CVE-2025-38389 (GCVE-0-2025-38389)

Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2025-11-03 17:37
VLAI?
Title
drm/i915/gt: Fix timeline left held on VMA alloc error
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: <4> [239.330153] ------------[ cut here ]------------ <4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count) <4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915] ... <4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915] ... <4> [239.330942] Call Trace: <4> [239.330944] <TASK> <4> [239.330949] i915_driver_late_release+0x2b/0xa0 [i915] <4> [239.331202] i915_driver_release+0x86/0xa0 [i915] <4> [239.331482] devm_drm_dev_init_release+0x61/0x90 <4> [239.331494] devm_action_release+0x15/0x30 <4> [239.331504] release_nodes+0x3d/0x120 <4> [239.331517] devres_release_all+0x96/0xd0 <4> [239.331533] device_unbind_cleanup+0x12/0x80 <4> [239.331543] device_release_driver_internal+0x23a/0x280 <4> [239.331550] ? bus_find_device+0xa5/0xe0 <4> [239.331563] device_driver_detach+0x14/0x20 ... <4> [357.719679] ---[ end trace 0000000000000000 ]--- If the test also unloads the i915 module then that's followed with: <3> [357.787478] ============================================================================= <3> [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown() <3> [357.788031] ----------------------------------------------------------------------------- <3> [357.788204] Object 0xffff888109e7f480 @offset=29824 <3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244 <4> [357.788994] i915_vma_instance+0xee/0xc10 [i915] <4> [357.789290] init_status_page+0x7b/0x420 [i915] <4> [357.789532] intel_engines_init+0x1d8/0x980 [i915] <4> [357.789772] intel_gt_init+0x175/0x450 [i915] <4> [357.790014] i915_gem_init+0x113/0x340 [i915] <4> [357.790281] i915_driver_probe+0x847/0xed0 [i915] <4> [357.790504] i915_pci_probe+0xe6/0x220 [i915] ... Closer analysis of CI results history has revealed a dependency of the error on a few IGT tests, namely: - igt@api_intel_allocator@fork-simple-stress-signal, - igt@api_intel_allocator@two-level-inception-interruptible, - igt@gem_linear_blits@interruptible, - igt@prime_mmap_coherency@ioctl-errors, which invisibly trigger the issue, then exhibited with first driver unbind attempt. All of the above tests perform actions which are actively interrupted with signals. Further debugging has allowed to narrow that scope down to DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring submission, in particular. If successful then that function, or its execlists or GuC submission equivalent, is supposed to be called only once per GEM context engine, followed by raise of a flag that prevents the function from being called again. The function is expected to unwind its internal errors itself, so it may be safely called once more after it returns an error. In case of ring submission, the function first gets a reference to the engine's legacy timeline and then allocates a VMA. If the VMA allocation fails, e.g. when i915_vma_instance() called from inside is interrupted with a signal, then ring_context_alloc() fails, leaving the timeline held referenced. On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the timeline is got, and only that last one is put on successful completion. As a consequence, the legacy timeline, with its underlying engine status page's VMA object, is still held and not released on driver unbind. Get the legacy timeline only after successful allocation of the context engine's VMA. v2: Add a note on other submission methods (Krzysztof Karas): Both execlists and GuC submission use lrc_alloc() which seems free from a similar issue. (cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < 60b757730884e4a223152a68d9b5f625dac94119 (git)
Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < e47d7d6edc40a6ace7cc04e5893759fee68569f5 (git)
Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < f10af34261448610d4048ac6e6af87f80e3881a4 (git)
Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < 4c778c96e469fb719b11683e0a3be8ea68052fa2 (git)
Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < 40e09506aea1fde1f3e0e04eca531bbb23404baf (git)
Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < 5a7ae7bebdc4c2ecd48a2c061319956f65c09473 (git)
Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < c542d62883f62ececafcb630a1c5010133826bea (git)
Affected: 75d0a7f31eec8ec4a53b4485905800e09dc5091f , < a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6 (git)
Create a notification for this product.
