GHSA-89G7-8Q6V-6WV8

Vulnerability from github – Published: 2026-01-05 12:30 – Updated: 2026-01-19 15:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/vgem-fence: Fix potential deadlock on release

A timer that expires a vgem fence automatically in 10 seconds is now released with timer_delete_sync() from fence->ops.release() called on last dma_fence_put(). In some scenarios, it can run in IRQ context, which is not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobj_timeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1].

[117.004338] ================================ [117.004340] WARNING: inconsistent lock state [117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U [117.004346] -------------------------------- [117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. [117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes: [117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190 [117.004361] {HARDIRQ-ON-W} state was registered at: [117.004363] lock_acquire+0xc4/0x2e0 [117.004366] call_timer_fn+0x80/0x2a0 [117.004368] __run_timers+0x231/0x310 [117.004370] run_timer_softirq+0x76/0xe0 [117.004372] handle_softirqs+0xd4/0x4d0 [117.004375] __irq_exit_rcu+0x13f/0x160 [117.004377] irq_exit_rcu+0xe/0x20 [117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0 [117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [117.004385] cpuidle_enter_state+0x12b/0x8a0 [117.004388] cpuidle_enter+0x2e/0x50 [117.004393] call_cpuidle+0x22/0x60 [117.004395] do_idle+0x1fd/0x260 [117.004398] cpu_startup_entry+0x29/0x30 [117.004401] start_secondary+0x12d/0x160 [117.004404] common_startup_64+0x13e/0x141 [117.004407] irq event stamp: 2282669 [117.004409] hardirqs last enabled at (2282668): [] _raw_spin_unlock_irqrestore+0x51/0x80 [117.004414] hardirqs last disabled at (2282669): [] sysvec_irq_work+0x11/0xc0 [117.004419] softirqs last enabled at (2254702): [] __do_softirq+0x10/0x18 [117.004423] softirqs last disabled at (2254725): [] __irq_exit_rcu+0x13f/0x160 [117.004426] other info that might help us debug this: [117.004429] Possible unsafe locking scenario: [117.004432] CPU0 [117.004433] ---- [117.004434] lock((&fence->timer)); [117.004436] [117.004438] lock((&fence->timer)); [117.004440] *** DEADLOCK *** [117.004443] 1 lock held by swapper/0/0: [117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0 [117.004450] stack backtrace: [117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary) [117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 [117.004456] Call Trace: [117.004456] [117.004457] dump_stack_lvl+0x91/0xf0 [117.004460] dump_stack+0x10/0x20 [117.004461] print_usage_bug.part.0+0x260/0x360 [117.004463] mark_lock+0x76e/0x9c0 [117.004465] ? register_lock_class+0x48/0x4a0 [117.004467] __lock_acquire+0xbc3/0x2860 [117.004469] lock_acquire+0xc4/0x2e0 [117.004470] ? __timer_delete_sync+0x4b/0x190 [117.004472] ? __timer_delete_sync+0x4b/0x190 [117.004473] __timer_delete_sync+0x68/0x190 [117.004474] ? __timer_delete_sync+0x4b/0x190 [117.004475] timer_delete_sync+0x10/0x20 [117.004476] vgem_fence_release+0x19/0x30 [vgem] [117.004478] dma_fence_release+0xc1/0x3b0 [117.004480] ? dma_fence_release+0xa1/0x3b0 [117.004481] dma_fence_chain_release+0xe7/0x130 [117.004483] dma_fence_release+0xc1/0x3b0 [117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80 [117.004485] dma_fence_chain_irq_work+0x59/0x80 [117.004487] irq_work_single+0x75/0xa0 [117.004490] irq_work_r ---truncated---

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-68757"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-05T10:15:56Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put().  In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used.  One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S   U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363]   lock_acquire+0xc4/0x2e0\n[117.004366]   call_timer_fn+0x80/0x2a0\n[117.004368]   __run_timers+0x231/0x310\n[117.004370]   run_timer_softirq+0x76/0xe0\n[117.004372]   handle_softirqs+0xd4/0x4d0\n[117.004375]   __irq_exit_rcu+0x13f/0x160\n[117.004377]   irq_exit_rcu+0xe/0x20\n[117.004379]   sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382]   asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385]   cpuidle_enter_state+0x12b/0x8a0\n[117.004388]   cpuidle_enter+0x2e/0x50\n[117.004393]   call_cpuidle+0x22/0x60\n[117.004395]   do_idle+0x1fd/0x260\n[117.004398]   cpu_startup_entry+0x29/0x30\n[117.004401]   start_secondary+0x12d/0x160\n[117.004404]   common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last  enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last  enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429]  Possible unsafe locking scenario:\n[117.004432]        CPU0\n[117.004433]        ----\n[117.004434]   lock((\u0026fence-\u003etimer));\n[117.004436]   \u003cInterrupt\u003e\n[117.004438]     lock((\u0026fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445]  #0: ffffc90000003d50 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S   U              6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456]  \u003cIRQ\u003e\n[117.004457]  dump_stack_lvl+0x91/0xf0\n[117.004460]  dump_stack+0x10/0x20\n[117.004461]  print_usage_bug.part.0+0x260/0x360\n[117.004463]  mark_lock+0x76e/0x9c0\n[117.004465]  ? register_lock_class+0x48/0x4a0\n[117.004467]  __lock_acquire+0xbc3/0x2860\n[117.004469]  lock_acquire+0xc4/0x2e0\n[117.004470]  ? __timer_delete_sync+0x4b/0x190\n[117.004472]  ? __timer_delete_sync+0x4b/0x190\n[117.004473]  __timer_delete_sync+0x68/0x190\n[117.004474]  ? __timer_delete_sync+0x4b/0x190\n[117.004475]  timer_delete_sync+0x10/0x20\n[117.004476]  vgem_fence_release+0x19/0x30 [vgem]\n[117.004478]  dma_fence_release+0xc1/0x3b0\n[117.004480]  ? dma_fence_release+0xa1/0x3b0\n[117.004481]  dma_fence_chain_release+0xe7/0x130\n[117.004483]  dma_fence_release+0xc1/0x3b0\n[117.004484]  ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485]  dma_fence_chain_irq_work+0x59/0x80\n[117.004487]  irq_work_single+0x75/0xa0\n[117.004490]  irq_work_r\n---truncated---",
  "id": "GHSA-89g7-8q6v-6wv8",
  "modified": "2026-01-19T15:30:34Z",
  "published": "2026-01-05T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68757"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.