Bug 2383519 (CVE-2025-38449)
| Summary: | CVE-2025-38449 kernel: drm/gem: Acquire references on GEM handles for framebuffers | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2025072504-CVE-2025-38449-cbf0@gregkh/T This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:15447 https://access.redhat.com/errata/RHSA-2025:15447 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:15661 https://access.redhat.com/errata/RHSA-2025:15661 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:15786 https://access.redhat.com/errata/RHSA-2025:15786 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:15785 https://access.redhat.com/errata/RHSA-2025:15785 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:17123 https://access.redhat.com/errata/RHSA-2025:17123 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:17122 https://access.redhat.com/errata/RHSA-2025:17122 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:17159 https://access.redhat.com/errata/RHSA-2025:17159 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:17192 https://access.redhat.com/errata/RHSA-2025:17192 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:17241 https://access.redhat.com/errata/RHSA-2025:17241 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:17570 https://access.redhat.com/errata/RHSA-2025:17570 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:18043 https://access.redhat.com/errata/RHSA-2025:18043 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:21667 https://access.redhat.com/errata/RHSA-2025:21667 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:22752 https://access.redhat.com/errata/RHSA-2025:22752 |
In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is shown below. [ 156.791968] ------------[ cut here ]------------ [ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430 [...] [ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430 [ 157.043420] Call Trace: [ 157.045898] <TASK> [ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710 [ 157.065567] ? dma_buf_vmap+0x224/0x430 [ 157.069446] ? __warn.cold+0x58/0xe4 [ 157.073061] ? dma_buf_vmap+0x224/0x430 [ 157.077111] ? report_bug+0x1dd/0x390 [ 157.080842] ? handle_bug+0x5e/0xa0 [ 157.084389] ? exc_invalid_op+0x14/0x50 [ 157.088291] ? asm_exc_invalid_op+0x16/0x20 [ 157.092548] ? dma_buf_vmap+0x224/0x430 [ 157.096663] ? dma_resv_get_singleton+0x6d/0x230 [ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10 [ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10 [ 157.110697] drm_gem_shmem_vmap+0x74/0x710 [ 157.114866] drm_gem_vmap+0xa9/0x1b0 [ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0 [ 157.123086] drm_gem_fb_vmap+0xab/0x300 [ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10 [ 157.133032] ? lockdep_init_map_type+0x19d/0x880 [ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0 [ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180 [ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40 [...] [ 157.346424] ---[ end trace 0000000000000000 ]--- Acquiring GEM handles for the framebuffer's GEM buffer objects prevents this from happening. The framebuffer's cleanup later puts the handle references. Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object instance") triggers the segmentation fault easily by using the dma-buf field more widely. The underlying issue with reference counting has been present before. v2: - acquire the handle instead of the BO (Christian) - fix comment style (Christian) - drop the Fixes tag (Christian) - rename err_ gotos - add missing Link tag