CVE-2026-31479 (GCVE-0-2026-31479)

Vulnerability from cvelistv5 – Published: 2026-04-22 13:54 – Updated: 2026-04-22 13:54
VLAI?
Title
drm/xe: always keep track of remap prev/next
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/xe: always keep track of remap prev/next During 3D workload, user is reporting hitting: [ 413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925 [ 413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy) [ 413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe] [ 413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282 [ 413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000 [ 413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000 [ 413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380 [ 413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380 [ 413.362083] FS: 00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000 [ 413.362085] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 [ 413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0 [ 413.362088] PKRU: 55555554 [ 413.362089] Call Trace: [ 413.362092] <TASK> [ 413.362096] xe_vm_bind_ioctl+0xa9a/0xc60 [xe] Which seems to hint that the vma we are re-inserting for the ops unwind is either invalid or overlapping with something already inserted in the vm. It shouldn't be invalid since this is a re-insertion, so must have worked before. Leaving the likely culprit as something already placed where we want to insert the vma. Following from that, for the case where we do something like a rebind in the middle of a vma, and one or both mapped ends are already compatible, we skip doing the rebind of those vma and set next/prev to NULL. As well as then adjust the original unmap va range, to avoid unmapping the ends. However, if we trigger the unwind path, we end up with three va, with the two ends never being removed and the original va range in the middle still being the shrunken size. If this occurs, one failure mode is when another unwind op needs to interact with that range, which can happen with a vector of binds. For example, if we need to re-insert something in place of the original va. In this case the va is still the shrunken version, so when removing it and then doing a re-insert it can overlap with the ends, which were never removed, triggering a warning like above, plus leaving the vm in a bad state. With that, we need two things here: 1) Stop nuking the prev/next tracking for the skip cases. Instead relying on checking for skip prev/next, where needed. That way on the unwind path, we now correctly remove both ends. 2) Undo the unmap va shrinkage, on the unwind path. With the two ends now removed the unmap va should expand back to the original size again, before re-insertion. v2: - Update the explanation in the commit message, based on an actual IGT of triggering this issue, rather than conjecture. - Also undo the unmap shrinkage, for the skip case. With the two ends now removed, the original unmap va range should expand back to the original range. v3: - Track the old start/range separately. vma_size/start() uses the va info directly. (cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8f33b4f054fc29a4774d8d10116ef460faeb84a8 , < ccd41f110c608b3cc347b9be881c3e72cd634b2b (git)
Affected: 8f33b4f054fc29a4774d8d10116ef460faeb84a8 , < 5eda8001ebb5269755608d678dd1f3928ab077c9 (git)
Affected: 8f33b4f054fc29a4774d8d10116ef460faeb84a8 , < e6ba1749549e87b83c0c4885d84b543687c3740e (git)
Affected: 8f33b4f054fc29a4774d8d10116ef460faeb84a8 , < bfe9e314d7574d1c5c851972e7aee342733819d2 (git)
Create a notification for this product.
    Linux Linux Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.80 , ≤ 6.12.* (semver)
Unaffected: 6.18.21 , ≤ 6.18.* (semver)
Unaffected: 6.19.11 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_pt.c",
            "drivers/gpu/drm/xe/xe_vm.c",
            "drivers/gpu/drm/xe/xe_vm_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ccd41f110c608b3cc347b9be881c3e72cd634b2b",
              "status": "affected",
              "version": "8f33b4f054fc29a4774d8d10116ef460faeb84a8",
              "versionType": "git"
            },
            {
              "lessThan": "5eda8001ebb5269755608d678dd1f3928ab077c9",
              "status": "affected",
              "version": "8f33b4f054fc29a4774d8d10116ef460faeb84a8",
              "versionType": "git"
            },
            {
              "lessThan": "e6ba1749549e87b83c0c4885d84b543687c3740e",
              "status": "affected",
              "version": "8f33b4f054fc29a4774d8d10116ef460faeb84a8",
              "versionType": "git"
            },
            {
              "lessThan": "bfe9e314d7574d1c5c851972e7aee342733819d2",
              "status": "affected",
              "version": "8f33b4f054fc29a4774d8d10116ef460faeb84a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_pt.c",
            "drivers/gpu/drm/xe/xe_vm.c",
            "drivers/gpu/drm/xe/xe_vm_types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.80",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.21",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.11",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: always keep track of remap prev/next\n\nDuring 3D workload, user is reporting hitting:\n\n[  413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925\n[  413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)\n[  413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]\n[  413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282\n[  413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000\n[  413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[  413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000\n[  413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380\n[  413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380\n[  413.362083] FS:  00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000\n[  413.362085] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\n[  413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0\n[  413.362088] PKRU: 55555554\n[  413.362089] Call Trace:\n[  413.362092]  \u003cTASK\u003e\n[  413.362096]  xe_vm_bind_ioctl+0xa9a/0xc60 [xe]\n\nWhich seems to hint that the vma we are re-inserting for the ops unwind\nis either invalid or overlapping with something already inserted in the\nvm. It shouldn\u0027t be invalid since this is a re-insertion, so must have\nworked before. Leaving the likely culprit as something already placed\nwhere we want to insert the vma.