources and leading to resource leaks and warning messages [1].
Exploitation
Conditions
The vulnerability is triggered during an unexpected driver unbind while an exec queue is still active. An attacker with local access and the ability to force a driver unbind (e.g., by removing the PCI device) could cause this condition. No special privileges are required beyond the ability to manage GPU workloads and trigger a driver removal. The issue manifests with error logs showing "GUC ID manager unclean" and warnings in the TTM VRAM manager [1].
Impact
An attacker exploiting this vulnerability can cause a denial of service (DoS) by triggering resource leaks and kernel warnings. The leaked exec queue resources may exhaust the GuC ID space, preventing further GPU submissions. Additionally, the kernel warning indicates potential memory management inconsistencies that could lead to system instability or crashes [1].
Mitigation
The fix, included in Linux kernel stable updates, modifies the deregistration path to check the GuC running state using xe_uc_fw_is_running() instead of xe_guc_ct_enabled(). If the GuC is not running, resources are released directly without waiting for a GuC response [1]. Users should update their kernel to a version containing this commit to mitigate the vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
32c6e5904c5bdfa708415566b9f64b3cd051bVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.