fkie_cve-2025-40037
Vulnerability from fkie_nvd
Published
2025-10-28 12:15
Modified
2025-10-30 15:05
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: fbdev: simplefb: Fix use after free in simplefb_detach_genpds() The pm_domain cleanup can not be devres managed as it uses struct simplefb_par which is allocated within struct fb_info by framebuffer_alloc(). This allocation is explicitly freed by unregister_framebuffer() in simplefb_remove(). Devres managed cleanup runs after the device remove call and thus can no longer access struct simplefb_par. Call simplefb_detach_genpds() explicitly from simplefb_destroy() like the cleanup functions for clocks and regulators. Fixes an use after free on M2 Mac mini during aperture_remove_conflicting_devices() using the downstream asahi kernel with Debian's kernel config. For unknown reasons this started to consistently dereference an invalid pointer in v6.16.3 based kernels. [ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220 [ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227 [ 6.750697] [ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY [ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC [ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT) [ 6.752189] Call trace: [ 6.752190] show_stack+0x34/0x98 (C) [ 6.752194] dump_stack_lvl+0x60/0x80 [ 6.752197] print_report+0x17c/0x4d8 [ 6.752201] kasan_report+0xb4/0x100 [ 6.752206] __asan_report_load4_noabort+0x20/0x30 [ 6.752209] simplefb_detach_genpds+0x58/0x220 [ 6.752213] devm_action_release+0x50/0x98 [ 6.752216] release_nodes+0xd0/0x2c8 [ 6.752219] devres_release_all+0xfc/0x178 [ 6.752221] device_unbind_cleanup+0x28/0x168 [ 6.752224] device_release_driver_internal+0x34c/0x470 [ 6.752228] device_release_driver+0x20/0x38 [ 6.752231] bus_remove_device+0x1b0/0x380 [ 6.752234] device_del+0x314/0x820 [ 6.752238] platform_device_del+0x3c/0x1e8 [ 6.752242] platform_device_unregister+0x20/0x50 [ 6.752246] aperture_detach_platform_device+0x1c/0x30 [ 6.752250] aperture_detach_devices+0x16c/0x290 [ 6.752253] aperture_remove_conflicting_devices+0x34/0x50 ... [ 6.752343] [ 6.967409] Allocated by task 62: [ 6.970724] kasan_save_stack+0x3c/0x70 [ 6.974560] kasan_save_track+0x20/0x40 [ 6.978397] kasan_save_alloc_info+0x40/0x58 [ 6.982670] __kasan_kmalloc+0xd4/0xd8 [ 6.986420] __kmalloc_noprof+0x194/0x540 [ 6.990432] framebuffer_alloc+0xc8/0x130 [ 6.994444] simplefb_probe+0x258/0x2378 ... [ 7.054356] [ 7.055838] Freed by task 227: [ 7.058891] kasan_save_stack+0x3c/0x70 [ 7.062727] kasan_save_track+0x20/0x40 [ 7.066565] kasan_save_free_info+0x4c/0x80 [ 7.070751] __kasan_slab_free+0x6c/0xa0 [ 7.074675] kfree+0x10c/0x380 [ 7.077727] framebuffer_release+0x5c/0x90 [ 7.081826] simplefb_destroy+0x1b4/0x2c0 [ 7.085837] put_fb_info+0x98/0x100 [ 7.089326] unregister_framebuffer+0x178/0x320 [ 7.093861] simplefb_remove+0x3c/0x60 [ 7.097611] platform_remove+0x60/0x98 [ 7.101361] device_remove+0xb8/0x160 [ 7.105024] device_release_driver_internal+0x2fc/0x470 [ 7.110256] device_release_driver+0x20/0x38 [ 7.114529] bus_remove_device+0x1b0/0x380 [ 7.118628] device_del+0x314/0x820 [ 7.122116] platform_device_del+0x3c/0x1e8 [ 7.126302] platform_device_unregister+0x20/0x50 [ 7.131012] aperture_detach_platform_device+0x1c/0x30 [ 7.136157] aperture_detach_devices+0x16c/0x290 [ 7.140779] aperture_remove_conflicting_devices+0x34/0x50 ...
