CVE-2025-40152 (GCVE-0-2025-40152)
Vulnerability from cvelistv5
Published: 2025-11-12 10:23
Modified: 2025-11-12 10:23
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix bootup splat with separate_gpu_drm modparam
The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses
drm_gem_obj.gpuva.list, which is not initialized when the drm driver
does not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms
drm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam
is set:
[ 9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0
[ 9.523160] Mem abort info:
[ 9.523161] ESR = 0x0000000096000006
[ 9.523163] EC = 0x25: DABT (current EL), IL = 32 bits
[ 9.523165] SET = 0, FnV = 0
[ 9.523166] EA = 0, S1PTW = 0
[ 9.523167] FSC = 0x06: level 2 translation fault
[ 9.523169] Data abort info:
[ 9.523170] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 9.523171] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 9.523172] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000
[ 9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000
[ 9.523184] Internal error: Oops: 0000000096000006 [#1] SMP
[ 9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT
[ 9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024
[ 9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 9.592973] pc : lookup_vma+0x28/0xe0 [msm]
[ 9.592996] lr : get_vma_locked+0x2c/0x128 [msm]
[ 9.763632] sp : ffff800082dab460
[ 9.763666] Call trace:
[ 9.763668] lookup_vma+0x28/0xe0 [msm] (P)
[ 9.763688] get_vma_locked+0x2c/0x128 [msm]
[ 9.763706] msm_gem_get_and_pin_iova_range+0x68/0x11c [msm]
[ 9.763723] msm_gem_get_and_pin_iova+0x18/0x24 [msm]
[ 9.763740] msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm]
[ 9.763760] __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper]
[ 9.763771] drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper]
[ 9.763779] drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib]
[ 9.763782] drm_client_register+0x58/0x9c [drm]
[ 9.763806] drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib]
[ 9.763809] drm_client_setup+0xb4/0xd8 [drm_client_lib]
[ 9.763811] msm_drm_kms_post_init+0x2c/0x3c [msm]
[ 9.763830] msm_drm_init+0x1a8/0x22c [msm]
[ 9.763848] msm_drm_bind+0x30/0x3c [msm]
[ 9.919273] try_to_bring_up_aggregate_device+0x168/0x1d4
[ 9.919283] __component_add+0xa4/0x170
[ 9.919286] component_add+0x14/0x20
[ 9.919288] msm_dp_display_probe_tail+0x4c/0xac [msm]
[ 9.919315] msm_dp_auxbus_done_probe+0x14/0x20 [msm]
[ 9.919335] dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus]
[ 9.919341] really_probe+0xbc/0x298
[ 9.919345] __driver_probe_device+0x78/0x12c
[ 9.919348] driver_probe_device+0x40/0x160
[ 9.919350] __driver_attach+0x94/0x19c
[ 9.919353] bus_for_each_dev+0x74/0xd4
[ 9.919355] driver_attach+0x24/0x30
[ 9.919358] bus_add_driver+0xe4/0x208
[ 9.919360] driver_register+0x60/0x128
[ 9.919363] __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus]
[ 9.919365] atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20]
[ 9.919370] do_one_initcall+0x6c/0x1b0
[ 9.919374] do_init_module+0x58/0x234
[ 9.919377] load_module+0x19cc/0x1bd4
[ 9.919380] init_module_from_file+0x84/0xc4
[ 9.919382] __arm64_sys_finit_module+0x1b8/0x2cc
[ 9.919384] invoke_syscall+0x48/0x110
[ 9.919389] el0_svc_common.constprop.0+0xc8/0xe8
[ 9.919393] do_el0_svc+0x20/0x2c
[ 9.919396] el0_svc+0x34/0xf0
[ 9.919401] el0t_64_sync_handler+0xa0/0xe4
[ 9.919403] el0t_64_sync+0x198/0x19c
[ 9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44)
[ 9.919410] ---[ end trace 0000000000000000 ]---
Patchwork: https://patchwork.freedesktop.org/pa
---truncated---
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87aff6d08f3b13bfad66df7c13af5f3a3548d5b9",
"status": "affected",
"version": "217ed15bd399980981f90f4332bc7ad4b05baa7e",
"versionType": "git"
},
{
"lessThan": "f028bcafb6dfb4c2bb656cbff9e6a66222d3d3d7",
"status": "affected",
"version": "217ed15bd399980981f90f4332bc7ad4b05baa7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/msm/msm_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.17"
},
{
"lessThan": "6.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.17.*",
"status": "unaffected",
"version": "6.17.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.18-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17.3",
