CVE-2025-71130

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/01/2026
Last modified:
14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer

Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below.

During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer.

If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail while processing any (possibly not the first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point the lookup function failed.

In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is set to NULL, which is a source of a NULL deref bug described in the issue linked in the Closes tag.

When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway; however, the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being set to NULL as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure.

(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)
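The cleanup pattern the description refers to, reduced to a small user-space model (added here for illustration; this is not the i915 driver's code). It assumes a constructed POISON value standing in for the slab poison pattern, a fixed-size array, and an `eb_add_vma()` step that fails at a chosen index; `release_vmas()` reports -1 where the real `eb_release_vmas()` would dereference a poisoned pointer, and the `zero_init` flag selects the pre-fix or the zero-initialized layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define NBUF 4
/* Constructed stand-in for the slab poison value: non-NULL, not a valid object. */
#define POISON ((void *)(uintptr_t)0x6b6b6b6bu)

struct eb_vma { void *vma; };
/* One extra slot so a successful lookup can leave a NULL terminator. */
struct eb { struct eb_vma vma[NBUF + 1]; };

static int fake_objects[NBUF];   /* constructed objects the vma pointers refer to */

/* Models eb_lookup_vmas(): entries are filled in order, and the pointer is
 * stored before the (possibly failing) eb_add_vma() step. On that failure
 * path neither vma[i] nor vma[i+1] is reset to NULL, as the description says. */
static int lookup_vmas(struct eb *eb, int fail_at)
{
    for (int i = 0; i < NBUF; i++) {
        eb->vma[i].vma = &fake_objects[i];
        if (i == fail_at)
            return -1;           /* eb_add_vma() failed: return without cleanup */
    }
    eb->vma[NBUF].vma = NULL;    /* terminator written only on full success */
    return 0;
}

/* Models eb_release_vmas(): walks entries until the first NULL. Returns the
 * number of entries released, or -1 if it reaches a poisoned (non-NULL,
 * invalid) pointer, which is where the kernel would fault. */
static int release_vmas(const struct eb *eb)
{
    int released = 0;
    for (int i = 0; i <= NBUF; i++) {
        const void *p = eb->vma[i].vma;
        if (!p)
            break;               /* NULL is the only recognized stop value */
        if (p == POISON)
            return -1;           /* cleanup ran past the failure point */
        released++;
    }
    return released;
}

/* zero_init=false: pre-fix state (slab poison); zero_init=true: the patch's memset-to-0. */
static int run(bool zero_init, int fail_at)
{
    struct eb eb;
    if (zero_init)
        memset(&eb, 0, sizeof(eb));
    else
        for (int i = 0; i <= NBUF; i++) eb.vma[i].vma = POISON;
    lookup_vmas(&eb, fail_at);
    return release_vmas(&eb);
}
```

With the poisoned layout and a failure at index 1, the release walk hits the poison in slot 2; with zero-initialization it stops cleanly after releasing the two entries that were set.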

Impact