CVE-2025-40310: Linux kernel race between AMDGPU and amdkfd causes local DoS

A recently disclosed Linux kernel vulnerability, tracked as CVE-2025-40310, stems from a race condition between the AMDGPU driver and the AMD Kernel Fusion Driver (amdkfd) during device teardown and VM cleanup. The flaw can allow redundant or concurrent release of a PASID (Process Address Space ID), producing deterministic kernel oopses and driver crashes that create a local denial-of-service for affected systems. Upstream maintainers issued a small, targeted fix that changes ownership and teardown ordering to guarantee consistent PASID handling; the remediation has been merged into upstream and stable kernel branches and is being carried forward by distribution maintainers and vendors.

---

Background​

What component is affected​

The vulnerability lives in the intersection of the AMDGPU DRM driver and the AMDKFD (Kernel Fusion Driver) compute support layer, specifically in the device finalize/teardown path implemented by the function amdgpu_amdkfd_device_fini_sw. This area coordinates GPU VM setup/teardown, PASID allocation, and cross-subsystem reference management between the graphics (DRM) and compute (KFD) subsystems. Systems that load the amdgpu driver and expose DRM device nodes (/dev/dri/*) are the population at risk.

Why PASIDs matter​

PASIDs (Process Address Space IDs) are numerical handles used by the GPU driver and KFD to track GPU process address spaces for features like GPU virtualization, device-mapped VMs, and multi-process compute. Correct ownership and reference accounting for PASIDs are essential: both subsystems must agree which side is responsible for releasing a PASID to avoid double-free or use-after-free behaviors that can crash the kernel. The race in CVE-2025-40310 breaks that contract in certain error and teardown sequences.

The operational impact​

This is an availability-focused vulnerability. Triggering the faulty code path leads to kernel oopses and driver crashes, taking down the graphics stack and often requiring a host reboot. That makes the issue particularly important for shared infrastructure — CI runners, VDI hosts, cloud tenants with GPU passthrough, and multi-user developer workstations — where a local crash affects other users or services. The vulnerability is not known to directly expose confidentiality or integrity; its practical threat is denial-of-service.

---

Technical overview: how the race occurs​

Sequence leading to the failure​

The defective sequence is best summarized as a mismatch in state transitions and reference ownership during VM initialization and eventual teardown:

• The driver path allocates a PASID and assigns it to vm->pasid as part of converting a VM for compute use.
• A subsequent initialization or acquisition step may fail, or the teardown path may run concurrently in another context (for example, the DRM file-close path invoked by descriptor release or process exit).
• Because the code that sets vm->pasid did not consistently transfer or acquire the reference semantics used by the other subsystem, both sides may attempt to release the same PASID.
• The allocator (IDA) detects an id free on a non-allocated id and logs an error such as “ida_free called for id=… which is not allocated”, often followed by call frames that include amdgpu_pasid_free_delayed and drm_close_helper, and ultimately a kernel oops.

Root cause explained​

At its core the defect is a classic race and ownership contract failure: state transitions (vm->pasid set) and reference acquisition were not atomic across the error and teardown paths. Without a single owner and consistent reference-counting semantics, the same PASID can be freed by the DRM close path while KFD still expects to release it later. The failure surfaces in kernel traces rooted in ida_free and amdgpu_pasid_free_delayed, and produces an operational kernel oops rather than a graceful error return.

---

The upstream fix — small, defensive, and surgical​

What changed​

Upstream maintainers introduced a small helper function (named amdgpu_amdkfd_gpuvm_set_vm_pasid in the upstream fix) and call it at the final step of VM initialization in kfd_process_device_init_vm. The helper ensures vm->pasid is set only after the owning subsystem has the correct reference semantics, removing the window where both sides think they own—or will free—the same PASID. In other words: the fix makes the PASID ownership transition atomic and consistent across success/failure and teardown paths.

