CVE-2025-38449
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
25/07/2025
Last modified:
19/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
drm/gem: Acquire references on GEM handles for framebuffers<br />
<br />
A GEM handle can be released while the GEM buffer object is attached<br />
to a DRM framebuffer. This leads to the release of the dma-buf backing<br />
the buffer object, if any. [1] Trying to use the framebuffer in further<br />
mode-setting operations leads to a segmentation fault. Most easily<br />
happens with driver that use shadow planes for vmap-ing the dma-buf<br />
during a page flip. An example is shown below.<br />
<br />
[ 156.791968] ------------[ cut here ]------------<br />
[ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430<br />
[...]<br />
[ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430<br />
[ 157.043420] Call Trace:<br />
[ 157.045898] <br />
[ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0<br />
[ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0<br />
[ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0<br />
[ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710<br />
[ 157.065567] ? dma_buf_vmap+0x224/0x430<br />
[ 157.069446] ? __warn.cold+0x58/0xe4<br />
[ 157.073061] ? dma_buf_vmap+0x224/0x430<br />
[ 157.077111] ? report_bug+0x1dd/0x390<br />
[ 157.080842] ? handle_bug+0x5e/0xa0<br />
[ 157.084389] ? exc_invalid_op+0x14/0x50<br />
[ 157.088291] ? asm_exc_invalid_op+0x16/0x20<br />
[ 157.092548] ? dma_buf_vmap+0x224/0x430<br />
[ 157.096663] ? dma_resv_get_singleton+0x6d/0x230<br />
[ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10<br />
[ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10<br />
[ 157.110697] drm_gem_shmem_vmap+0x74/0x710<br />
[ 157.114866] drm_gem_vmap+0xa9/0x1b0<br />
[ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0<br />
[ 157.123086] drm_gem_fb_vmap+0xab/0x300<br />
[ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10<br />
[ 157.133032] ? lockdep_init_map_type+0x19d/0x880<br />
[ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0<br />
[ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180<br />
[ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40<br />
[...]<br />
[ 157.346424] ---[ end trace 0000000000000000 ]---<br />
<br />
Acquiring GEM handles for the framebuffer&#39;s GEM buffer objects prevents<br />
this from happening. The framebuffer&#39;s cleanup later puts the handle<br />
references.<br />
<br />
Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object<br />
instance") triggers the segmentation fault easily by using the dma-buf<br />
field more widely. The underlying issue with reference counting has<br />
been present before.<br />
<br />
v2:<br />
- acquire the handle instead of the BO (Christian)<br />
- fix comment style (Christian)<br />
- drop the Fixes tag (Christian)<br />
- rename err_ gotos<br />
- add missing Link tag
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6.99 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.39 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page