\n\nFollowing from that, for the case where we do something like a rebind in\nthe middle of a vma, and one or both mapped ends are already compatible,\nwe skip doing the rebind of those vma and set next/prev to NULL. As well\nas then adjust the original unmap va range, to avoid unmapping the ends.\nHowever, if we trigger the unwind path, we end up with three va, with\nthe two ends never being removed and the original va range in the middle\nstill being the shrunken size.\n\nIf this occurs, one failure mode is when another unwind op needs to\ninteract with that range, which can happen with a vector of binds. For\nexample, if we need to re-insert something in place of the original va.\nIn this case the va is still the shrunken version, so when removing it\nand then doing a re-insert it can overlap with the ends, which were\nnever removed, triggering a warning like above, plus leaving the vm in a\nbad state.\n\nWith that, we need two things here:\n\n 1) Stop nuking the prev/next tracking for the skip cases. Instead\n    relying on checking for skip prev/next, where needed. That way on the\n    unwind path, we now correctly remove both ends.\n\n 2) Undo the unmap va shrinkage, on the unwind path. With the two ends\n    now removed the unmap va should expand back to the original size again,\n    before re-insertion.\n\nv2:\n  - Update the explanation in the commit message, based on an actual IGT of\n    triggering this issue, rather than conjecture.\n  - Also undo the unmap shrinkage, for the skip case. With the two ends\n    now removed, the original unmap va range should expand back to the\n    original range.\nv3:\n  - Track the old start/range separately. vma_size/start() uses the va\n    info directly.\n\n(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T13:54:06.880Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ccd41f110c608b3cc347b9be881c3e72cd634b2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5eda8001ebb5269755608d678dd1f3928ab077c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6ba1749549e87b83c0c4885d84b543687c3740e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfe9e314d7574d1c5c851972e7aee342733819d2"
        }
      ],
      "title": "drm/xe: always keep track of remap prev/next",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31479",
    "datePublished": "2026-04-22T13:54:06.880Z",
    "dateReserved": "2026-03-09T15:48:24.100Z",
    "dateUpdated": "2026-04-22T13:54:06.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31479\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-22T14:16:44.993\",\"lastModified\":\"2026-04-22T14:16:44.993\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/xe: always keep track of remap prev/next\\n\\nDuring 3D workload, user is reporting hitting:\\n\\n[  413.361679] WARNING: drivers/gpu/drm/xe/xe_vm.c:1217 at vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe], CPU#7: vkd3d_queue/9925\\n[  413.361944] CPU: 7 UID: 1000 PID: 9925 Comm: vkd3d_queue Kdump: loaded Not tainted 7.0.0-070000rc3-generic #202603090038 PREEMPT(lazy)\\n[  413.361949] RIP: 0010:vm_bind_ioctl_ops_unwind+0x1e2/0x2e0 [xe]\\n[  413.362074] RSP: 0018:ffffd4c25c3df930 EFLAGS: 00010282\\n[  413.362077] RAX: 0000000000000000 RBX: ffff8f3ee817ed10 RCX: 0000000000000000\\n[  413.362078] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\\n[  413.362079] RBP: ffffd4c25c3df980 R08: 0000000000000000 R09: 0000000000000000\\n[  413.362081] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8f41fbf99380\\n[  413.362082] R13: ffff8f3ee817e968 R14: 00000000ffffffef R15: ffff8f43d00bd380\\n[  413.362083] FS:  00000001040ff6c0(0000) GS:ffff8f4696d89000(0000) knlGS:00000000330b0000\\n[  413.362085] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033\\n[  413.362086] CR2: 00007ddfc4747000 CR3: 00000002e6262005 CR4: 0000000000f72ef0\\n[  413.362088] PKRU: 55555554\\n[  413.362089] Call Trace:\\n[  413.362092]  \u003cTASK\u003e\\n[  413.362096]  xe_vm_bind_ioctl+0xa9a/0xc60 [xe]\\n\\nWhich seems to hint that the vma we are re-inserting for the ops unwind\\nis either invalid or overlapping with something already inserted in the\\nvm. It shouldn\u0027t be invalid since this is a re-insertion, so must have\\nworked before. Leaving the likely culprit as something already placed\\nwhere we want to insert the vma.\\n\\nFollowing from that, for the case where we do something like a rebind in\\nthe middle of a vma, and one or both mapped ends are already compatible,\\nwe skip doing the rebind of those vma and set next/prev to NULL. As well\\nas then adjust the original unmap va range, to avoid unmapping the ends.\\nHowever, if we trigger the unwind path, we end up with three va, with\\nthe two ends never being removed and the original va range in the middle\\nstill being the shrunken size.\\n\\nIf this occurs, one failure mode is when another unwind op needs to\\ninteract with that range, which can happen with a vector of binds. For\\nexample, if we need to re-insert something in place of the original va.\\nIn this case the va is still the shrunken version, so when removing it\\nand then doing a re-insert it can overlap with the ends, which were\\nnever removed, triggering a warning like above, plus leaving the vm in a\\nbad state.\\n\\nWith that, we need two things here:\\n\\n 1) Stop nuking the prev/next tracking for the skip cases. Instead\\n    relying on checking for skip prev/next, where needed. That way on the\\n    unwind path, we now correctly remove both ends.\\n\\n 2) Undo the unmap va shrinkage, on the unwind path. With the two ends\\n    now removed the unmap va should expand back to the original size again,\\n    before re-insertion.\\n\\nv2:\\n  - Update the explanation in the commit message, based on an actual IGT of\\n    triggering this issue, rather than conjecture.\\n  - Also undo the unmap shrinkage, for the skip case. With the two ends\\n    now removed, the original unmap va range should expand back to the\\n    original range.\\nv3:\\n  - Track the old start/range separately. vma_size/start() uses the va\\n    info directly.\\n\\n(cherry picked from commit aec6969f75afbf4e01fd5fb5850ed3e9c27043ac)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5eda8001ebb5269755608d678dd1f3928ab077c9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bfe9e314d7574d1c5c851972e7aee342733819d2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ccd41f110c608b3cc347b9be881c3e72cd634b2b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e6ba1749549e87b83c0c4885d84b543687c3740e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.