ghsa-rfrp-6hx4-mcc5
Vulnerability from github
Published: 2025-11-12 12:30
Modified: 2025-11-12 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Fix bootup splat with separate_gpu_drm modparam

The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses drm_gem_obj.gpuva.list, which is not initialized when the drm driver does not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms drm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam is set:

[    9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0
[    9.523160] Mem abort info:
[    9.523161]   ESR = 0x0000000096000006
[    9.523163]   EC = 0x25: DABT (current EL), IL = 32 bits
[    9.523165]   SET = 0, FnV = 0
[    9.523166]   EA = 0, S1PTW = 0
[    9.523167]   FSC = 0x06: level 2 translation fault
[    9.523169] Data abort info:
[    9.523170]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[    9.523171]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[    9.523172]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[    9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000
[    9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000
[    9.523184] Internal error: Oops: 0000000096000006 [#1]  SMP
[    9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT
[    9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024
[    9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[    9.592973] pc : lookup_vma+0x28/0xe0 [msm]
[    9.592996] lr : get_vma_locked+0x2c/0x128 [msm]
[    9.763632] sp : ffff800082dab460
[    9.763666] Call trace:
[    9.763668]  lookup_vma+0x28/0xe0 [msm] (P)
[    9.763688]  get_vma_locked+0x2c/0x128 [msm]
[    9.763706]  msm_gem_get_and_pin_iova_range+0x68/0x11c [msm]
[    9.763723]  msm_gem_get_and_pin_iova+0x18/0x24 [msm]
[    9.763740]  msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm]
[    9.763760]  __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper]
[    9.763771]  drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper]
[    9.763779]  drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib]
[    9.763782]  drm_client_register+0x58/0x9c [drm]
[    9.763806]  drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib]
[    9.763809]  drm_client_setup+0xb4/0xd8 [drm_client_lib]
[    9.763811]  msm_drm_kms_post_init+0x2c/0x3c [msm]
[    9.763830]  msm_drm_init+0x1a8/0x22c [msm]
[    9.763848]  msm_drm_bind+0x30/0x3c [msm]
[    9.919273]  try_to_bring_up_aggregate_device+0x168/0x1d4
[    9.919283]  __component_add+0xa4/0x170
[    9.919286]  component_add+0x14/0x20
[    9.919288]  msm_dp_display_probe_tail+0x4c/0xac [msm]
[    9.919315]  msm_dp_auxbus_done_probe+0x14/0x20 [msm]
[    9.919335]  dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus]
[    9.919341]  really_probe+0xbc/0x298
[    9.919345]  __driver_probe_device+0x78/0x12c
[    9.919348]  driver_probe_device+0x40/0x160
[    9.919350]  __driver_attach+0x94/0x19c
[    9.919353]  bus_for_each_dev+0x74/0xd4
[    9.919355]  driver_attach+0x24/0x30
[    9.919358]  bus_add_driver+0xe4/0x208
[    9.919360]  driver_register+0x60/0x128
[    9.919363]  __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus]
[    9.919365]  atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20]
[    9.919370]  do_one_initcall+0x6c/0x1b0
[    9.919374]  do_init_module+0x58/0x234
[    9.919377]  load_module+0x19cc/0x1bd4
[    9.919380]  init_module_from_file+0x84/0xc4
[    9.919382]  __arm64_sys_finit_module+0x1b8/0x2cc
[    9.919384]  invoke_syscall+0x48/0x110
[    9.919389]  el0_svc_common.constprop.0+0xc8/0xe8
[    9.919393]  do_el0_svc+0x20/0x2c
[    9.919396]  el0_svc+0x34/0xf0
[    9.919401]  el0t_64_sync_handler+0xa0/0xe4
[    9.919403]  el0t_64_sync+0x198/0x19c
[    9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44)
[    9.919410] ---[ end trace 0000000000000000 ]---

