CVE-2025-40225 (GCVE-0-2025-40225)
Vulnerability from cvelistv5
Published
2025-12-04 15:31
Modified
2025-12-04 15:31
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix kernel panic on partial unmap of a GPU VA region This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO. Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic. Following dump was seen when partial unmap was exercised. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078 Mem abort info: ESR = 0x0000000096000046 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000 [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000 Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP <snip> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor] sp : ffff800085d43970 x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000 x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000 x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010 x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58 x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7 x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001 x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078 Call trace: panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] op_remap_cb.isra.22+0x50/0x80 __drm_gpuvm_sm_unmap+0x10c/0x1c8 drm_gpuvm_sm_unmap+0x40/0x60 panthor_vm_exec_op+0xb4/0x3d0 [panthor] panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor] panthor_ioctl_vm_bind+0x160/0x4a0 [panthor] drm_ioctl_kernel+0xbc/0x138 drm_ioctl+0x240/0x500 __arm64_sys_ioctl+0xb0/0xf8 invoke_syscall+0x4c/0x110 el0_svc_common.constprop.1+0x98/0xf8 do_el0_svc+0x24/0x38 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xc8 el0t_64_sync+0x174/0x178
References
Impacted products
Vendor Product Version
Linux Linux Version: 647810ec247641eb5aec8caef818919a4518a0b1
Version: 647810ec247641eb5aec8caef818919a4518a0b1
Version: 647810ec247641eb5aec8caef818919a4518a0b1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_mmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "efe6dced3512066ebee2cf7c4c38d1c99625814e",
              "status": "affected",
              "version": "647810ec247641eb5aec8caef818919a4518a0b1",
              "versionType": "git"
            },
            {
              "lessThan": "e9c19d19dd7e08db89cead5b0337c18590dc6645",
              "status": "affected",
              "version": "647810ec247641eb5aec8caef818919a4518a0b1",
              "versionType": "git"
            },
            {
              "lessThan": "4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f",
              "status": "affected",
              "version": "647810ec247641eb5aec8caef818919a4518a0b1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_mmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix kernel panic on partial unmap of a GPU VA region\n\nThis commit address a kernel panic issue that can happen if Userspace\ntries to partially unmap a GPU virtual region (aka drm_gpuva).\nThe VM_BIND interface allows partial unmapping of a BO.\n\nPanthor driver pre-allocates memory for the new drm_gpuva structures\nthat would be needed for the map/unmap operation, done using drm_gpuvm\nlayer. It expected that only one new drm_gpuva would be needed on umap\nbut a partial unmap can require 2 new drm_gpuva and that\u0027s why it\nended up doing a NULL pointer dereference causing a kernel panic.\n\nFollowing dump was seen when partial unmap was exercised.\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078\n Mem abort info:\n   ESR = 0x0000000096000046\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x06: level 2 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000\n [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000\n Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP\n \u003csnip\u003e\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]\n sp : ffff800085d43970\n x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000\n x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000\n x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180\n x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010\n x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c\n x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58\n x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c\n x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7\n x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001\n x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078\n Call trace:\n  panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n  op_remap_cb.isra.22+0x50/0x80\n  __drm_gpuvm_sm_unmap+0x10c/0x1c8\n  drm_gpuvm_sm_unmap+0x40/0x60\n  panthor_vm_exec_op+0xb4/0x3d0 [panthor]\n  panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]\n  panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]\n  drm_ioctl_kernel+0xbc/0x138\n  drm_ioctl+0x240/0x500\n  __arm64_sys_ioctl+0xb0/0xf8\n  invoke_syscall+0x4c/0x110\n  el0_svc_common.constprop.1+0x98/0xf8\n  do_el0_svc+0x24/0x38\n  el0_svc+0x40/0xf8\n  el0t_64_sync_handler+0xa0/0xc8\n  el0t_64_sync+0x174/0x178"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:17.057Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f"
        }
      ],
      "title": "drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40225",
    "datePublished": "2025-12-04T15:31:17.057Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T15:31:17.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40225\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-04T16:16:15.043\",\"lastModified\":\"2025-12-04T17:15:08.283\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panthor: Fix kernel panic on partial unmap of a GPU VA region\\n\\nThis commit address a kernel panic issue that can happen if Userspace\\ntries to partially unmap a GPU virtual region (aka drm_gpuva).\\nThe VM_BIND interface allows partial unmapping of a BO.\\n\\nPanthor driver pre-allocates memory for the new drm_gpuva structures\\nthat would be needed for the map/unmap operation, done using drm_gpuvm\\nlayer. It expected that only one new drm_gpuva would be needed on umap\\nbut a partial unmap can require 2 new drm_gpuva and that\u0027s why it\\nended up doing a NULL pointer dereference causing a kernel panic.\\n\\nFollowing dump was seen when partial unmap was exercised.\\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078\\n Mem abort info:\\n   ESR = 0x0000000096000046\\n   EC = 0x25: DABT (current EL), IL = 32 bits\\n   SET = 0, FnV = 0\\n   EA = 0, S1PTW = 0\\n   FSC = 0x06: level 2 translation fault\\n Data abort info:\\n   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\\n   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000\\n [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000\\n Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP\\n \u003csnip\u003e\\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\\n lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]\\n sp : ffff800085d43970\\n x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000\\n x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000\\n x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180\\n x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010\\n x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c\\n x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58\\n x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c\\n x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7\\n x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001\\n x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078\\n Call trace:\\n  panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\\n  op_remap_cb.isra.22+0x50/0x80\\n  __drm_gpuvm_sm_unmap+0x10c/0x1c8\\n  drm_gpuvm_sm_unmap+0x40/0x60\\n  panthor_vm_exec_op+0xb4/0x3d0 [panthor]\\n  panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]\\n  panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]\\n  drm_ioctl_kernel+0xbc/0x138\\n  drm_ioctl+0x240/0x500\\n  __arm64_sys_ioctl+0xb0/0xf8\\n  invoke_syscall+0x4c/0x110\\n  el0_svc_common.constprop.1+0x98/0xf8\\n  do_el0_svc+0x24/0x38\\n  el0_svc+0x40/0xf8\\n  el0t_64_sync_handler+0xa0/0xc8\\n  el0t_64_sync+0x174/0x178\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.