Why the change is effective​

The remediation is intentionally minimal to reduce regression risk. Rather than reworking large sections of driver logic, the fix inserts a single helper and adjusts the sequence so VM state is left consistent when initialization completes or when an error path is taken. That surgical approach is well suited for backporting into stable kernel branches and distribution kernels. Multiple downstream trackers report the patch as merged into upstream and propagated to stable trees.

---

Who is affected and how to assess exposure​

Systems likely to be affected​

• Linux systems with AMD GPUs where the kernel’s amdgpu driver is present and loaded.
• Machines where unprivileged processes or containerized workloads have access to DRM device nodes (/dev/dri/*).
• Multi-tenant CI/CD runners, GPU-accelerated VDI hosts, cloud images with GPU passthrough, and developer workstations used for untrusted workloads.
• Embedded or OEM kernels where vendor trees lag upstream: these are the highest long-tail risk because backports are often slow or absent.

Quick triage checklist​

• Run uname -r and compare against your distro/vendor security advisory mapping to confirm whether your kernel contains the upstream fix.
• Confirm whether the AMD driver is loaded: lsmod | grep amdgpu.
• Inspect device node permissions: ls -l /dev/dri/*. If these nodes are world-accessible or mounted into containers, exposure is higher.
• Search kernel logs for indicative patterns (see next section).

---

Detection and forensic indicators​

The bug leaves several reliable traces operators can hunt for in log data.

• Kernel log lines containing “ida_free called for id=” are canonical indicators that the PASID allocator was freed incorrectly. These often appear with an oops stack including amdgpu_pasid_free_delayed and amdgpu_driver_postclose_kms.
• Call traces showing amdgpu_pasid_free_delayed, amdgpu_driver_postclose_kms, drm_file_free, drm_close_helper, drm_release and __fput/task_work_run/do_exit are consistent signatures of the problematic sequence.
• Symptom-level telemetry: repeated compositor crashes (Wayland/Xwayland), driver resets, frozen displays, and host reboots correlated with GPU workloads are practical signs that the vulnerable code path was hit.
• For multi-tenant hosts, a pattern of crashes tied to container workloads that mount /dev/dri is a strong operational signal that untrusted workloads are able to exercise driver paths.

Hunting commands and quick checks:

• journalctl -k | grep -i "ida_free"
• dmesg | grep -E "amdgpu|amdkfd|ida_free|amdgpu_pasid_free_delayed"
• If an incident occurred, preserve full serial console and kdump traces immediately for vendor triage.

---

Remediation and mitigation guidance​

Definitive fix​

Install vendor-supplied kernel updates that include the upstream commit which implements the helper and corrected ordering, then reboot into the updated kernel. Because the change is in kernel space, a reboot is mandatory to make the fix effective. Distribution package change logs and security advisories map the commit into specific kernel package versions—use those authoritative mappings to verify patch presence.

Immediate compensations if you cannot patch​

• Restrict access to DRM device nodes: change udev rules or group ownership so /dev/dri/* is accessible only to a trusted group and not to untrusted processes or containers.
• Remove /dev/dri device passthrough from untrusted containers and CI runners; avoid device mounts such as --device=/dev/dri unless absolutely necessary.
• Consider temporarily blacklisting the amdgpu module where GPU functionality is not essential; note this disables GPU acceleration and may disrupt user workflows.
• Increase kernel log monitoring and SIEM rules to detect the signature traces described above; preserve oops traces for post-mortem and vendor support.

For operators building custom kernels​

If you maintain custom kernels or vendor forks, cherry-pick the upstream stable commit into your tree, rebuild, and validate on representative hardware. Verify presence of the fix by searching the source for the helper symbol (amdgpu_amdkfd_gpuvm_set_vm_pasid) or inspecting the diff in the stable commit. If the symbol is not present, treat the kernel as unpatched.

