CVE-2025-38355

While we are indirectly draining our dedicated workqueue ggtt->wq that we use to complete asynchronous removal of some GGTT nodes, this happends as part of the managed-drm unwinding (ggttfiniearly), which could be later then manage-device unwinding, where we could already unmap our MMIO/GMS mapping (mmio_fini).

This was recently observed during unsuccessful VF initialization:

[ ] xe 0000:00:02.1: probe with driver xe failed with error -62 [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 _xebounpinmapnovm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 _xebounpinmapnovm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 _xebounpinmapnovm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tilesfini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmiofini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xebopinnedfini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devmdrmdevinitrelease (16 bytes) [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] drmres release begin [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] REL ffff88810ef81640 _finirelay (8 bytes) [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] REL ffff88810ef80d40 gucctfini (8 bytes) [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] REL ffff88810ef80040 _drmmmutexrelease (8 bytes) [ ] xe 0000:00:02.1: [drm:drmmanagedrelease] REL ffff88810ef80140 ggttfiniearly (8 bytes)

and this was leading to:

[ ] BUG: unable to handle page fault for address: ffffc900058162a0 [ ] #PF: supervisor write access in kernel mode [ ] #PF: errorcode(0x0002) - not-present page [ ] Oops: Oops: 0002 [#1] SMP NOPTI [ ] Tainted: [W]=WARN [ ] Workqueue: xe-ggtt-wq ggttnoderemoveworkfunc [xe] [ ] RIP: 0010:xeggttsetpte+0x6d/0x350 [xe] [ ] Call Trace: [ ] <TASK> [ ] xeggttclear+0xb0/0x270 [xe] [ ] ggttnoderemove+0xbb/0x120 [xe] [ ] ggttnoderemoveworkfunc+0x30/0x50 [xe] [ ] processonework+0x22b/0x6f0 [ ] worker_thread+0x1e8/0x3d

Add managed-device action that will explicitly drain the workqueue with all pending node removals prior to releasing MMIO/GSM mapping.

(cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

919bb54e989c1edef87e9797be125c94c450fc65

Fixed

1b12f8dabbb8fd7d5a2611dd7bc5982ffbc2e5df

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

919bb54e989c1edef87e9797be125c94c450fc65

Fixed

5ab4eba9b26a93605b4f2f2b688d6ba818d7331d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

919bb54e989c1edef87e9797be125c94c450fc65

Fixed

af2b588abe006bd55ddd358c4c3b87523349c475

Affected versions

v6.*

v6.11

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.2

v6.15.3

v6.15.4

v6.16-rc1

v6.16-rc2

v6.16-rc3

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.12.0

Fixed

6.12.36

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.5