CVE-2025-38189
Publication date:
04/07/2025
In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()`

The following kernel Oops was recently reported by Mesa CI:

[ 800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588
[ 800.148619] Mem abort info:
[ 800.151402] ESR = 0x0000000096000005
[ 800.155141] EC = 0x25: DABT (current EL), IL = 32 bits
[ 800.160444] SET = 0, FnV = 0
[ 800.163488] EA = 0, S1PTW = 0
[ 800.166619] FSC = 0x05: level 1 translation fault
[ 800.171487] Data abort info:
[ 800.174357] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 800.179832] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 800.184873] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 800.190176] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001014c2000
[ 800.196607] [0000000000000588] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 800.205305] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ 800.211564] Modules linked in: vc4 snd_soc_hdmi_codec drm_display_helper v3d cec gpu_sched drm_dma_helper drm_shmem_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm i2c_brcmstb snd_timer snd backlight
[ 800.234448] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1
[ 800.244182] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
[ 800.250005] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 800.256959] pc : v3d_job_update_stats+0x60/0x130 [v3d]
[ 800.262112] lr : v3d_job_update_stats+0x48/0x130 [v3d]
[ 800.267251] sp : ffffffc080003e60
[ 800.270555] x29: ffffffc080003e60 x28: ffffffd842784980 x27: 0224012000000000
[ 800.277687] x26: ffffffd84277f630 x25: ffffff81012fd800 x24: 0000000000000020
[ 800.284818] x23: ffffff8040238b08 x22: 0000000000000570 x21: 0000000000000158
[ 800.291948] x20: 0000000000000000 x19: ffffff8040238000 x18: 0000000000000000
[ 800.299078] x17: ffffffa8c1bd2000 x16: ffffffc080000000 x15: 0000000000000000
[ 800.306208] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 800.313338] x11: 0000000000000040 x10: 0000000000001a40 x9 : ffffffd83b39757c
[ 800.320468] x8 : ffffffd842786420 x7 : 7fffffffffffffff x6 : 0000000000ef32b0
[ 800.327598] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : ffffffd842784980
[ 800.334728] x2 : 0000000000000004 x1 : 0000000000010002 x0 : 000000ba4c0ca382
[ 800.341859] Call trace:
[ 800.344294] v3d_job_update_stats+0x60/0x130 [v3d]
[ 800.349086] v3d_irq+0x124/0x2e0 [v3d]
[ 800.352835] __handle_irq_event_percpu+0x58/0x218
[ 800.357539] handle_irq_event+0x54/0xb8
[ 800.361369] handle_fasteoi_irq+0xac/0x240
[ 800.365458] handle_irq_desc+0x48/0x68
[ 800.369200] generic_handle_domain_irq+0x24/0x38
[ 800.373810] gic_handle_irq+0x48/0xd8
[ 800.377464] call_on_irq_stack+0x24/0x58
[ 800.381379] do_interrupt_handler+0x88/0x98
[ 800.385554] el1_interrupt+0x34/0x68
[ 800.389123] el1h_64_irq_handler+0x18/0x28
[ 800.393211] el1h_64_irq+0x64/0x68
[ 800.396603] default_idle_call+0x3c/0x168
[ 800.400606] do_idle+0x1fc/0x230
[ 800.403827] cpu_startup_entry+0x40/0x50
[ 800.407742] rest_init+0xe4/0xf0
[ 800.410962] start_kernel+0x5e8/0x790
[ 800.414616] __primary_switched+0x80/0x90
[ 800.418622] Code: 8b170277 8b160296 11000421 b9000861 (b9401ac1)
[ 800.424707] ---[ end trace 0000000000000000 ]---
[ 800.457313] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

This issue happens when the file descriptor is closed before the jobs
submitted by it are completed. When the job completes, we update the
global GPU stats and the per-fd GPU stats, which are exposed through
fdinfo. If the file descriptor was closed, then the struct `v3d_file_priv`
and its stats were already freed and we can't update the per-fd stats.

Therefore, if the file descriptor was already closed, don't u
---truncated---
Severity: Pending analysis
Last modified:
04/07/2025
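
The lifetime problem described in the commit message, as an added user-space C model (not the v3d driver's code and not the upstream patch): a job can outlive the file descriptor that submitted it, so the completion path must skip the per-fd stats once that state has been freed. All type and function names are hypothetical, and clearing the job's pointer on close is an assumed way of recording that the descriptor is gone, since the page's description of the fix is truncated.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; all names are hypothetical, not the v3d driver's. */
struct stats { uint64_t jobs; uint64_t runtime_ns; };
struct file_priv { struct stats stats; };   /* per-fd state, freed on close */
struct device { struct stats global; };     /* outlives every fd */
struct job {
    struct device *dev;
    struct file_priv *file;  /* assumption: set to NULL when the submitting fd closes */
    uint64_t start_ns;
};

static void account(struct stats *s, uint64_t dt) { s->jobs++; s->runtime_ns += dt; }

/* Close path: detach in-flight jobs first, then free the per-fd state.
 * A real driver must serialise this against its interrupt handler; this model is single-threaded. */
static void model_close(struct file_priv *fp, struct job **inflight, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (inflight[i]->file == fp)
            inflight[i]->file = NULL;
    free(fp);
}

/* Completion path. Returns 1 if per-fd stats were updated, 0 if they were skipped. */
static int model_job_done(struct job *j, uint64_t now_ns)
{
    uint64_t dt = now_ns - j->start_ns;
    account(&j->dev->global, dt);   /* assumption: global stats are still counted */
    if (!j->file)                   /* fd already closed: no per-fd stats left to update */
        return 0;
    account(&j->file->stats, dt);
    return 1;
}

int main(void)
{
    struct device dev = {0};
    struct file_priv *fp = calloc(1, sizeof(*fp));
    struct job j = { &dev, fp, 100 };
    struct job *inflight[] = { &j };
    if (!fp) return 1;
    model_close(fp, inflight, 1);   /* fd closed while the job is still running */
    int updated = model_job_done(&j, 150);
    printf("per-fd updated: %d, global jobs: %llu\n", updated, (unsigned long long)dev.global.jobs);
    return 0;
}
```

Without the `if (!j->file)` check, the completion path would write through a pointer to freed per-fd state, which is the condition the Oops above reports from `v3d_irq`.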