{"id":"CVE-2025-40329","summary":"drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb\n\nThe Mesa issue referenced below pointed out a possible deadlock:\n\n[ 1231.611031]  Possible interrupt unsafe locking scenario:\n\n[ 1231.611033]        CPU0                    CPU1\n[ 1231.611034]        ----                    ----\n[ 1231.611035]   lock(&xa-\u003exa_lock#17);\n[ 1231.611038]                                local_irq_disable();\n[ 1231.611039]                                lock(&fence-\u003elock);\n[ 1231.611041]                                lock(&xa-\u003exa_lock#17);\n[ 1231.611044]   \u003cInterrupt\u003e\n[ 1231.611045]     lock(&fence-\u003elock);\n[ 1231.611047]\n                *** DEADLOCK ***\n\nIn this example, CPU0 would be any function accessing job-\u003edependencies\nthrough the xa_* functions that don't disable interrupts (eg:\ndrm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).\n\nCPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling\ncallback so in an interrupt context. It will deadlock when trying to\ngrab the xa_lock which is already held by CPU0.\n\nReplacing all xa_* usage by their xa_*_irq counterparts would fix\nthis issue, but Christian pointed out another issue: dma_fence_signal\ntakes fence.lock and so does dma_fence_add_callback.\n\n  dma_fence_signal() // locks f1.lock\n  -\u003e drm_sched_entity_kill_jobs_cb()\n  -\u003e foreach dependencies\n     -\u003e dma_fence_add_callback() // locks f2.lock\n\nThis will deadlock if f1 and f2 share the same spinlock.\n\nTo fix both issues, the code iterating on dependencies and re-arming them\nis moved out to drm_sched_entity_kill_jobs_work().\n\n[phasta: commit message nits]","modified":"2026-04-16T04:32:08.566023837Z","published":"2025-12-09T04:09:46.156Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20145-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40329.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0d63031ee4a57be0252cb9a4e09ae921c75cece9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3e8ada4fd838e3fd2cca94000dac054f3a347c01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/487df8b698345dd5a91346335f05170ed5f29d4e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/70150b9443dddf02157d821c68abf438f55a2e8e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40329.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40329"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2fdb8a8f07c2f1353770a324fd19b8114e4329ac"},{"fixed":"70150b9443dddf02157d821c68abf438f55a2e8e"},{"fixed":"0d63031ee4a57be0252cb9a4e09ae921c75cece9"},{"fixed":"3e8ada4fd838e3fd2cca94000dac054f3a347c01"},{"fixed":"487df8b698345dd5a91346335f05170ed5f29d4e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40329.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.58"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40329.json"}}],"schema_version":"1.7.5"}