CVE-2025-40329
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb
The Mesa issue referenced below pointed out a possible deadlock:
[ 1231.611031] Possible interrupt unsafe locking scenario:
[ 1231.611033] CPU0 CPU1 [ 1231.611034] ---- ---- [ 1231.611035] lock(&xa->xa_lock#17); [ 1231.611038] local_irq_disable(); [ 1231.611039] lock(&fence->lock); [ 1231.611041] lock(&xa->xa_lock#17); [ 1231.611044] [ 1231.611045] lock(&fence->lock); [ 1231.611047] * DEADLOCK *
In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).
CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0.
Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback.
dma_fence_signal() // locks f1.lock -> drm_sched_entity_kill_jobs_cb() -> foreach dependencies -> dma_fence_add_callback() // locks f2.lock
This will deadlock if f1 and f2 share the same spinlock.
To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work().
[phasta: commit message nits]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A deadlock in the Linux kernel's DRM scheduler (drm_sched_entity_kill_jobs_cb) due to improper locking of xarray and fence spinlocks, fixed by moving dependency handling to a workqueue.
Vulnerability
Analysis
The Linux kernel's DRM scheduler contains a deadlock vulnerability in the function drm_sched_entity_kill_jobs_cb. The issue arises from a lock ordering conflict between the xarray lock (xa_lock) used for job dependencies and the fence lock (fence->lock) used in DMA fence operations. The function does not disable interrupts when accessing the xarray, creating a scenario where an interrupt context (CPU1) holding fence->lock attempts to acquire xa_lock, while another context (CPU0) already holds xa_lock and later attempts to acquire fence->lock in an interrupt, leading to a deadlock.
Exploitation
Context
The deadlock can be triggered when drm_sched_entity_kill_jobs_cb is invoked as a fence signaling callback, placing it in an interrupt context. Any code path that accesses job dependencies via xarray functions without disabling interrupts (e.g., drm_sched_job_add_dependency, drm_sched_entity_kill_jobs_cb) can participate in the deadlock. Additionally, a nested lock issue exists because dma_fence_signal locks the fence's lock, and dma_fence_add_callback also locks a fence lock; if the same spinlock is used for different fences, a deadlock occurs when iterating dependencies and re-arming callbacks.
Impact and
Mitigation
An attacker able to trigger the affected code path could cause a system hang or denial of service due to the deadlock. The fix, as described in the commit message, moves the dependency iteration and re-arming logic to a workqueue (drm_sched_entity_kill_jobs_work), separating it from the interrupt context and eliminating both locking issues. The patch has been applied to the Linux kernel stable tree, and users are advised to update to the latest kernel version.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
470150b9443dd0d63031ee4a53e8ada4fd838487df8b69834Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.