CVE-2025-40332
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix mmap write lock not release
If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken.
Downgrading the mmap write lock to a read lock if draining retry fault fixes this bug.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's drm/amdkfd driver, the mmap write lock is not released while draining retry faults, which causes a deadlock; the fix downgrades the write lock to a read lock.
Vulnerability
The vulnerability resides in the Linux kernel's drm/amdkfd driver. If svm_range_restore_pages holds the mmap write lock when it reaches the draining retry fault path, it calls mmap_read_unlock and then returns. The read-unlock does not release the write lock, so the lock is still held after the function returns.
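The lock imbalance described above, as an added example that is not kernel or amdkfd source: a userspace C model showing that a read-unlock on a write-held lock leaves it held, and that downgrading first lets the same read-unlock release it. The `model_*` functions, `drain_exit` and the simplified lock structure are assumptions made for illustration.

```c
/* Added illustration: userspace model only, not kernel or amdkfd source. */
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-in for the mmap lock: one writer or any number of readers. */
struct model_lock { bool writer; int readers; };

static void model_read_lock(struct model_lock *l)  { l->readers++; }
static void model_write_lock(struct model_lock *l) { l->writer = true; }

/* Simplification: a read-unlock only drops a reader and never clears the
 * writer flag, so calling it on a write-held lock leaves the lock held. */
static void model_read_unlock(struct model_lock *l) { if (l->readers > 0) l->readers--; }

/* Turn the held write lock into a held read lock. */
static void model_write_downgrade(struct model_lock *l) { l->writer = false; l->readers++; }

/* Could another thread still take the lock for reading / for writing? */
static bool model_can_read(struct model_lock l)  { return !l.writer; }
static bool model_can_write(struct model_lock l) { return !l.writer && l.readers == 0; }

/* Models the early return taken while draining retry faults.
 * write_locked: the handler holds the lock in write mode at that point.
 * patched:      apply the fix (downgrade before the common read-unlock). */
static struct model_lock drain_exit(bool write_locked, bool patched)
{
    struct model_lock l = { false, 0 };

    if (write_locked)
        model_write_lock(&l);
    else
        model_read_lock(&l);

    if (patched && write_locked)
        model_write_downgrade(&l);
    model_read_unlock(&l);          /* the exit path always read-unlocks */
    return l;                       /* lock state left behind for other threads */
}

int main(void)
{
    for (int w = 0; w <= 1; w++)
        for (int p = 0; p <= 1; p++) {
            struct model_lock l = drain_exit(w, p);
            printf("write_locked=%d patched=%d -> can_read=%d can_write=%d\n",
                   w, p, model_can_read(l), model_can_write(l));
        }
    return 0;
}
```

Only the unpatched, write-locked case leaves the lock unavailable to later readers and writers, which corresponds to the hang the description reports.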
Exploitation
An attacker with local access and the ability to trigger GPU page faults can exploit this bug. The attack surface is limited to systems using AMD GPUs with the amdkfd driver. No authentication is required beyond local user access. By inducing retry faults, the attacker can cause the mmap write lock to be permanently held, preventing other threads from acquiring read or write locks.
Impact
Successful exploitation leads to a deadlock, causing the system to hang. This can result in a denial of service (DoS) as subsequent mmap operations cannot proceed. The vulnerability does not directly allow privilege escalation or data corruption.
Mitigation
The fix has been upstreamed in the Linux kernel commit 7574f30337e19045f03126b4c51f525b84e5049e [1]. Users should apply the latest kernel updates to their distributions. No known workarounds exist; updating the kernel is the recommended solution.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 3
e2105ba1c262, f7569ef1cf97, 7574f30337e1
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0 (no linked articles in our index yet)