VYPR
Unrated severity · NVD Advisory · Published Dec 8, 2025 · Updated Apr 15, 2026

CVE-2025-40310

Description

In the Linux kernel, the following vulnerability has been resolved:

amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw

There is a race between amdgpu_amdkfd_device_fini_sw and the interrupt, if amdgpu_amdkfd_device_fini_sw runs in between kfd_cleanup_nodes and kfree(kfd) and a KGD interrupt is generated.

kernel panic log:

BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP

PGD d78c68067 P4D d78c68067

kfd kfd: amdgpu: Allocated 3969056 bytes on gart

PUD 1465b8067 PMD @

Oops: @002 [#1] SMP NOPTI

kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K

RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40

Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 OF b1 17 75 Ba 4c 89 e@ 41 Sc

89 c6 e8 07 38 5d

RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046

RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00

CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033

CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400

PKRU: 55555554

Call Trace:

kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]

? amdgpu_fence_process+0xa4/0x150 [amdgpu]

kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace

amdgpu_irq_dispatch+0x165/0x210 [amdgpu]

amdgpu_ih_process+0x80/0x100 [amdgpu]

amdgpu: Virtual CRAT table created for GPU

amdgpu_irq_handler+0x1f/@x60 [amdgpu]

__handle_irq_event_percpu+0x3d/0x170

amdgpu: Topology: Add dGPU node [0x74a2:0x1002]

handle_irq_event+0x5a/@xcO

handle_edge_irq+0x93/0x240

kfd kfd: amdgpu: KFD node 1 partition @ size 49148M

asm_call_irq_on_stack+0xf/@x20

common_interrupt+0xb3/0x130

asm_common_interrupt+0x1le/0x40

5.10.134-010.a1i5000.a18.x86_64 #1

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's amdgpu/amdkfd driver can cause a NULL pointer dereference when device finalization and interrupt handling overlap.

Vulnerability

A race condition exists in the Linux kernel's AMD GPU driver (amdgpu/amdkfd) between the amdgpu_amdkfd_device_fini_sw function and interrupt handling. If the device finalization routine runs concurrently with a KGD (Kernel Graphics Driver) interrupt, the interrupt handler may attempt to access freed or uninitialized memory, leading to a NULL pointer dereference [1].

Exploitation

The vulnerability is triggered when amdgpu_amdkfd_device_fini_sw executes in the window between kfd_cleanup_nodes and kfree(kfd). During this window, an incoming interrupt can call kgd2kfd_interrupt, which tries to acquire a spinlock at offset 0x98 of a structure that has already been freed or not yet allocated [1]. The attacker does not require special privileges; the race can occur during normal driver shutdown or module removal, but a local user with access to AMD GPU devices could potentially trigger the condition to cause a denial of service (system crash).

Impact

A successful exploit results in a kernel panic due to a NULL pointer dereference, as shown in the crash log where _raw_spin_lock_irqsave attempts to lock memory at address 0x98 [1]. This leads to a denial of service, affecting system availability. The vulnerability is rated with a CVSS score that reflects the potential for local exploitation causing a high impact on availability.
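
A triage helper for the crash signature described above, added here as an example (it is not code from the advisory or from the kernel project): it splits a kernel log into NULL-dereference reports and flags those that fault in _raw_spin_lock_irqsave with kgd2kfd_interrupt on the stack. The sample log, the function names and the 0x1000 NULL-page threshold are assumptions of this example.

```python
import re

# Constructed sample (not a real capture): one oops shaped like the advisory's
# panic log, then an unrelated oops that must not match. Offsets are made up.
SAMPLE_LOG = """\
[  101.2] BUG: kernel NULL pointer dereference, address: 0000000000000098
[  101.2] RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40
[  101.2] Call Trace:
[  101.2]  kgd2kfd_interrupt+0x10/0x100 [amdgpu]
[  101.2]  ? amdgpu_fence_process+0xa4/0x150 [amdgpu]
[  101.2]  amdgpu_irq_dispatch+0x165/0x210 [amdgpu]
[  305.7] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  305.7] RIP: 0010:example_poll+0x20/0x90
[  305.7] Call Trace:
[  305.7]  example_irq+0x44/0x80 [example]
"""

STAMP_RE = re.compile(r"^\[\s*[\d.]+\]")  # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]+:(\w+)\+0x")
FRAME_RE = re.compile(r"^\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # skips "? sym" frames

def split_oopses(log):
    """Yield {addr, rip, frames} for each NULL-dereference report in the log."""
    current = None
    for raw in log.splitlines():
        line = STAMP_RE.sub("", raw)
        if (m := BUG_RE.search(line)):
            if current:
                yield current
            current = {"addr": int(m.group(1), 16), "rip": None, "frames": []}
        elif current is None:
            continue
        elif current["rip"] is None and (m := RIP_RE.search(line)):
            current["rip"] = m.group(1)
        elif (m := FRAME_RE.match(line)):
            current["frames"].append(m.group(1))
    if current:
        yield current

def matches_signature(oops, max_offset=0x1000):
    """Advisory signature: fault in the NULL page while taking a spinlock,
    with kgd2kfd_interrupt as a reliable frame. A triage hint, not proof."""
    return (oops["addr"] < max_offset
            and oops["rip"] == "_raw_spin_lock_irqsave"
            and "kgd2kfd_interrupt" in oops["frames"])

def triage(log):
    return [o for o in split_oopses(log) if matches_signature(o)]
```

Feed triage() the text of a saved dmesg or kdump log; a non-empty result marks a host whose crash is worth checking against the kernel version it was running.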

Mitigation

The fix is included in the Linux kernel stable tree via commit bc9e789053abe463f8cf74eee5fc2f157c11a79f [1]. Users should apply the latest kernel updates from their distribution to ensure the race condition is properly serialized. No workaround is available other than updating the kernel.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 4

References: 4