Bug 2383519 (CVE-2025-38449) - CVE-2025-38449 kernel: drm/gem: Acquire references on GEM handles for framebuffers
Summary: CVE-2025-38449 kernel: drm/gem: Acquire references on GEM handles for framebu...
Keywords:
Status: NEW
Alias: CVE-2025-38449
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-25 16:03 UTC by OSIDB Bzimport
Modified: 2025-10-02 09:54 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:15447 0 None None None 2025-09-08 10:22:58 UTC
Red Hat Product Errata RHSA-2025:15661 0 None None None 2025-09-11 03:14:46 UTC
Red Hat Product Errata RHSA-2025:15785 0 None None None 2025-09-15 10:38:29 UTC
Red Hat Product Errata RHSA-2025:15786 0 None None None 2025-09-15 10:20:21 UTC
Red Hat Product Errata RHSA-2025:17122 0 None None None 2025-10-01 00:22:24 UTC
Red Hat Product Errata RHSA-2025:17123 0 None None None 2025-10-01 00:21:46 UTC
Red Hat Product Errata RHSA-2025:17159 0 None None None 2025-10-01 18:10:23 UTC
Red Hat Product Errata RHSA-2025:17192 0 None None None 2025-10-01 19:16:46 UTC
Red Hat Product Errata RHSA-2025:17241 0 None None None 2025-10-02 09:54:04 UTC

Description OSIDB Bzimport 2025-07-25 16:03:55 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/gem: Acquire references on GEM handles for framebuffers

A GEM handle can be released while the GEM buffer object is attached
to a DRM framebuffer. This leads to the release of the dma-buf backing
the buffer object, if any. [1] Trying to use the framebuffer in further
mode-setting operations leads to a segmentation fault. Most easily
happens with driver that use shadow planes for vmap-ing the dma-buf
during a page flip. An example is shown below.

[  156.791968] ------------[ cut here ]------------
[  156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430
[...]
[  156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430
[  157.043420] Call Trace:
[  157.045898]  <TASK>
[  157.048030]  ? show_trace_log_lvl+0x1af/0x2c0
[  157.052436]  ? show_trace_log_lvl+0x1af/0x2c0
[  157.056836]  ? show_trace_log_lvl+0x1af/0x2c0
[  157.061253]  ? drm_gem_shmem_vmap+0x74/0x710
[  157.065567]  ? dma_buf_vmap+0x224/0x430
[  157.069446]  ? __warn.cold+0x58/0xe4
[  157.073061]  ? dma_buf_vmap+0x224/0x430
[  157.077111]  ? report_bug+0x1dd/0x390
[  157.080842]  ? handle_bug+0x5e/0xa0
[  157.084389]  ? exc_invalid_op+0x14/0x50
[  157.088291]  ? asm_exc_invalid_op+0x16/0x20
[  157.092548]  ? dma_buf_vmap+0x224/0x430
[  157.096663]  ? dma_resv_get_singleton+0x6d/0x230
[  157.101341]  ? __pfx_dma_buf_vmap+0x10/0x10
[  157.105588]  ? __pfx_dma_resv_get_singleton+0x10/0x10
[  157.110697]  drm_gem_shmem_vmap+0x74/0x710
[  157.114866]  drm_gem_vmap+0xa9/0x1b0
[  157.118763]  drm_gem_vmap_unlocked+0x46/0xa0
[  157.123086]  drm_gem_fb_vmap+0xab/0x300
[  157.126979]  drm_atomic_helper_prepare_planes.part.0+0x487/0xb10
[  157.133032]  ? lockdep_init_map_type+0x19d/0x880
[  157.137701]  drm_atomic_helper_commit+0x13d/0x2e0
[  157.142671]  ? drm_atomic_nonblocking_commit+0xa0/0x180
[  157.147988]  drm_mode_atomic_ioctl+0x766/0xe40
[...]
[  157.346424] ---[ end trace 0000000000000000 ]---

Acquiring GEM handles for the framebuffer's GEM buffer objects prevents
this from happening. The framebuffer's cleanup later puts the handle
references.

Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object
instance") triggers the segmentation fault easily by using the dma-buf
field more widely. The underlying issue with reference counting has
been present before.

v2:
- acquire the handle instead of the BO (Christian)
- fix comment style (Christian)
- drop the Fixes tag (Christian)
- rename err_ gotos
- add missing Link tag
Comment 1 Jon Moroney 2025-07-25 16:49:29 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025072504-CVE-2025-38449-cbf0@gregkh/T
Comment 4 errata-xmlrpc 2025-09-08 10:22:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:15447 https://access.redhat.com/errata/RHSA-2025:15447
Comment 6 errata-xmlrpc 2025-09-11 03:14:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:15661 https://access.redhat.com/errata/RHSA-2025:15661
Comment 7 errata-xmlrpc 2025-09-15 10:20:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15786 https://access.redhat.com/errata/RHSA-2025:15786
Comment 8 errata-xmlrpc 2025-09-15 10:38:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:15785 https://access.redhat.com/errata/RHSA-2025:15785
Comment 10 errata-xmlrpc 2025-10-01 00:21:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17123 https://access.redhat.com/errata/RHSA-2025:17123
Comment 11 errata-xmlrpc 2025-10-01 00:22:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17122 https://access.redhat.com/errata/RHSA-2025:17122
Comment 12 errata-xmlrpc 2025-10-01 18:10:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:17159 https://access.redhat.com/errata/RHSA-2025:17159
Comment 13 errata-xmlrpc 2025-10-01 19:16:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:17192 https://access.redhat.com/errata/RHSA-2025:17192
Comment 14 errata-xmlrpc 2025-10-02 09:54:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:17241 https://access.redhat.com/errata/RHSA-2025:17241
Note You need to log in before you can comment on or make changes to this bug.