    Linux Linux Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.144 , ≤ 6.1.* (semver)
Unaffected: 6.6.97 , ≤ 6.6.* (semver)
Unaffected: 6.12.37 , ≤ 6.12.* (semver)
Unaffected: 6.15.6 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:37:22.971Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/gt/intel_ring_submission.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "60b757730884e4a223152a68d9b5f625dac94119",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            },
            {
              "lessThan": "e47d7d6edc40a6ace7cc04e5893759fee68569f5",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            },
            {
              "lessThan": "f10af34261448610d4048ac6e6af87f80e3881a4",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            },
            {
              "lessThan": "4c778c96e469fb719b11683e0a3be8ea68052fa2",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            },
            {
              "lessThan": "40e09506aea1fde1f3e0e04eca531bbb23404baf",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            },
            {
              "lessThan": "5a7ae7bebdc4c2ecd48a2c061319956f65c09473",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            },
            {
              "lessThan": "c542d62883f62ececafcb630a1c5010133826bea",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            },
            {
              "lessThan": "a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6",
              "status": "affected",
              "version": "75d0a7f31eec8ec4a53b4485905800e09dc5091f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/gt/intel_ring_submission.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.144",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.97",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.37",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.144",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.97",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.37",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.6",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix timeline left held on VMA alloc error\n\nThe following error has been reported sporadically by CI when a test\nunbinds the i915 driver on a ring submission platform:\n\n\u003c4\u003e [239.330153] ------------[ cut here ]------------\n\u003c4\u003e [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv-\u003emm.shrink_count)\n\u003c4\u003e [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]\n...\n\u003c4\u003e [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]\n...\n\u003c4\u003e [239.330942] Call Trace:\n\u003c4\u003e [239.330944]  \u003cTASK\u003e\n\u003c4\u003e [239.330949]  i915_driver_late_release+0x2b/0xa0 [i915]\n\u003c4\u003e [239.331202]  i915_driver_release+0x86/0xa0 [i915]\n\u003c4\u003e [239.331482]  devm_drm_dev_init_release+0x61/0x90\n\u003c4\u003e [239.331494]  devm_action_release+0x15/0x30\n\u003c4\u003e [239.331504]  release_nodes+0x3d/0x120\n\u003c4\u003e [239.331517]  devres_release_all+0x96/0xd0\n\u003c4\u003e [239.331533]  device_unbind_cleanup+0x12/0x80\n\u003c4\u003e [239.331543]  device_release_driver_internal+0x23a/0x280\n\u003c4\u003e [239.331550]  ? bus_find_device+0xa5/0xe0\n\u003c4\u003e [239.331563]  device_driver_detach+0x14/0x20\n...\n\u003c4\u003e [357.719679] ---[ end trace 0000000000000000 ]---\n\nIf the test also unloads the i915 module then that\u0027s followed with:\n\n\u003c3\u003e [357.787478] =============================================================================\n\u003c3\u003e [357.788006] BUG i915_vma (Tainted: G     U  W        N ): Objects remaining on __kmem_cache_shutdown()\n\u003c3\u003e [357.788031] -----------------------------------------------------------------------------\n\u003c3\u003e [357.788204] Object 0xffff888109e7f480 @offset=29824\n\u003c3\u003e [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244\n\u003c4\u003e [357.788994]  i915_vma_instance+0xee/0xc10 [i915]\n\u003c4\u003e [357.789290]  init_status_page+0x7b/0x420 [i915]\n\u003c4\u003e [357.789532]  intel_engines_init+0x1d8/0x980 [i915]\n\u003c4\u003e [357.789772]  intel_gt_init+0x175/0x450 [i915]\n\u003c4\u003e [357.790014]  i915_gem_init+0x113/0x340 [i915]\n\u003c4\u003e [357.790281]  i915_driver_probe+0x847/0xed0 [i915]\n\u003c4\u003e [357.790504]  i915_pci_probe+0xe6/0x220 [i915]\n...