Description

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Assign job pointer to NULL before signaling the fence In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ execution thread, a new job starts to be executed. This results in a race condition where the IRQ execution thread sets the job pointer to NULL simultaneously as the `run_job()` function assigns a new job to the pointer. This race condition can lead to a NULL pointer dereference if the IRQ execution thread sets the job pointer to NULL after `run_job()` assigns it to the new job. When the new job completes and the GPU emits an interrupt, `v3d_irq()` is triggered, potentially causing a crash. [ 466.310099] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 466.318928] Mem abort info: [ 466.321723] ESR = 0x0000000096000005 [ 466.325479] EC = 0x25: DABT (current EL), IL = 32 bits [ 466.330807] SET = 0, FnV = 0 [ 466.333864] EA = 0, S1PTW = 0 [ 466.337010] FSC = 0x05: level 1 translation fault [ 466.341900] Data abort info: [ 466.344783] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 466.350285] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 466.355350] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 466.360677] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000089772000 [ 466.367140] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 466.375875] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 466.382163] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device algif_hash algif_skcipher af_alg bnep binfmt_misc vc4 snd_soc_hdmi_codec drm_display_helper cec brcmfmac_wcc spidev rpivid_hevc(C) drm_client_lib brcmfmac hci_uart drm_dma_helper pisp_be btbcm brcmutil snd_soc_core aes_ce_blk v4l2_mem2mem bluetooth aes_ce_cipher snd_compress videobuf2_dma_contig ghash_ce cfg80211 gf128mul snd_pcm_dmaengine videobuf2_memops ecdh_generic sha2_ce ecc videobuf2_v4l2 snd_pcm v3d sha256_arm64 rfkill videodev snd_timer sha1_ce libaes gpu_sched snd videobuf2_common sha1_generic drm_shmem_helper mc rp1_pio drm_kms_helper raspberrypi_hwmon spi_bcm2835 gpio_keys i2c_brcmstb rp1 raspberrypi_gpiomem rp1_mailbox rp1_adc nvmem_rmem uio_pdrv_genirq uio i2c_dev drm ledtrig_pattern drm_panel_orientation_quirks backlight fuse dm_mod ip_tables x_tables ipv6 [ 466.458429] CPU: 0 UID: 1000 PID: 2008 Comm: chromium Tainted: G C 6.13.0-v8+ #18 [ 466.467336] Tainted: [C]=CRAP [ 466.470306] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 466.476157] pstate: 404000c9 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 466.483143] pc : v3d_irq+0x118/0x2e0 [v3d] [ 466.487258] lr : __handle_irq_event_percpu+0x60/0x228 [ 466.492327] sp : ffffffc080003ea0 [ 466.495646] x29: ffffffc080003ea0 x28: ffffff80c0c94200 x27: 0000000000000000 [ 466.502807] x26: ffffffd08dd81d7b x25: ffffff80c0c94200 x24: ffffff8003bdc200 [ 466.509969] x23: 0000000000000001 x22: 00000000000000a7 x21: 0000000000000000 [ 466.517130] x20: ffffff8041bb0000 x19: 0000000000000001 x18: 0000000000000000 [ 466.524291] x17: ffffffafadfb0000 x16: ffffffc080000000 x15: 0000000000000000 [ 466.531452] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 466.538613] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffffd08c527eb0 [ 466.545777] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 [ 466.552941] x5 : ffffffd08c4100d0 x4 : ffffffafadfb0000 x3 : ffffffc080003f70 [ 466.560102] x2 : ffffffc0829e8058 x1 : 0000000000000001 x0 : 0000000000000000 [ 466.567263] Call trace: [ 466.569711] v3d_irq+0x118/0x2e0 [v3d] (P) [ 466. ---truncated---

