CVE-2025-37837

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 09/05/2025
Last modified: 14/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent()

Two WARNINGs are observed when SMMU driver rolls back upon failure:

    arm-smmu-v3.9.auto: Failed to register iommu
    arm-smmu-v3.9.auto: probe with driver arm-smmu-v3 failed with error -22
    ------------[ cut here ]------------
    WARNING: CPU: 5 PID: 1 at kernel/dma/mapping.c:74 dmam_free_coherent+0xc0/0xd8
    Call trace:
     dmam_free_coherent+0xc0/0xd8 (P)
     tegra241_vintf_free_lvcmdq+0x74/0x188
     tegra241_cmdqv_remove_vintf+0x60/0x148
     tegra241_cmdqv_remove+0x48/0xc8
     arm_smmu_impl_remove+0x28/0x60
     devm_action_release+0x1c/0x40
    ------------[ cut here ]------------
    128 pages are still in use!
    WARNING: CPU: 16 PID: 1 at mm/page_alloc.c:6902 free_contig_range+0x18c/0x1c8
    Call trace:
     free_contig_range+0x18c/0x1c8 (P)
     cma_release+0x154/0x2f0
     dma_free_contiguous+0x38/0xa0
     dma_direct_free+0x10c/0x248
     dma_free_attrs+0x100/0x290
     dmam_free_coherent+0x78/0xd8
     tegra241_vintf_free_lvcmdq+0x74/0x160
     tegra241_cmdqv_remove+0x98/0x198
     arm_smmu_impl_remove+0x28/0x60
     devm_action_release+0x1c/0x40

This is because the LVCMDQ queue memory is managed by devres, while dmam_free_coherent() is called in the context of devm_action_release().

Jason pointed out that "arm_smmu_impl_probe() has mis-ordered the devres callbacks if ops->device_remove() is going to be manually freeing things that probe allocated":
https://lore.kernel.org/linux-iommu/20250407174408.GB1722458@nvidia.com/

In fact, tegra241_cmdqv_init_structures() only allocates memory resources which means any failure that it generates would be similar to -ENOMEM, so there is no point in having that "falling back to standard SMMU" routine, as the standard SMMU would likely fail to allocate memory too.

Remove the unwind part in tegra241_cmdqv_init_structures(), and return a proper error code to ask SMMU driver to call tegra241_cmdqv_remove() via impl_ops->device_remove(). Then, drop tegra241_vintf_free_lvcmdq() since devres will take care of that.
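The ownership conflict described above, as an added example: a small userspace model written for this page, not kernel or driver code. The model_* helpers, remove_manual/remove_fixed and simulate_rollback are hypothetical names. It assumes teardown detaches all entries and then releases them in reverse registration order, and that the remove action is registered before the queue buffer.

```c
/* Userspace model of devres teardown; constructed for illustration, not kernel code. */
#include <stdio.h>
typedef void (*release_fn)(void *data);
struct node { release_fn fn; void *data; };
static struct node live[4];   /* entries still registered on the device */
static int nlive, warnings, frees;
static int queue_mem;         /* token standing in for the LVCMDQ queue memory */

static void model_add(release_fn fn, void *data) { live[nlive++] = (struct node){ fn, data }; }
/* What devres itself does for the managed allocation at teardown. */
static void buf_release(void *data) { (void)data; frees++; }

/* Stand-in for dmam_free_coherent(): drop the devres entry, warn if absent, free. */
static void model_managed_free(void *data)
{
    int i, found = 0;
    for (i = 0; i < nlive && !found; i++)
        found = (live[i].fn == buf_release && live[i].data == data);
    if (found) { for (; i < nlive; i++) live[i - 1] = live[i]; nlive--; }
    else warnings++;          /* models the WARNING raised in dmam_free_coherent() */
    frees++;
}

/* Pre-fix remove path frees managed memory by hand; post-fix leaves it to devres. */
static void remove_manual(void *data) { model_managed_free(data); }
static void remove_fixed(void *data) { (void)data; }

/* Teardown: detach every entry, then release in reverse registration order. */
static void model_release_all(void)
{
    struct node todo[4];
    int n = nlive;
    for (int i = 0; i < n; i++) todo[i] = live[i];
    nlive = 0;
    while (n--) todo[n].fn(todo[n].data);
}

/* Returns the warning count; *nfrees is how often the queue memory was freed. */
int simulate_rollback(int manual_free, int *nfrees)
{
    nlive = warnings = frees = 0;
    model_add(manual_free ? remove_manual : remove_fixed, &queue_mem); /* remove action */
    model_add(buf_release, &queue_mem);                                /* managed buffer */
    model_release_all();
    *nfrees = frees;
    return warnings;
}

int main(void)
{
    int f1, f2, w1 = simulate_rollback(1, &f1), w2 = simulate_rollback(0, &f2);
    printf("manual free: warnings=%d frees=%d; devres only: warnings=%d frees=%d\n", w1, f1, w2, f2);
    return 0;
}
```

In the model, the manual-free path yields one warning and two frees of the same buffer, while the devres-only path yields no warning and a single free.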

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:\*:\*:\*:\*:\*:\*:\*:\* | 6.12 (including) | 6.12.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:\*:\*:\*:\*:\*:\*:\*:\* | 6.13 (including) | 6.13.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:\*:\*:\*:\*:\*:\*:\*:\* | 6.14 (including) | 6.14.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:\*:\*:\*:\*:\*:\* | | |