CVE-2025-68802— drm/xe: Limit num_syncs to prevent oversized allocations
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-68802
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
drm/xe: Limit num_syncs to prevent oversized allocations
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Limit num_syncs to prevent oversized allocations The exec and vm_bind ioctl allow userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request exceeding this limit. " ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 ... Call Trace: <TASK> alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kmalloc_array_noprof include/linux/slab.h:948 [inline] xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... " v2: Add "Reported-by" and Cc stable kernels. v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh) v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt) v5: Do the check at the top of the exec func. (Matt) (cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于未对num_syncs值进行边界检查,可能导致分配过大内存。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-68802
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-68802
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-01-13 · 93 CVEs total
| CVE-2025-71089 | 7.8 HIGH | iommu: disable SVA when CONFIG_X86 is set |
| CVE-2025-71069 | f2fs: invalidate dentry cache on failed whiteout creation | |
| CVE-2025-71068 | svcrdma: bound check rq_pages index in inline path | |
| CVE-2025-71065 | f2fs: fix to avoid potential deadlock | |
| CVE-2025-68821 | fuse: fix readahead reclaim deadlock | |
| CVE-2025-68820 | ext4: xattr: fix null pointer deref in ext4_raw_inode() | |
| CVE-2025-68819 | media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() | |
| CVE-2025-68818 | scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" | |
| CVE-2025-68817 | ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency | |
| CVE-2025-68823 | ublk: fix deadlock when reading partition table | |
| CVE-2025-71067 | ntfs: set dummy blocksize to read boot_block when mounting | |
| CVE-2025-71071 | iommu/mediatek: fix use-after-free on probe deferral | |
| CVE-2025-71070 | ublk: clean up user copy references on ublk server exit | |
| CVE-2025-71072 | shmem: fix recovery on rename failures | |
| CVE-2025-71073 | Input: lkkbd - disable pending work before freeing device | |
| CVE-2025-71074 | functionfs: fix the open/removal races | |
| CVE-2025-71075 | scsi: aic94xx: fix use-after-free in device removal path | |
| CVE-2025-71077 | tpm: Cap the number of PCR banks | |
| CVE-2025-71076 | drm/xe/oa: Limit num_syncs to prevent oversized allocations | |
| CVE-2025-71078 | powerpc/64s/slb: Fix SLB multihit issue during SLB preload |
Showing top 20 of 93 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-68802
No comments yet