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  4.7 MEDIUM

Vector:  CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/01a7e3a43ee2e6607169a75889412344c10b37fd	Patch
https://git.kernel.org/stable/c/1f66a3a1a516e4d545906916b3f3c8d1c5e909e6	Patch
https://git.kernel.org/stable/c/3059e7aaa280daea57bb069fbc65225e1bb95014	Patch
https://git.kernel.org/stable/c/431fb709db434565b5e7cee82a11bd681a794fd3	Patch
https://git.kernel.org/stable/c/6cfafcad46e95351c477da0ae7e3acb8f7550ada	Patch
https://git.kernel.org/stable/c/6e64d6b3a3c39655de56682ec83e894978d23412	Patch
https://git.kernel.org/stable/c/9793206fbf5293534c3a79d78f196e2cbb48c22d	Patch
https://git.kernel.org/stable/c/a9401cd5d1bb5a0b8d2bef09623ca43551cd6e8a	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Configuration 1 ( hide )

cpe:2.3:o:linux:linux_kernel:5.15.177:*:*:*:*:*:*:*    Show Matching CPE(s)

cpe:2.3:o:linux:linux_kernel:6.1.127:*:*:*:*:*:*:*    Show Matching CPE(s)

cpe:2.3:o:linux:linux_kernel:6.6.74:*:*:*:*:*:*:*    Show Matching CPE(s)

cpe:2.3:o:linux:linux_kernel:6.12.11:*:*:*:*:*:*:*    Show Matching CPE(s)

cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*    Show Matching CPE(s)

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 2/21/2025 11:41:20 AM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE		NIST CWE-362
Added	CPE Configuration		OR *cpe:2.3:o:linux:linux_kernel:5.15.177:*:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.1.127:*:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.6.74:*:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12.11:*:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*
Changed	Reference Type	https://git.kernel.org/stable/c/01a7e3a43ee2e6607169a75889412344c10b37fd No Types Assigned	https://git.kernel.org/stable/c/01a7e3a43ee2e6607169a75889412344c10b37fd Patch
Changed	Reference Type	https://git.kernel.org/stable/c/1f66a3a1a516e4d545906916b3f3c8d1c5e909e6 No Types Assigned	https://git.kernel.org/stable/c/1f66a3a1a516e4d545906916b3f3c8d1c5e909e6 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/3059e7aaa280daea57bb069fbc65225e1bb95014 No Types Assigned	https://git.kernel.org/stable/c/3059e7aaa280daea57bb069fbc65225e1bb95014 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/431fb709db434565b5e7cee82a11bd681a794fd3 No Types Assigned	https://git.kernel.org/stable/c/431fb709db434565b5e7cee82a11bd681a794fd3 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/6cfafcad46e95351c477da0ae7e3acb8f7550ada No Types Assigned	https://git.kernel.org/stable/c/6cfafcad46e95351c477da0ae7e3acb8f7550ada Patch
Changed	Reference Type	https://git.kernel.org/stable/c/6e64d6b3a3c39655de56682ec83e894978d23412 No Types Assigned	https://git.kernel.org/stable/c/6e64d6b3a3c39655de56682ec83e894978d23412 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/9793206fbf5293534c3a79d78f196e2cbb48c22d No Types Assigned	https://git.kernel.org/stable/c/9793206fbf5293534c3a79d78f196e2cbb48c22d Patch
Changed	Reference Type	https://git.kernel.org/stable/c/a9401cd5d1bb5a0b8d2bef09623ca43551cd6e8a No Types Assigned	https://git.kernel.org/stable/c/a9401cd5d1bb5a0b8d2bef09623ca43551cd6e8a Patch

New CVE Received from kernel.org 2/10/2025 11:15:38 AM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 3998 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Assign job pointer to NULL before signaling the fence In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race condition between the DRM scheduler workqueue and the IRQ execution thread. As soon as the fence is signaled in the IRQ executio
Added	Reference		https://git.kernel.org/stable/c/01a7e3a43ee2e6607169a75889412344c10b37fd
Added	Reference		https://git.kernel.org/stable/c/1f66a3a1a516e4d545906916b3f3c8d1c5e909e6
Added	Reference		https://git.kernel.org/stable/c/3059e7aaa280daea57bb069fbc65225e1bb95014
Added	Reference		https://git.kernel.org/stable/c/431fb709db434565b5e7cee82a11bd681a794fd3
Added	Reference		https://git.kernel.org/stable/c/6cfafcad46e95351c477da0ae7e3acb8f7550ada
Added	Reference		https://git.kernel.org/stable/c/6e64d6b3a3c39655de56682ec83e894978d23412
Added	Reference		https://git.kernel.org/stable/c/9793206fbf5293534c3a79d78f196e2cbb48c22d
Added	Reference		https://git.kernel.org/stable/c/a9401cd5d1bb5a0b8d2bef09623ca43551cd6e8a