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: simplefb: Fix use after free in simplefb_detach_genpds()\n\nThe pm_domain cleanup can not be devres managed as it uses struct\nsimplefb_par which is allocated within struct fb_info by\nframebuffer_alloc(). This allocation is explicitly freed by\nunregister_framebuffer() in simplefb_remove().\nDevres managed cleanup runs after the device remove call and thus can no\nlonger access struct simplefb_par.\nCall simplefb_detach_genpds() explicitly from simplefb_destroy() like\nthe cleanup functions for clocks and regulators.\n\nFixes an use after free on M2 Mac mini during\naperture_remove_conflicting_devices() using the downstream asahi kernel\nwith Debian\u0027s kernel config. For unknown reasons this started to\nconsistently dereference an invalid pointer in v6.16.3 based kernels.\n\n[    6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220\n[    6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227\n[    6.750697]\n[    6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S                  6.16.3-asahi+ #16 PREEMPTLAZY\n[    6.752186] Tainted: [S]=CPU_OUT_OF_SPEC\n[    6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)\n[    6.752189] Call trace:\n[    6.752190]  show_stack+0x34/0x98 (C)\n[    6.752194]  dump_stack_lvl+0x60/0x80\n[    6.752197]  print_report+0x17c/0x4d8\n[    6.752201]  kasan_report+0xb4/0x100\n[    6.752206]  __asan_report_load4_noabort+0x20/0x30\n[    6.752209]  simplefb_detach_genpds+0x58/0x220\n[    6.752213]  devm_action_release+0x50/0x98\n[    6.752216]  release_nodes+0xd0/0x2c8\n[    6.752219]  devres_release_all+0xfc/0x178\n[    6.752221]  device_unbind_cleanup+0x28/0x168\n[    6.752224]  device_release_driver_internal+0x34c/0x470\n[    6.752228]  device_release_driver+0x20/0x38\n[    6.752231]  bus_remove_device+0x1b0/0x380\n[    6.752234]  device_del+0x314/0x820\n[    6.752238]  platform_device_del+0x3c/0x1e8\n[    6.752242]  platform_device_unregister+0x20/0x50\n[    6.752246]  aperture_detach_platform_device+0x1c/0x30\n[    6.752250]  aperture_detach_devices+0x16c/0x290\n[    6.752253]  aperture_remove_conflicting_devices+0x34/0x50\n...\n[    6.752343]\n[    6.967409] Allocated by task 62:\n[    6.970724]  kasan_save_stack+0x3c/0x70\n[    6.974560]  kasan_save_track+0x20/0x40\n[    6.978397]  kasan_save_alloc_info+0x40/0x58\n[    6.982670]  __kasan_kmalloc+0xd4/0xd8\n[    6.986420]  __kmalloc_noprof+0x194/0x540\n[    6.990432]  framebuffer_alloc+0xc8/0x130\n[    6.994444]  simplefb_probe+0x258/0x2378\n...\n[    7.054356]\n[    7.055838] Freed by task 227:\n[    7.058891]  kasan_save_stack+0x3c/0x70\n[    7.062727]  kasan_save_track+0x20/0x40\n[    7.066565]  kasan_save_free_info+0x4c/0x80\n[    7.070751]  __kasan_slab_free+0x6c/0xa0\n[    7.074675]  kfree+0x10c/0x380\n[    7.077727]  framebuffer_release+0x5c/0x90\n[    7.081826]  simplefb_destroy+0x1b4/0x2c0\n[    7.085837]  put_fb_info+0x98/0x100\n[    7.089326]  unregister_framebuffer+0x178/0x320\n[    7.093861]  simplefb_remove+0x3c/0x60\n[    7.097611]  platform_remove+0x60/0x98\n[    7.101361]  device_remove+0xb8/0x160\n[    7.105024]  device_release_driver_internal+0x2fc/0x470\n[    7.110256]  device_release_driver+0x20/0x38\n[    7.114529]  bus_remove_device+0x1b0/0x380\n[    7.118628]  device_del+0x314/0x820\n[    7.122116]  platform_device_del+0x3c/0x1e8\n[    7.126302]  platform_device_unregister+0x20/0x50\n[    7.131012]  aperture_detach_platform_device+0x1c/0x30\n[    7.136157]  aperture_detach_devices+0x16c/0x290\n[    7.140779]  aperture_remove_conflicting_devices+0x34/0x50\n..."
    }
  ],
  "id": "CVE-2025-40037",
  "lastModified": "2025-10-30T15:05:32.197",
  "metrics": {},
  "published": "2025-10-28T12:15:37.613",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.