---

Verification and validation​

After patch deployment, perform these checks:

• Confirm kernel package changelog or vendor advisory metadata references the upstream commit or CVE mapping for CVE-2025-40310.
• Boot the patched kernel and run representative GPU workloads that exercise VM setup/teardown and compositor/hot-plug operations; monitor dmesg/journalctl for absence of prior oops traces.
• Use source-level verification for custom kernels: grep the kernel tree for amdgpu_amdkfd_gpuvm_set_vm_pasid and inspect kfd_process_device_init_vm call sites to ensure the helper invocation is present.
• Where vendor kernels are in use, open a vendor support case if you cannot find an explicit backport; ask the vendor to confirm whether the upstream commit was applied.

---

Risk assessment and operational priorities​

Severity and CVSS​

Multiple trackers classify the vulnerability as Medium with a CVSS v3.1 base score commonly around 5.5—the vector reflects a local attack path, low complexity, and an availability impact. The numeric score underscores limited confidentiality and integrity effects but should not understate operational risk: a deterministic kernel oops on shared hosts can be highly disruptive.

Exploitability in the wild​

Public trackers and vendor advisories at disclosure did not report widespread in-the-wild exploitation of this specific race. That absence aligns with the vulnerability’s local vector and hardware/topology sensitivity. Nevertheless, deterministic crash primitives are straightforward to weaponize for local denial-of-service on exposed systems; therefore, treat the absence of public PoCs as lack of evidence not an assurance of safety. Flag this as a residual risk especially in multi-tenant or poorly contained environments.

Prioritization heuristic​

• Patch immediately: multi-tenant GPU hosts, CI runners, VDI/terminal servers, and public kiosks.
• Next: developer workstations and test rigs that run untrusted code or share the host.
• Lower priority: single-user, well-maintained desktops that already run patched kernels—still verify via changelogs.

---

Practical playbook (concise)​

• Inventory (minutes)
• uname -r; lsmod | grep amdgpu; ls -l /dev/dri/*.
• Verify vendor mappings (minutes to hours)
• Check distro/vendor security advisory for CVE-2025-40310 mapping and package changelog.
• Patch and reboot (hours)
• Install vendor kernel update, schedule controlled reboots, validate post-boot.
• Short-term compensations (if patch delayed)
• Restrict /dev/dri access, remove device passthrough from containers, add monitoring.
• Post-patch validation (1–3 days)
• Run representative display and compute workloads; monitor for oops traces.

---

Special considerations​

Embedded, OEM, and long-tail devices​

Vendor-supplied or OEM kernels are the largest long-tail exposure. These kernels often lag upstream and may not receive backports in a timely manner. For appliances or embedded devices, open vendor support cases requesting a backport or updated firmware/kernel image that includes the upstream commit; do not assume an advisory applies until the vendor confirms the backport.

Containers and cloud images​

Systems that mount /dev/dri into containers or use GPU passthrough should assume increased exposure. Remove /dev/dri device nodes from untrusted containers and limit GPU passthrough to trusted workloads until all hosts are confirmed patched. Cloud images and marketplace artifacts that include custom kernels must be individually verified for the presence of the fix.

For security teams and responders​

Preserve complete kernel oops and serial console traces for vendor mapping. SIEM rules should target the canonical kernel messages and the amdgpu/amdkfd stack signatures described earlier; those traces are the most actionable forensic artifacts for triage and vendor escalation.

---

Conclusion​

CVE-2025-40310 is a clear example of how subtle race and ownership contract failures in kernel driver code can escalate to severe operational impact. The vulnerability is local and availability-focused, but the crash primitives it exposes are deterministically reproducible in vulnerable configurations and thus materially hazardous for shared and multi-tenant systems. The upstream remediation is small, targeted, and low-risk to backport, and vendors and distributions have been mapping fixes into their kernel packages.
Operators should prioritize patching GPU hosts, verify the presence of the upstream commit or vendor backport in their kernel packages, and apply compensating controls (restrict /dev/dri access, remove device passthrough from untrusted containers) while rollout proceeds. Preserve kernel oops traces for forensic analysis and vendor debugging if an incident occurs. Treat the lack of public PoCs as a cautionary gap in evidence, not a reason to delay remediation: in production environments, availability failures are themselves an immediate and high-impact risk.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center