CVE-2025-68286
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
drm/amd/display: Check NULL before accessing<br />
<br />
[WHAT]<br />
IGT kms_cursor_legacy&#39;s long-nonblocking-modeset-vs-cursor-atomic<br />
fails with NULL pointer dereference. This can be reproduced with<br />
both an eDP panel and a DP monitors connected.<br />
<br />
BUG: kernel NULL pointer dereference, address: 0000000000000000<br />
#PF: supervisor read access in kernel mode<br />
#PF: error_code(0x0000) - not-present page<br />
PGD 0 P4D 0<br />
Oops: Oops: 0000 [#1] SMP NOPTI<br />
CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted<br />
6.16.0-99-custom #8 PREEMPT(voluntary)<br />
Hardware name: AMD ........<br />
RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]<br />
Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49<br />
89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30<br />
c2 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02<br />
RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292<br />
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668<br />
RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000<br />
RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760<br />
R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000<br />
R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c<br />
FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000)<br />
knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]<br />
amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]<br />
? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]<br />
amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]<br />
drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400<br />
drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30<br />
drm_crtc_get_last_vbltimestamp+0x55/0x90<br />
drm_crtc_next_vblank_start+0x45/0xa0<br />
drm_atomic_helper_wait_for_fences+0x81/0x1f0<br />
...<br />
<br />
(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/09092269cb762378ca8b56024746b1a136761e0d
- https://git.kernel.org/stable/c/109e9c92543f3105e8e1efd2c5e6b92ef55d5743
- https://git.kernel.org/stable/c/3ce62c189693e8ed7b3abe551802bbc67f3ace54
- https://git.kernel.org/stable/c/62150f1e7ec707da76ff353fb7db51fef9cd6557
- https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2
- https://git.kernel.org/stable/c/9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9
- https://git.kernel.org/stable/c/f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf