{ "threat_severity" : "Moderate", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: drm/i915/gvt: fix vgpu debugfs clean in remove", "id" : "2402211", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402211" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/i915/gvt: fix vgpu debugfs clean in remove\nCheck carefully on root debugfs available when destroying vgpu,\ne.g in remove case drm minor's debugfs root might already be destroyed,\nwhich led to kernel oops like below.\nConsole: switching to colour dummy device 80x25\ni915 0000:00:02.0: MDEV: Unregistering\nintel_vgpu_mdev b1338b2d-a709-4c23-b766-cc436c36cdf0: Removing from iommu group 14\nBUG: kernel NULL pointer dereference, address: 0000000000000150\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP\nCPU: 3 PID: 1046 Comm: driverctl Not tainted 6.1.0-rc2+ #6\nHardware name: HP HP ProDesk 600 G3 MT/829D, BIOS P02 Ver. 02.44 09/13/2022\nRIP: 0010:__lock_acquire+0x5e2/0x1f90\nCode: 87 ad 09 00 00 39 05 e1 1e cc 02 0f 82 f1 09 00 00 ba 01 00 00 00 48 83 c4 48 89 d0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ff <48> 81 3f 60 9e c2 b6 45 0f 45 f8 83 fe 01 0f 87 55 fa ff ff 89 f0\nRSP: 0018:ffff9f770274f948 EFLAGS: 00010046\nRAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000150\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8895d1173300 R11: 0000000000000001 R12: 0000000000000000\nR13: 0000000000000150 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007fc9b2ba0740(0000) GS:ffff889cdfcc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000150 CR3: 000000010fd93005 CR4: 00000000003706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nlock_acquire+0xbf/0x2b0\n? simple_recursive_removal+0xa5/0x2b0\n? lock_release+0x13d/0x2d0\ndown_write+0x2a/0xd0\n? simple_recursive_removal+0xa5/0x2b0\nsimple_recursive_removal+0xa5/0x2b0\n? start_creating.part.0+0x110/0x110\n? _raw_spin_unlock+0x29/0x40\ndebugfs_remove+0x40/0x60\nintel_gvt_debugfs_remove_vgpu+0x15/0x30 [kvmgt]\nintel_gvt_destroy_vgpu+0x60/0x100 [kvmgt]\nintel_vgpu_release_dev+0xe/0x20 [kvmgt]\ndevice_release+0x30/0x80\nkobject_put+0x79/0x1b0\ndevice_release_driver_internal+0x1b8/0x230\nbus_remove_device+0xec/0x160\ndevice_del+0x189/0x400\n? up_write+0x9c/0x1b0\n? mdev_device_remove_common+0x60/0x60 [mdev]\nmdev_device_remove_common+0x22/0x60 [mdev]\nmdev_device_remove_cb+0x17/0x20 [mdev]\ndevice_for_each_child+0x56/0x80\nmdev_unregister_parent+0x5a/0x81 [mdev]\nintel_gvt_clean_device+0x2d/0xe0 [kvmgt]\nintel_gvt_driver_remove+0x2e/0xb0 [i915]\ni915_driver_remove+0xac/0x100 [i915]\ni915_pci_remove+0x1a/0x30 [i915]\npci_device_remove+0x31/0xa0\ndevice_release_driver_internal+0x1b8/0x230\nunbind_store+0xd8/0x100\nkernfs_fop_write_iter+0x156/0x210\nvfs_write+0x236/0x4a0\nksys_write+0x61/0xd0\ndo_syscall_64+0x55/0x80\n? find_held_lock+0x2b/0x80\n? lock_release+0x13d/0x2d0\n? up_read+0x17/0x20\n? lock_is_held_type+0xe3/0x140\n? asm_exc_page_fault+0x22/0x30\n? lockdep_hardirqs_on+0x7d/0x100\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7fc9b2c9e0c4\nCode: 15 71 7d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 3d 05 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48\nRSP: 002b:00007ffec29c81c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc9b2c9e0c4\nRDX: 000000000000000d RSI: 0000559f8b5f48a0 RDI: 0000000000000001\nRBP: 0000559f8b5f48a0 R08: 0000559f8b5f3540 R09: 00007fc9b2d76d30\nR10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000d\nR13: 00007fc9b2d77780 R14: 000000000000000d R15: 00007fc9b2d72a00\n\nModules linked in: sunrpc intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ee1004 igbvf rapl vfat fat intel_cstate intel_uncore pktcdvd i2c_i801 pcspkr wmi_bmof i2c_smbus acpi_pad vfio_pci vfio_pci_core vfio_virqfd zram fuse dm\n---truncated---", "A NULL pointer dereference was found in the Linux kernel Intel i915 graphics driver's virtual GPU debugfs cleanup handling. \nA local user with privileges to unbind the i915 driver can trigger driver removal on systems with active virtual GPU instances, causing the cleanup path to attempt removing debugfs entries after the debugfs root has already been destroyed, which results in a NULL pointer dereference and denial of service through kernel crash." ], "statement" : "The issue arises because of incorrect ordering in the driver removal sequence. When the i915 driver with GVT-g (GPU virtualization) support is unbound, the cleanup proceeds through multiple stages: driver removal, MDEV (mediated device) unregistration, and vGPU destruction. During vGPU destruction, the code unconditionally calls intel_gvt_debugfs_remove_vgpu() to clean up debugfs entries. However, at this point in the removal sequence, the DRM minor's debugfs root may have already been torn down. When debugfs_remove() attempts to lock the inode semaphore to recursively remove entries, it dereferences a NULL pointer (address 0x150, an offset into the destroyed debugfs inode structure), causing an immediate kernel oops. This occurs reliably on any system using GVT-g when the driver is unbound while virtual GPUs exist. The impact is strictly availability—the system crashes during driver removal. There is no memory corruption, information disclosure, or path to privilege escalation; the NULL dereference happens in lock acquisition code before any potentially dangerous operations could occur.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHSA-2023:6583", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-362.8.1.el9_3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53625\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53625\nhttps://lore.kernel.org/linux-cve-announce/2025100711-CVE-2023-53625-3f41@gregkh/T" ], "name" : "CVE-2023-53625", "mitigation" : { "value" : "To mitigate this issue, prevent the kvmgt module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.", "lang" : "en:us" }, "csaw" : false }