CVE-2024-36949 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
amd/amdkfd: sync all devices to wait all processes being evicted
If there are more than one device doing reset in parallel, the first device will call kfd_suspend_all_processes() to evict all processes on all devices, this call takes time to finish. other device will start reset and recover without waiting. if the process has not been evicted before doing recover, it will be restored, then caused page fault.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/01/2025
This vulnerability exists within the AMD Kernel Driver Framework component of the Linux kernel, specifically affecting the amd/amdkfd subsystem responsible for managing AMD GPU devices. The issue stems from a race condition during concurrent device reset operations where multiple GPU devices attempt to reset simultaneously. When the first device initiates the reset process, it invokes the kfd_suspend_all_processes() function to evict all running processes across all connected devices. This eviction process is time-consuming and asynchronous in nature, creating a window where other devices can begin their reset procedures before the initial eviction completes. The fundamental flaw lies in the lack of proper synchronization between device reset operations, violating the principle of atomicity in concurrent system operations.
The technical implementation of this vulnerability demonstrates a classic race condition scenario where process eviction and device recovery operations are not properly coordinated. During parallel device resets, the system fails to ensure that all processes have been successfully evicted from memory before proceeding with device recovery operations. This results in a scenario where processes that should have been evicted remain in memory and are subsequently restored during the recovery phase, leading to page fault exceptions. The vulnerability directly impacts the kernel's memory management subsystem and can be categorized under CWE-362, which addresses Race Conditions, specifically the lack of proper synchronization mechanisms. The issue manifests as a memory consistency problem where the kernel's process eviction and device recovery operations are not properly sequenced, creating an inconsistent system state.
The operational impact of this vulnerability is significant for systems utilizing AMD GPUs, particularly in high-performance computing environments where multiple GPU devices are present and concurrent reset operations may occur. When triggered, the vulnerability can cause system instability, application crashes, and potential data corruption during device reset operations. The page fault errors resulting from restored processes can lead to kernel panics or system hangs, especially in scenarios where multiple devices are reset simultaneously during system maintenance or error recovery. This vulnerability affects the reliability and availability of GPU-accelerated applications and can be exploited by malicious actors to cause denial of service conditions, making it a critical security concern for enterprise and cloud computing environments that rely on AMD GPU infrastructure.
Mitigation strategies for this vulnerability should focus on implementing proper synchronization mechanisms between device reset operations and process eviction procedures. The recommended approach involves modifying the amd/amdkfd subsystem to ensure that all device reset operations wait for the completion of process eviction before proceeding with device recovery. This can be achieved through the implementation of mutex locks or other synchronization primitives that prevent concurrent device reset operations from proceeding until all processes have been properly evicted. Additionally, the kernel should be updated to include proper error handling and state validation checks that verify process eviction completion before initiating device recovery operations. Organizations should prioritize applying the patched kernel version that resolves this synchronization issue, while also implementing monitoring solutions to detect and alert on unusual device reset patterns that may indicate potential exploitation attempts. The vulnerability aligns with ATT&CK technique T1490 which covers Data Destruction, as the instability caused by this race condition can lead to data loss and system corruption during critical reset operations.