Patchwork: https://patchwork.freedesktop.org/pa ---truncated---

{
  "affected": [],
  "aliases": [
    "CVE-2025-40152"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T11:15:45Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix bootup splat with separate_gpu_drm modparam\n\nThe drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses\ndrm_gem_obj.gpuva.list, which is not initialized when the drm driver\ndoes not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms\ndrm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam\nis set:\n\n[    9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0\n[    9.523160] Mem abort info:\n[    9.523161]   ESR = 0x0000000096000006\n[    9.523163]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    9.523165]   SET = 0, FnV = 0\n[    9.523166]   EA = 0, S1PTW = 0\n[    9.523167]   FSC = 0x06: level 2 translation fault\n[    9.523169] Data abort info:\n[    9.523170]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[    9.523171]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    9.523172]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000\n[    9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000\n[    9.523184] Internal error: Oops: 0000000096000006 [#1]  SMP\n[    9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT\n[    9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024\n[    9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    9.592973] pc : lookup_vma+0x28/0xe0 [msm]\n[    9.592996] lr : get_vma_locked+0x2c/0x128 [msm]\n[    9.763632] sp : ffff800082dab460\n[    9.763666] Call trace:\n[    9.763668]  lookup_vma+0x28/0xe0 [msm] (P)\n[    9.763688]  get_vma_locked+0x2c/0x128 [msm]\n[    9.763706]  msm_gem_get_and_pin_iova_range+0x68/0x11c [msm]\n[    9.763723]  msm_gem_get_and_pin_iova+0x18/0x24 [msm]\n[    9.763740]  msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm]\n[    9.763760]  __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper]\n[    9.763771]  drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper]\n[    9.763779]  drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib]\n[    9.763782]  drm_client_register+0x58/0x9c [drm]\n[    9.763806]  drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib]\n[    9.763809]  drm_client_setup+0xb4/0xd8 [drm_client_lib]\n[    9.763811]  msm_drm_kms_post_init+0x2c/0x3c [msm]\n[    9.763830]  msm_drm_init+0x1a8/0x22c [msm]\n[    9.763848]  msm_drm_bind+0x30/0x3c [msm]\n[    9.919273]  try_to_bring_up_aggregate_device+0x168/0x1d4\n[    9.919283]  __component_add+0xa4/0x170\n[    9.919286]  component_add+0x14/0x20\n[    9.919288]  msm_dp_display_probe_tail+0x4c/0xac [msm]\n[    9.919315]  msm_dp_auxbus_done_probe+0x14/0x20 [msm]\n[    9.919335]  dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus]\n[    9.919341]  really_probe+0xbc/0x298\n[    9.919345]  __driver_probe_device+0x78/0x12c\n[    9.919348]  driver_probe_device+0x40/0x160\n[    9.919350]  __driver_attach+0x94/0x19c\n[    9.919353]  bus_for_each_dev+0x74/0xd4\n[    9.919355]  driver_attach+0x24/0x30\n[    9.919358]  bus_add_driver+0xe4/0x208\n[    9.919360]  driver_register+0x60/0x128\n[    9.919363]  __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus]\n[    9.919365]  atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20]\n[    9.919370]  do_one_initcall+0x6c/0x1b0\n[    9.919374]  do_init_module+0x58/0x234\n[    9.919377]  load_module+0x19cc/0x1bd4\n[    9.919380]  init_module_from_file+0x84/0xc4\n[    9.919382]  __arm64_sys_finit_module+0x1b8/0x2cc\n[    9.919384]  invoke_syscall+0x48/0x110\n[    9.919389]  el0_svc_common.constprop.0+0xc8/0xe8\n[    9.919393]  do_el0_svc+0x20/0x2c\n[    9.919396]  el0_svc+0x34/0xf0\n[    9.919401]  el0t_64_sync_handler+0xa0/0xe4\n[    9.919403]  el0t_64_sync+0x198/0x19c\n[    9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44)\n[    9.919410] ---[ end trace 0000000000000000 ]---\n\nPatchwork: https://patchwork.freedesktop.org/pa\n---truncated---",
  "id": "GHSA-rfrp-6hx4-mcc5",
  "modified": "2025-11-12T12:30:27Z",
  "published": "2025-11-12T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40152"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/87aff6d08f3b13bfad66df7c13af5f3a3548d5b9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f028bcafb6dfb4c2bb656cbff9e6a66222d3d3d7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

