{"id":"CVE-2025-68793","summary":"drm/amdgpu: fix a job-\u003epasid access race in gpu recovery","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix a job-\u003epasid access race in gpu recovery\n\nAvoid a possible UAF in GPU recovery due to a race between\nthe sched timeout callback and the tdr work queue.\n\nThe gpu recovery function calls drm_sched_stop() and\nlater drm_sched_start().  drm_sched_start() restarts\nthe tdr queue which will eventually free the job.  If\nthe tdr queue frees the job before time out callback\ncompletes, the job will be freed and we'll get a UAF\nwhen accessing the pasid.  Cache it early to avoid the\nUAF.\n\nExample KASAN trace:\n[  493.058141] BUG: KASAN: slab-use-after-free in amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.067530] Read of size 4 at addr ffff88b0ce3f794c by task kworker/u128:1/323\n[  493.074892]\n[  493.076485] CPU: 9 UID: 0 PID: 323 Comm: kworker/u128:1 Tainted: G            E       6.16.0-1289896.2.zuul.bf4f11df81c1410bbe901c4373305a31 #1 PREEMPT(voluntary)\n[  493.076493] Tainted: [E]=UNSIGNED_MODULE\n[  493.076495] Hardware name: TYAN B8021G88V2HR-2T/S8021GM2NR-2T, BIOS V1.03.B10 04/01/2019\n[  493.076500] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]\n[  493.076512] Call Trace:\n[  493.076515]  \u003cTASK\u003e\n[  493.076518]  dump_stack_lvl+0x64/0x80\n[  493.076529]  print_report+0xce/0x630\n[  493.076536]  ? _raw_spin_lock_irqsave+0x86/0xd0\n[  493.076541]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[  493.076545]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077253]  kasan_report+0xb8/0xf0\n[  493.077258]  ? amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.077965]  amdgpu_device_gpu_recover+0x968/0x990 [amdgpu]\n[  493.078672]  ? __pfx_amdgpu_device_gpu_recover+0x10/0x10 [amdgpu]\n[  493.079378]  ? amdgpu_coredump+0x1fd/0x4c0 [amdgpu]\n[  493.080111]  amdgpu_job_timedout+0x642/0x1400 [amdgpu]\n[  493.080903]  ? pick_task_fair+0x24e/0x330\n[  493.080910]  ? __pfx_amdgpu_job_timedout+0x10/0x10 [amdgpu]\n[  493.081702]  ? _raw_spin_lock+0x75/0xc0\n[  493.081708]  ? __pfx__raw_spin_lock+0x10/0x10\n[  493.081712]  drm_sched_job_timedout+0x1b0/0x4b0 [gpu_sched]\n[  493.081721]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081725]  process_one_work+0x679/0xff0\n[  493.081732]  worker_thread+0x6ce/0xfd0\n[  493.081736]  ? __pfx_worker_thread+0x10/0x10\n[  493.081739]  kthread+0x376/0x730\n[  493.081744]  ? __pfx_kthread+0x10/0x10\n[  493.081748]  ? __pfx__raw_spin_lock_irq+0x10/0x10\n[  493.081751]  ? __pfx_kthread+0x10/0x10\n[  493.081755]  ret_from_fork+0x247/0x330\n[  493.081761]  ? __pfx_kthread+0x10/0x10\n[  493.081764]  ret_from_fork_asm+0x1a/0x30\n[  493.081771]  \u003c/TASK\u003e\n\n(cherry picked from commit 20880a3fd5dd7bca1a079534cf6596bda92e107d)","modified":"2026-03-20T12:46:28.961623Z","published":"2026-01-13T15:29:04.877Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68793.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/77f73253015cbc7893fca1821ac3eae9eb4bc943"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dac58c012c47cadf337a35eb05d44498c43e5cd0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68793.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68793"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a72002cb181f350734108228b24c5d10d358f95a"},{"fixed":"dac58c012c47cadf337a35eb05d44498c43e5cd0"},{"fixed":"77f73253015cbc7893fca1821ac3eae9eb4bc943"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68793.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68793.json"}}],"schema_version":"1.7.5"}