\n\nCloser analysis of CI results history has revealed a dependency of the\nerror on a few IGT tests, namely:\n- igt@api_intel_allocator@fork-simple-stress-signal,\n- igt@api_intel_allocator@two-level-inception-interruptible,\n- igt@gem_linear_blits@interruptible,\n- igt@prime_mmap_coherency@ioctl-errors,\nwhich invisibly trigger the issue, then exhibited with first driver unbind\nattempt.\n\nAll of the above tests perform actions which are actively interrupted with\nsignals.  Further debugging has allowed to narrow that scope down to\nDRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring\nsubmission, in particular.\n\nIf successful then that function, or its execlists or GuC submission\nequivalent, is supposed to be called only once per GEM context engine,\nfollowed by raise of a flag that prevents the function from being called\nagain.  The function is expected to unwind its internal errors itself, so\nit may be safely called once more after it returns an error.\n\nIn case of ring submission, the function first gets a reference to the\nengine\u0027s legacy timeline and then allocates a VMA.  If the VMA allocation\nfails, e.g. when i915_vma_instance() called from inside is interrupted\nwith a signal, then ring_context_alloc() fails, leaving the timeline held\nreferenced.  On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the\ntimeline is got, and only that last one is put on successful completion.\nAs a consequence, the legacy timeline, with its underlying engine status\npage\u0027s VMA object, is still held and not released on driver unbind.\n\nGet the legacy timeline only after successful allocation of the context\nengine\u0027s VMA.\n\nv2: Add a note on other submission methods (Krzysztof Karas):\n    Both execlists and GuC submission use lrc_alloc() which seems free\n    from a similar issue.\n\n(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:20:51.661Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/60b757730884e4a223152a68d9b5f625dac94119"
        },
        {
          "url": "https://git.kernel.org/stable/c/e47d7d6edc40a6ace7cc04e5893759fee68569f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f10af34261448610d4048ac6e6af87f80e3881a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c778c96e469fb719b11683e0a3be8ea68052fa2"
        },
        {
          "url": "https://git.kernel.org/stable/c/40e09506aea1fde1f3e0e04eca531bbb23404baf"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a7ae7bebdc4c2ecd48a2c061319956f65c09473"
        },
        {
          "url": "https://git.kernel.org/stable/c/c542d62883f62ececafcb630a1c5010133826bea"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6"
        }
      ],
      "title": "drm/i915/gt: Fix timeline left held on VMA alloc error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38389",
    "datePublished": "2025-07-25T12:53:29.394Z",
    "dateReserved": "2025-04-16T04:51:24.011Z",
    "dateUpdated": "2025-11-03T17:37:22.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38389\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-25T13:15:28.240\",\"lastModified\":\"2025-12-16T20:13:12.260\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/i915/gt: Fix timeline left held on VMA alloc error\\n\\nThe following error has been reported sporadically by CI when a test\\nunbinds the i915 driver on a ring submission platform:\\n\\n\u003c4\u003e [239.330153] ------------[ cut here ]------------\\n\u003c4\u003e [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv-\u003emm.shrink_count)\\n\u003c4\u003e [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]\\n...\\n\u003c4\u003e [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]\\n...\\n\u003c4\u003e [239.330942] Call Trace:\\n\u003c4\u003e [239.330944]  \u003cTASK\u003e\\n\u003c4\u003e [239.330949]  i915_driver_late_release+0x2b/0xa0 [i915]\\n\u003c4\u003e [239.331202]  i915_driver_release+0x86/0xa0 [i915]\\n\u003c4\u003e [239.331482]  devm_drm_dev_init_release+0x61/0x90\\n\u003c4\u003e [239.331494]  devm_action_release+0x15/0x30\\n\u003c4\u003e [239.331504]  release_nodes+0x3d/0x120\\n\u003c4\u003e [239.331517]  devres_release_all+0x96/0xd0\\n\u003c4\u003e [239.331533]  device_unbind_cleanup+0x12/0x80\\n\u003c4\u003e [239.331543]  device_release_driver_internal+0x23a/0x280\\n\u003c4\u003e [239.331550]  ? bus_find_device+0xa5/0xe0\\n\u003c4\u003e [239.331563]  device_driver_detach+0x14/0x20\\n...