"versionStartIncluding": "6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18-rc1",
"versionStartIncluding": "6.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix bootup splat with separate_gpu_drm modparam\n\nThe drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses\ndrm_gem_obj.gpuva.list, which is not initialized when the drm driver\ndoes not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms\ndrm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam\nis set:\n\n[ 9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0\n[ 9.523160] Mem abort info:\n[ 9.523161] ESR = 0x0000000096000006\n[ 9.523163] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9.523165] SET = 0, FnV = 0\n[ 9.523166] EA = 0, S1PTW = 0\n[ 9.523167] FSC = 0x06: level 2 translation fault\n[ 9.523169] Data abort info:\n[ 9.523170] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[ 9.523171] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 9.523172] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000\n[ 9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000\n[ 9.523184] Internal error: Oops: 0000000096000006 [#1] SMP\n[ 9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT\n[ 9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024\n[ 9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 9.592973] pc : lookup_vma+0x28/0xe0 [msm]\n[ 9.592996] lr : get_vma_locked+0x2c/0x128 [msm]\n[ 9.763632] sp : ffff800082dab460\n[ 9.763666] Call trace:\n[ 9.763668] lookup_vma+0x28/0xe0 [msm] (P)\n[ 9.763688] get_vma_locked+0x2c/0x128 [msm]\n[ 9.763706] msm_gem_get_and_pin_iova_range+0x68/0x11c [msm]\n[ 9.763723] msm_gem_get_and_pin_iova+0x18/0x24 [msm]\n[ 9.763740] msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm]\n[ 9.763760] __drm_fb_helper_initial_config_and_unlock+0x288/0x528 
[drm_kms_helper]\n[ 9.763771] drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper]\n[ 9.763779] drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib]\n[ 9.763782] drm_client_register+0x58/0x9c [drm]\n[ 9.763806] drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib]\n[ 9.763809] drm_client_setup+0xb4/0xd8 [drm_client_lib]\n[ 9.763811] msm_drm_kms_post_init+0x2c/0x3c [msm]\n[ 9.763830] msm_drm_init+0x1a8/0x22c [msm]\n[ 9.763848] msm_drm_bind+0x30/0x3c [msm]\n[ 9.919273] try_to_bring_up_aggregate_device+0x168/0x1d4\n[ 9.919283] __component_add+0xa4/0x170\n[ 9.919286] component_add+0x14/0x20\n[ 9.919288] msm_dp_display_probe_tail+0x4c/0xac [msm]\n[ 9.919315] msm_dp_auxbus_done_probe+0x14/0x20 [msm]\n[ 9.919335] dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus]\n[ 9.919341] really_probe+0xbc/0x298\n[ 9.919345] __driver_probe_device+0x78/0x12c\n[ 9.919348] driver_probe_device+0x40/0x160\n[ 9.919350] __driver_attach+0x94/0x19c\n[ 9.919353] bus_for_each_dev+0x74/0xd4\n[ 9.919355] driver_attach+0x24/0x30\n[ 9.919358] bus_add_driver+0xe4/0x208\n[ 9.919360] driver_register+0x60/0x128\n[ 9.919363] __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus]\n[ 9.919365] atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20]\n[ 9.919370] do_one_initcall+0x6c/0x1b0\n[ 9.919374] do_init_module+0x58/0x234\n[ 9.919377] load_module+0x19cc/0x1bd4\n[ 9.919380] init_module_from_file+0x84/0xc4\n[ 9.919382] __arm64_sys_finit_module+0x1b8/0x2cc\n[ 9.919384] invoke_syscall+0x48/0x110\n[ 9.919389] el0_svc_common.constprop.0+0xc8/0xe8\n[ 9.919393] do_el0_svc+0x20/0x2c\n[ 9.919396] el0_svc+0x34/0xf0\n[ 9.919401] el0t_64_sync_handler+0xa0/0xe4\n[ 9.919403] el0t_64_sync+0x198/0x19c\n[ 9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44)\n[ 9.919410] ---[ end trace 0000000000000000 ]---\n\nPatchwork: https://patchwork.freedesktop.org/pa\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T10:23:27.925Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87aff6d08f3b13bfad66df7c13af5f3a3548d5b9"
},
{
"url": "https://git.kernel.org/stable/c/f028bcafb6dfb4c2bb656cbff9e6a66222d3d3d7"
}
],
"title": "drm/msm: Fix bootup splat with separate_gpu_drm modparam",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-40152",
"datePublished": "2025-11-12T10:23:27.925Z",
"dateReserved": "2025-04-16T07:20:57.176Z",
"dateUpdated": "2025-11-12T10:23:27.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}