VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-40340

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.

I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled.

The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in "mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource is NULL.

It's convoluted, but fits the data and explains the oops after the test exits.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's Xe DRM driver can cause an oops during GPU hot-unplug tests when a process mmaps memory and the TTM buffer object resource is freed.

Vulnerability

Overview

In the Linux kernel's Xe DRM (Direct Rendering Manager) driver (drm/xe), a NULL pointer dereference occurs in the xe_gem_fault function when handling a page fault after a GPU hot-unplug operation. The root cause is that, after the unbind-rebind cycle of the core_hotunplug test, a process may have mmap'd memory and then released its lock via the FAULT_FLAG_RETRY_NOWAIT logic. When no process memory remains, ttm_bo_vm_dummy_page() returns VM_FAULT_NOPAGE, and the subsequent access to tbo->resource->mem_type crashes because tbo->resource is NULL [1].

Exploitation

Conditions

Exploitation requires a specific sequence: a process must have mmap'd GPU memory, the GPU device must be hot-unplugged (unbind-rebind), and then a page fault must occur on the stale mapping. The vulnerability is triggered during the core_hotunplug test, but could potentially be reached by an attacker with local access who can trigger a GPU hot-unplug while a process holds an mmap of GPU memory. No special privileges beyond local user access are needed to trigger the fault, but the hot-unplug operation itself typically requires root or physical access.

Impact

An attacker who can cause a GPU hot-unplug while a process has an active mmap to Xe GPU memory can trigger a NULL pointer dereference in the kernel, leading to a system crash (oops). This results in a denial of service (DoS) on the affected system. The vulnerability does not appear to allow privilege escalation or arbitrary code execution based on the available information.

Mitigation

The fix is included in Linux kernel stable commit 99428bd6123d5676209dfb1d7a8f176cc830b665 [1]. Users should update to a kernel version containing this commit. No workaround is documented; the vulnerability is patched in the upstream kernel.
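To make the failure mode from the Overview concrete, here is a user-space C model of the tail of the fault handler as the advisory describes it: an unguarded form that dereferences tbo->resource once the fault path has returned VM_FAULT_NOPAGE, beside a guarded form that treats a NULL resource as "nothing was populated, nothing to track". This is an added, constructed example, not the kernel's xe_gem_fault and not the diff of the fix commit; the struct layouts, the scenario table, the modelled mem_type values and the VRAM follow-up flag are assumptions.

```c
/* User-space model of the xe_gem_fault decision path the advisory describes.
 * Constructed example: names mirror the kernel identifiers quoted in the
 * description, but struct layouts, the scenario table and the guard are
 * illustrative and are not the kernel's code or the fix commit. */
#include <stdbool.h>
#include <stddef.h>

enum { VM_FAULT_NOPAGE = 1, VM_FAULT_RETRY = 2 };   /* fault-path results */
#define FAULT_FLAG_RETRY_NOWAIT 0x1
enum { MEM_TYPE_SYSTEM = 0, MEM_TYPE_VRAM = 2 };    /* assumed mem_type values */

struct ttm_resource { int mem_type; };
/* After core_hotunplug's unbind the backing resource is gone, so resource
 * may be NULL while a stale user mapping of the buffer still exists. */
struct ttm_buffer_object { struct ttm_resource *resource; };

static bool mem_type_is_vram(int mem_type) { return mem_type == MEM_TYPE_VRAM; }

/* Constructed scenarios corresponding to the cases the page reasons about. */
struct scenario { int flags; int ret; struct ttm_resource *res; };
static struct ttm_resource vram = { MEM_TYPE_VRAM };
static const struct scenario scenarios[] = {
	[0] = { 0, VM_FAULT_NOPAGE, &vram },                      /* ordinary VRAM fault */
	[1] = { 0, VM_FAULT_RETRY, &vram },                       /* retry, caller will wait */
	[2] = { FAULT_FLAG_RETRY_NOWAIT, VM_FAULT_NOPAGE, NULL }, /* dummy page after unplug */
};

/* Models the handler's tail; 'guarded' selects the hardened form.
 * Returns the fault result, or -1 where the unguarded form would oops on
 * tbo->resource being NULL. *vram_work records whether the VRAM-only
 * follow-up work (modelled here as a flag) would run. */
static int xe_gem_fault_model(bool guarded, int id, bool *vram_work)
{
	const struct scenario *s = &scenarios[id];
	struct ttm_buffer_object tbo = { s->res };
	int ret = s->ret;

	*vram_work = false;
	if (ret == VM_FAULT_RETRY && !(s->flags & FAULT_FLAG_RETRY_NOWAIT))
		return ret;                 /* caller retries later; nothing else to do */
	if (ret == VM_FAULT_NOPAGE) {
		if (guarded && !tbo.resource)
			return ret;             /* nothing populated: nothing to track */
		if (!tbo.resource)
			return -1;              /* the NULL dereference the advisory describes */
		if (mem_type_is_vram(tbo.resource->mem_type))
			*vram_work = true;
	}
	return ret;
}

/* Wrappers so each scenario can be checked by return value alone. */
int fault_result(bool guarded, int id) { bool w; return xe_gem_fault_model(guarded, id, &w); }
bool fault_vram_work(bool guarded, int id) { bool w; xe_gem_fault_model(guarded, id, &w); return w; }
```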

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