\\n\u003c4\u003e [357.719679] ---[ end trace 0000000000000000 ]---\\n\\nIf the test also unloads the i915 module then that\u0027s followed with:\\n\\n\u003c3\u003e [357.787478] =============================================================================\\n\u003c3\u003e [357.788006] BUG i915_vma (Tainted: G     U  W        N ): Objects remaining on __kmem_cache_shutdown()\\n\u003c3\u003e [357.788031] -----------------------------------------------------------------------------\\n\u003c3\u003e [357.788204] Object 0xffff888109e7f480 @offset=29824\\n\u003c3\u003e [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244\\n\u003c4\u003e [357.788994]  i915_vma_instance+0xee/0xc10 [i915]\\n\u003c4\u003e [357.789290]  init_status_page+0x7b/0x420 [i915]\\n\u003c4\u003e [357.789532]  intel_engines_init+0x1d8/0x980 [i915]\\n\u003c4\u003e [357.789772]  intel_gt_init+0x175/0x450 [i915]\\n\u003c4\u003e [357.790014]  i915_gem_init+0x113/0x340 [i915]\\n\u003c4\u003e [357.790281]  i915_driver_probe+0x847/0xed0 [i915]\\n\u003c4\u003e [357.790504]  i915_pci_probe+0xe6/0x220 [i915]\\n...\\n\\nCloser analysis of CI results history has revealed a dependency of the\\nerror on a few IGT tests, namely:\\n- igt@api_intel_allocator@fork-simple-stress-signal,\\n- igt@api_intel_allocator@two-level-inception-interruptible,\\n- igt@gem_linear_blits@interruptible,\\n- igt@prime_mmap_coherency@ioctl-errors,\\nwhich invisibly trigger the issue, then exhibited with first driver unbind\\nattempt.\\n\\nAll of the above tests perform actions which are actively interrupted with\\nsignals.  Further debugging has allowed to narrow that scope down to\\nDRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring\\nsubmission, in particular.\\n\\nIf successful then that function, or its execlists or GuC submission\\nequivalent, is supposed to be called only once per GEM context engine,\\nfollowed by raise of a flag that prevents the function from being called\\nagain.  The function is expected to unwind its internal errors itself, so\\nit may be safely called once more after it returns an error.\\n\\nIn case of ring submission, the function first gets a reference to the\\nengine\u0027s legacy timeline and then allocates a VMA.  If the VMA allocation\\nfails, e.g. when i915_vma_instance() called from inside is interrupted\\nwith a signal, then ring_context_alloc() fails, leaving the timeline held\\nreferenced.  On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the\\ntimeline is got, and only that last one is put on successful completion.\\nAs a consequence, the legacy timeline, with its underlying engine status\\npage\u0027s VMA object, is still held and not released on driver unbind.\\n\\nGet the legacy timeline only after successful allocation of the context\\nengine\u0027s VMA.\\n\\nv2: Add a note on other submission methods (Krzysztof Karas):\\n    Both execlists and GuC submission use lrc_alloc() which seems free\\n    from a similar issue.\\n\\n(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/i915/gt: Se corrige el error de l\u00ednea de tiempo retenida en la asignaci\u00f3n de VMA. CI ha informado espor\u00e1dicamente del siguiente error cuando una prueba desvincula el controlador i915 en una plataforma de env\u00edo de anillo: \u0026lt;4\u0026gt; [239.330153] ------------[ cut here ]------------ \u0026lt;4\u0026gt; [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv-\u0026gt;mm.shrink_count) \u0026lt;4\u0026gt; [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915] ... \u0026lt;4\u0026gt; [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915] ... \u0026lt;4\u0026gt; [239.330942] Call Trace: \u0026lt;4\u0026gt; [239.330944]  \u0026lt;4\u0026gt; [239.330949] i915_driver_late_release+0x2b/0xa0 [i915] \u0026lt;4\u0026gt; [239.331202] i915_driver_release+0x86/0xa0 [i915] \u0026lt;4\u0026gt; [239.331482] devm_drm_dev_init_release+0x61/0x90 \u0026lt;4\u0026gt; [239.331494] devm_action_release+0x15/0x30 \u0026lt;4\u0026gt; [239.331504] release_nodes+0x3d/0x120 \u0026lt;4\u0026gt; [239.331517] devres_release_all+0x96/0xd0 \u0026lt;4\u0026gt; [239.331533] device_unbind_cleanup+0x12/0x80 \u0026lt;4\u0026gt; [239.331543] device_release_driver_internal+0x23a/0x280 \u0026lt;4\u0026gt; [239.331550] ? bus_find_device+0xa5/0xe0 \u0026lt;4\u0026gt; [239.331563] device_driver_detach+0x14/0x20 ... \u0026lt;4\u0026gt; [357.719679] ---[ end trace 0000000000000000 ]--- If the test also unloads the i915 module then that\u0027s followed with: \u0026lt;3\u0026gt; [357.787478] ============================================================================= \u0026lt;3\u0026gt; [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown() \u0026lt;3\u0026gt; [357.788031] ----------------------------------------------------------------------------- \u0026lt;3\u0026gt; [357.788204] Object 