ghsa-cj72-qxmq-rj7q
Vulnerability from github
Published: 2025-08-19 18:31
Modified: 2025-08-19 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c

The issue was reproduced on NV10 using IGT pci_unplug test. It is expected that amdgpu_driver_postclose_kms() is called prior to amdgpu_drm_release(). However, the bug is that amdgpu_fpriv was freed in amdgpu_driver_postclose_kms(), and then later accessed in amdgpu_drm_release() via a call to amdgpu_userq_mgr_fini(). As a result, KASAN detected a use-after-free condition, as shown in the log below. The proposed fix is to move the calls to amdgpu_eviction_fence_destroy() and amdgpu_userq_mgr_fini() into amdgpu_driver_postclose_kms(), so they are invoked before amdgpu_fpriv is freed.

This also ensures symmetry with the initialization path in amdgpu_driver_open_kms(), where the following components are initialized:
- amdgpu_userq_mgr_init()
- amdgpu_eviction_fence_init()
- amdgpu_ctx_mgr_init()

Correspondingly, in amdgpu_driver_postclose_kms() we should clean up using:
- amdgpu_userq_mgr_fini()
- amdgpu_eviction_fence_destroy()
- amdgpu_ctx_mgr_fini()

This change eliminates the use-after-free and improves consistency in resource management between open and close paths.

[  +0.094367] ==================================================================
[  +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[  +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737
[  +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2
[  +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
[  +0.000004] Call Trace:
[  +0.000004]  <TASK>
[  +0.000003]  dump_stack_lvl+0x76/0xa0
[  +0.000010]  print_report+0xce/0x600
[  +0.000009]  ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[  +0.000790]  ? srso_return_thunk+0x5/0x5f
[  +0.000007]  ? kasan_complete_mode_report_info+0x76/0x200
[  +0.000008]  ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[  +0.000684]  kasan_report+0xbe/0x110
[  +0.000007]  ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[  +0.000601]  __asan_report_store8_noabort+0x17/0x30
[  +0.000007]  amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[  +0.000801]  ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu]
[  +0.000819]  ? srso_return_thunk+0x5/0x5f
[  +0.000008]  amdgpu_drm_release+0xa3/0xe0 [amdgpu]
[  +0.000604]  __fput+0x354/0xa90
[  +0.000010]  __fput_sync+0x59/0x80
[  +0.000005]  __x64_sys_close+0x7d/0xe0
[  +0.000006]  x64_sys_call+0x2505/0x26f0
[  +0.000006]  do_syscall_64+0x7c/0x170
[  +0.000004]  ? kasan_record_aux_stack+0xae/0xd0
[  +0.000005]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? kmem_cache_free+0x398/0x580
[  +0.000006]  ? __fput+0x543/0xa90
[  +0.000006]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? __fput+0x543/0xa90
[  +0.000004]  ? __kasan_check_read+0x11/0x20
[  +0.000007]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? __kasan_check_read+0x11/0x20
[  +0.000003]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? fpregs_assert_state_consistent+0x21/0xb0
[  +0.000006]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? syscall_exit_to_user_mode+0x4e/0x240
[  +0.000005]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? do_syscall_64+0x88/0x170
[  +0.000003]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? do_syscall_64+0x88/0x170
[  +0.000004]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? irqentry_exit+0x43/0x50
[  +0.000004]  ? srso_return_thunk+0x5/0x5f
[  +0.000004]  ? exc_page_fault+0x7c/0x110
[  +0.000006]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[  +0.000005] RIP: 0033:0x7ffff7b14f67
[  +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff
[  +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[  +0.000006] RAX: ffffffffff
---truncated---
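As an added illustration (not code from the kernel, the patch or this advisory), the C simulation below models the open/close ordering the commit message describes: an instrumented single-object "slab" marks fpriv dead instead of freeing it, so every later write through it is counted, which is the effect KASAN's poisoning has in the real trace. The names open_kms, close_file and touch, the placement of ctx_mgr_fini in the postclose path, and the order of the two fini calls inside the release path are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
/* Per-file private data, a simplified stand-in for struct amdgpu_fpriv. */
struct fpriv { bool userq_mgr_live, evf_live, ctx_mgr_live; };

/* Instrumented single-object "slab": free only marks the object dead, so a
 * later touch is observable, much as KASAN's poisoning makes it in the kernel. */
static struct fpriv slab_obj;
static bool slab_freed;
static int uaf_hits;

static struct fpriv *fpriv_alloc(void) { slab_freed = false; uaf_hits = 0; return &slab_obj; }
static void fpriv_free(struct fpriv *f) { (void)f; slab_freed = true; }
static struct fpriv *touch(struct fpriv *f) { if (slab_freed) uaf_hits++; return f; }

/* Teardown helpers: each writes into fpriv, as the "Write of size 8" in the report shows. */
static void userq_mgr_fini(struct fpriv *f) { touch(f)->userq_mgr_live = false; }
static void eviction_fence_destroy(struct fpriv *f) { touch(f)->evf_live = false; }
static void ctx_mgr_fini(struct fpriv *f) { touch(f)->ctx_mgr_live = false; }

/* amdgpu_driver_open_kms(): userq mgr, eviction fence and ctx mgr are set up. */
static struct fpriv *open_kms(void) {
    struct fpriv *f = fpriv_alloc();
    f->userq_mgr_live = f->evf_live = f->ctx_mgr_live = true;
    return f;
}

/* Close path: postclose_kms() runs first, then drm_release(). Which stage does
 * which cleanup is the whole bug. Returns the number of touches after the free. */
static int close_file(struct fpriv *f, bool fixed) {
    /* --- amdgpu_driver_postclose_kms() --- */
    if (fixed) {                  /* after the fix: both finis run before the free */
        userq_mgr_fini(f);
        eviction_fence_destroy(f);
    }
    ctx_mgr_fini(f);              /* assumed already here, per the commit text */
    fpriv_free(f);                /* fpriv is gone from this point on */
    /* --- amdgpu_drm_release() --- */
    if (!fixed) {                 /* before the fix: finis run on the freed fpriv */
        eviction_fence_destroy(f);
        userq_mgr_fini(f);        /* the write KASAN flagged in the trace */
    }
    return uaf_hits;
}

int main(void) {
    printf("before fix: %d writes to freed fpriv\n", close_file(open_kms(), false));
    printf("after fix:  %d writes to freed fpriv\n", close_file(open_kms(), true));
    return 0;
}
```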



{
  "affected": [],
  "aliases": [
    "CVE-2025-38603"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:38Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c\n\nThe issue was reproduced on NV10 using IGT pci_unplug test.\nIt is expected that `amdgpu_driver_postclose_kms()` is called prior to `amdgpu_drm_release()`.\nHowever, the bug is that `amdgpu_fpriv` was freed in `amdgpu_driver_postclose_kms()`, and then\nlater accessed in `amdgpu_drm_release()` via a call to `amdgpu_userq_mgr_fini()`.\nAs a result, KASAN detected a use-after-free condition, as shown in the log below.\nThe proposed fix is to move the calls to `amdgpu_eviction_fence_destroy()` and\n`amdgpu_userq_mgr_fini()` into `amdgpu_driver_postclose_kms()`, so they are invoked before\n`amdgpu_fpriv` is freed.\n\nThis also ensures symmetry with the initialization path in `amdgpu_driver_open_kms()`,\nwhere the following components are initialized:\n- `amdgpu_userq_mgr_init()`\n- `amdgpu_eviction_fence_init()`\n- `amdgpu_ctx_mgr_init()`\n\nCorrespondingly, in `amdgpu_driver_postclose_kms()` we should clean up using:\n- `amdgpu_userq_mgr_fini()`\n- `amdgpu_eviction_fence_destroy()`\n- `amdgpu_ctx_mgr_fini()`\n\nThis change eliminates the use-after-free and improves consistency in resource management between open and close paths.\n\n[  +0.094367] ==================================================================\n[  +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[  +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737\n[  +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2\n[  +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[  +0.000004] Call Trace:\n[  +0.000004]  \u003cTASK\u003e\n[  +0.000003]  dump_stack_lvl+0x76/0xa0\n[  +0.000010]  print_report+0xce/0x600\n[  +0.000009]  ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[  +0.000790]  ? srso_return_thunk+0x5/0x5f\n[  +0.000007]  ? kasan_complete_mode_report_info+0x76/0x200\n[  +0.000008]  ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[  +0.000684]  kasan_report+0xbe/0x110\n[  +0.000007]  ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[  +0.000601]  __asan_report_store8_noabort+0x17/0x30\n[  +0.000007]  amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[  +0.000801]  ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu]\n[  +0.000819]  ? srso_return_thunk+0x5/0x5f\n[  +0.000008]  amdgpu_drm_release+0xa3/0xe0 [amdgpu]\n[  +0.000604]  __fput+0x354/0xa90\n[  +0.000010]  __fput_sync+0x59/0x80\n[  +0.000005]  __x64_sys_close+0x7d/0xe0\n[  +0.000006]  x64_sys_call+0x2505/0x26f0\n[  +0.000006]  do_syscall_64+0x7c/0x170\n[  +0.000004]  ? kasan_record_aux_stack+0xae/0xd0\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? kmem_cache_free+0x398/0x580\n[  +0.000006]  ? __fput+0x543/0xa90\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? __fput+0x543/0xa90\n[  +0.000004]  ? __kasan_check_read+0x11/0x20\n[  +0.000007]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? __kasan_check_read+0x11/0x20\n[  +0.000003]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? fpregs_assert_state_consistent+0x21/0xb0\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? syscall_exit_to_user_mode+0x4e/0x240\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? do_syscall_64+0x88/0x170\n[  +0.000003]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? do_syscall_64+0x88/0x170\n[  +0.000004]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? irqentry_exit+0x43/0x50\n[  +0.000004]  ? srso_return_thunk+0x5/0x5f\n[  +0.000004]  ? exc_page_fault+0x7c/0x110\n[  +0.000006]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  +0.000005] RIP: 0033:0x7ffff7b14f67\n[  +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff\n[  +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003\n[  +0.000006] RAX: ffffffffff\n---truncated---",
  "id": "GHSA-cj72-qxmq-rj7q",
  "modified": "2025-08-19T18:31:33Z",
  "published": "2025-08-19T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38603"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5fb90421fa0fbe0a968274912101fe917bf1c47b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f2997cef6d4056cb1b62190f1cf06e8dd19e228f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

