CVE-2024-50144: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: fix unbalanced rpm put() with fence_fini()

Currently we can call fence_fini() twice if something goes wrong when sending the GuC CT for the tlb request, since we signal the fence and return an error, leading to the caller also calling fini() on the error path in the case of stack version of the flow, which leads to an extra rpm put() which might later cause device to enter suspend when it shouldn't. It looks like we can just drop the fini() call since the fence signaller side will already call this for us. There are known mysterious splats with device going to sleep even with an rpm ref, and this could be one candidate.

v2 (Matt B):
- Prefer warning if we detect double fini()

(cherry picked from commit cfcbc0520d5055825f0647ab922b655688605183)
AI Analysis
Technical Summary
CVE-2024-50144 is a vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in the Intel Xe graphics driver (drm/xe). The issue is an unbalanced reference count decrement (an extra rpm put()) related to the fence_fini() function, which is responsible for cleaning up synchronization fences used in GPU command submission.

The double call happens on an error path. If something goes wrong while sending the GuC command transport (CT) message for a translation lookaside buffer (TLB) request, the driver signals the fence and returns an error. The fence signaller side already calls fence_fini(), and in the stack version of the flow the caller calls fini() again on its own error path, which results in an extra rpm put(). This unbalanced decrement can later cause the device to enter a suspend state unexpectedly, even though a runtime power management (rpm) reference is still held. The result can be device instability, unexpected power state transitions, and potentially disrupted GPU operations.

The patch resolves this by removing the redundant fence_fini() call and adding a warning to detect double fini() invocations. The vulnerability does not have known exploits in the wild and no CVSS score has been assigned yet. It primarily affects Linux kernel versions containing the specified commit hash, which corresponds to recent versions of the Linux kernel with Intel Xe graphics support.
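The reference imbalance described above, reduced to a user-space C model. This is an added example, not code from the kernel or from this page; every struct and function name is hypothetical, and the guard's early return on a second fini is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; every name here is hypothetical, not drm/xe code. */
struct device { int rpm_refs; int warnings; };
struct fence  { struct device *dev; bool live; };

static void fence_init(struct fence *f, struct device *d)
{
    f->dev = d;
    f->live = true;
    d->rpm_refs++;                  /* the fence holds one rpm reference */
}

/* Unguarded, every call drops a reference, even a repeated one.
 * Guarded, a second call only counts a warning; skipping the put there
 * is this model's assumption, not a statement about the patch. */
static void fence_fini(struct fence *f, bool guarded)
{
    if (guarded && !f->live) { f->dev->warnings++; return; }
    f->live = false;
    f->dev->rpm_refs--;
}

/* Returns the rpm references left after a failed send. One reference
 * belongs to another holder, so anything below 1 is an imbalance. */
int run_flow(bool caller_fini_on_error, bool guarded, int *warnings)
{
    struct device dev = { 1, 0 };   /* another holder's reference */
    struct fence f;

    fence_init(&f, &dev);
    fence_fini(&f, guarded);        /* send failed: signaller side finalizes */
    if (caller_fini_on_error)
        fence_fini(&f, guarded);    /* the extra error-path call */
    if (warnings)
        *warnings = dev.warnings;
    return dev.rpm_refs;
}

int main(void)
{
    printf("caller also calls fini: %d ref(s) left\n", run_flow(true, false, NULL));
    printf("caller call dropped:    %d ref(s) left\n", run_flow(false, true, NULL));
    return 0;
}
```

With the extra call the count reaches zero while the other holder still expects the device to stay awake, which is the unexpected suspend the description refers to.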
Potential Impact
For European organizations, this vulnerability could impact systems running Linux with Intel Xe graphics hardware, particularly in environments where GPU acceleration is critical, such as data centers, cloud providers, research institutions, and enterprises relying on Linux-based workstations. The unexpected device suspend behavior could lead to degraded system performance, application crashes, or service interruptions, especially in graphics-intensive or compute-heavy workloads. While this vulnerability does not appear to allow direct code execution or privilege escalation, the instability it causes could be exploited indirectly to cause denial of service or disrupt critical operations. Organizations using Linux-based infrastructure with Intel integrated graphics should be aware of potential reliability issues until patched. The impact is more pronounced in sectors relying on high availability and GPU-accelerated computing, such as financial services, scientific research, and media production.
Mitigation Recommendations
To mitigate this vulnerability, organizations should:
1) Apply the official Linux kernel patch that fixes the unbalanced rpm put() call in the drm/xe driver as soon as it is available and tested in their environment.
2) Monitor kernel updates from trusted Linux distributions and vendors that include this fix.
3) Implement runtime monitoring for GPU device power states and error logs to detect abnormal suspend events or fence finalization warnings, which could indicate attempts to trigger this issue.
4) For critical systems, consider isolating or limiting the use of Intel Xe graphics hardware until patched, or use alternative hardware drivers if feasible.
5) Engage with hardware and software vendors to confirm compatibility and patch deployment timelines.
6) Maintain robust backup and recovery procedures to minimize impact from potential system instability caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T19:36:19.956Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe00b8
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 5:42:30 PM
Last updated: 8/8/2025, 10:54:18 AM