0xffff888109e7f480 @offset=29824 \u0026lt;3\u0026gt; [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244 \u0026lt;4\u0026gt; [357.788994] i915_vma_instance+0xee/0xc10 [i915] \u0026lt;4\u0026gt; [357.789290] init_status_page+0x7b/0x420 [i915] \u0026lt;4\u0026gt; [357.789532] intel_engines_init+0x1d8/0x980 [i915] \u0026lt;4\u0026gt; [357.789772] intel_gt_init+0x175/0x450 [i915] \u0026lt;4\u0026gt;  ---truncado--- Un an\u00e1lisis m\u00e1s detallado del historial de resultados de CI ha revelado una dependencia del error en algunas pruebas IGT, a saber: - igt@api_intel_allocator@fork-simple-stress-signal, - igt@api_intel_allocator@two-level-inception-interruptible, - igt@gem_linear_blits@interruptible, - igt@prime_mmap_coherency@ioctl-errors, que activan el problema de forma invisible y se muestran con el primer intento de desvinculaci\u00f3n del controlador. Todas las pruebas anteriores realizan acciones que se interrumpen activamente con se\u00f1ales. Una depuraci\u00f3n posterior ha permitido limitar este alcance a DRM_IOCTL_I915_GEM_EXECBUFFER2 y ring_context_alloc(), espec\u00edficos para el env\u00edo de anillos. Si la ejecuci\u00f3n es correcta, se supone que esa funci\u00f3n, o sus execlists o equivalentes de env\u00edo de GuC, se llamar\u00e1 solo una vez por motor de contexto GEM, seguido de la activaci\u00f3n de un indicador que impide que se vuelva a llamar. Se espera que la funci\u00f3n corrija sus errores internos por s\u00ed misma, por lo que puede volver a llamarse de forma segura despu\u00e9s de devolver un error. En caso de env\u00edo de anillo, la funci\u00f3n primero obtiene una referencia a la l\u00ednea de tiempo heredada del motor y luego asigna un VMA. Si la asignaci\u00f3n del VMA falla, por ejemplo, cuando i915_vma_instance() llamado desde dentro se interrumpe con una se\u00f1al, entonces ring_context_alloc() falla, dejando la l\u00ednea de tiempo referenciada. En la siguiente IOCTL I915_GEM_EXECBUFFER2, se obtiene otra referencia a la l\u00ednea de tiempo, y solo esta \u00faltima se coloca al completarse correctamente. Como consecuencia, la l\u00ednea de tiempo heredada, con el objeto VMA de su p\u00e1gina de estado del motor subyacente, a\u00fan se mantiene y no se libera al desvincular el controlador. Obtenga la l\u00ednea de tiempo heredada solo despu\u00e9s de la asignaci\u00f3n exitosa del VMA del motor de contexto. v2: Agregar una nota sobre otros m\u00e9todos de env\u00edo (Krzysztof Karas): Tanto los execlists como el env\u00edo GuC usan lrc_alloc(), que parec\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4\",\"versionEndExcluding\":\"5.4.296\",\"matchCriteriaId\":\"02FB3A90-2158-480C-8BBA-030211E19AD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.240\",\"matchCriteriaId\":\"0E73A49A-F9B2-470F-91B2-6FAB6239BDB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.187\",\"matchCriteriaId\":\"4BD28D29-423C-4173-9DB8-3BA14E9F665D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.144\",\"matchCriteriaId\":\"81CF08DB-B7A2-4556-8AE3-ED9144F50E31\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.97\",\"matchCriteriaId\":\"EB1BB991-B903-4718-966C-07C803CBEABC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.37\",\"matchCriteriaId\":\"6B4159AA-C70D-4DE5-9EE2-8F2728F13C5D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.6\",\"matchCriteriaId\":\"6E0BB4E0-44BC-4645-83A8-6EA232CE624C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D4894DB-CCFE-4602-B1BF-3960B2E19A01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"09709862-E348-4378-8632-5A7813EDDC86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"415BF58A-8197-43F5-B3D7-D1D63057A26E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0517869-312D-4429-80C2-561086E1421C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/40e09506aea1fde1f3e0e04eca531bbb23404baf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4c778c96e469fb719b11683e0a3be8ea68052fa2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5a7ae7bebdc4c2ecd48a2c061319956f65c09473\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/60b757730884e4a223152a68d9b5f625dac94119\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c542d62883f62ececafcb630a1c5010133826bea\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e47d7d6edc40a6ace7cc04e5893759fee68569f5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f10af34261448610d4048ac6e6af87f80e3881a4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}