VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68802

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: Limit num_syncs to prevent oversized allocations

The exec and vm_bind ioctls allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below.

Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit.

"
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124
...
Call Trace:
 alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416
 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317
 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kmalloc_array_noprof include/linux/slab.h:948 [inline]
 xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158
 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797
 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894
 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:598 [inline]
 __se_sys_ioctl fs/ioctl.c:584 [inline]
 __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
"

v2: Add "Reported-by" and Cc stable kernels.
v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh)
v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt)
v5: Do the check at the top of the exec func. (Matt)

(cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing bounds check in the Linux kernel's drm/xe driver allowed userspace to specify an arbitrary num_syncs value, leading to oversized allocations and a kernel warning.

What the vulnerability is

In the Linux kernel's drm/xe driver, the exec and vm_bind ioctl handlers allowed userspace to specify an unbounded num_syncs value. Without proper validation, passing a very large number could force the kernel to attempt an excessively large memory allocation, triggering a warning from the page allocator. This is a denial-of-service condition caused by a missing upper bound on the number of synchronization objects requested by a user.[1]

How it's exploited

An attacker with access to the affected ioctl (either local or through a container/virtual machine with access to the DRM device) could craft a request with an arbitrarily high num_syncs value. The kernel would then try to allocate memory sized as num_syncs * sizeof(...), potentially exhausting memory or hitting allocator limits. The call trace in the warning shows the failure occurring in xe_exec_ioctl at drivers/gpu/drm/xe/xe_exec.c:158, when kmalloc_array_noprof is called with the unchecked count.[1]

Impact

Successful exploitation causes a kernel warning and may destabilize the system, leading to denial of service. No privilege escalation or data corruption is reported. The commit message notes that the system displays a "cut here" warning and a call trace, indicating the allocation request exceeded the page allocator's maximum supported order.[1]

Mitigation

The fix introduces a constant DRM_XE_MAX_SYNCS set to 1024. Any ioctl request with num_syncs exceeding this limit is rejected early with an error code before any allocation is attempted. This patch has been applied to the stable kernel trees and should be backported to affected versions.[1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
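
The bounds check described above, modeled in userspace C as an added example; it is not the kernel patch or code from this advisory. Only DRM_XE_MAX_SYNCS = 1024 comes from the page: the struct names and layouts, the 32-bit count, the 4 MiB allocator ceiling and the -EINVAL return value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define DRM_XE_MAX_SYNCS  1024u              /* limit named in the advisory */
#define MODEL_ALLOC_LIMIT ((size_t)4 << 20)  /* assumed 4 MiB allocator ceiling */

struct model_sync_entry { uint64_t handle, addr, value; }; /* hypothetical layout */
struct model_exec_args  { uint32_t num_syncs; };           /* hypothetical; user-controlled */

static int warnings; /* counts modeled page-allocator warnings */

/* Stand-in for kmalloc_array(): overflow-checked multiply, warns when oversized. */
static void *model_alloc_array(size_t n, size_t size)
{
    if (size && n > SIZE_MAX / size)
        return NULL;                 /* multiplication would overflow */
    if (n * size > MODEL_ALLOC_LIMIT) {
        warnings++;                  /* where the kernel would print its WARNING */
        return NULL;
    }
    return calloc(n, size);
}

/* Before: the user-supplied count reaches the allocator unchecked. */
int exec_unchecked(const struct model_exec_args *args)
{
    struct model_sync_entry *syncs;

    if (!args->num_syncs)
        return 0;                    /* nothing to allocate */
    syncs = model_alloc_array(args->num_syncs, sizeof(*syncs));
    if (!syncs)
        return -ENOMEM;
    free(syncs);
    return 0;
}

/* After: reject at the top of the handler, before any allocation. */
int exec_checked(const struct model_exec_args *args)
{
    if (args->num_syncs > DRM_XE_MAX_SYNCS)
        return -EINVAL;              /* assumed errno; the page says only "rejected" */
    return exec_unchecked(args);
}

int model_warnings(void) { return warnings; }
```

On a 64-bit build the overflow test in the allocator stand-in never fires for a 32-bit count, so the explicit upper bound is the only thing that keeps the oversized request away from the allocator.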
