CVE-2025-22093

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-22093
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22093.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22093
Downstream
Related
Published
2025-04-16T14:12:44.802Z
Modified
2025-11-16T15:52:57.447099Z
Summary
drm/amd/display: avoid NPD when ASIC does not support DMUB
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: avoid NPD when ASIC does not support DMUB

ctx->dmubsrv will de NULL if the ASIC does not support DMUB, which is tested in dmdmubswinit.

However, it will be dereferenced in dmubhwlockmgrcmd if shouldusedmub_lock returns true.

This has been the case since dmub support has been added for PSR1.

Fix this by checking for dmubsrv in shouldusedmublock.

[ 37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 37.447808] #PF: supervisor read access in kernel mode [ 37.452959] #PF: errorcode(0x0000) - not-present page [ 37.458112] PGD 0 P4D 0 [ 37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88 [ 37.478324] Hardware name: Google Morphius/Morphius, BIOS GoogleMorphius.13434.858.0 10/26/2023 [ 37.487103] RIP: 0010:dmubhwlockmgrcmd+0x77/0xb0 [ 37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5 [ 37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202 [ 37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358 [ 37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000 [ 37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5 [ 37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000 [ 37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000 [ 37.551725] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000 [ 37.559814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0 [ 37.572697] Call Trace: [ 37.575152] <TASK> [ 37.577258] ? diebody+0x66/0xb0 [ 37.580756] ? pagefaultoops+0x3e7/0x4a0 [ 37.584861] ? excpagefault+0x3e/0xe0 [ 37.588706] ? excpagefault+0x5c/0xe0 [ 37.592550] ? asmexcpagefault+0x22/0x30 [ 37.596742] ? dmubhwlockmgrcmd+0x77/0xb0 [ 37.601107] dcn10cursorlock+0x1e1/0x240 [ 37.605211] programcursorattributes+0x81/0x190 [ 37.609923] commitplanesforstream+0x998/0x1ef0 [ 37.614722] updateplanesandstreamv2+0x41e/0x5c0 [ 37.619703] dcupdateplanesandstream+0x78/0x140 [ 37.624588] amdgpudmatomiccommittail+0x4362/0x49f0 [ 37.629832] ? srsoreturnthunk+0x5/0x5f [ 37.633847] ? markheldlocks+0x6d/0xd0 [ 37.637774] ? _rawspinunlockirq+0x24/0x50 [ 37.642135] ? srsoreturnthunk+0x5/0x5f [ 37.646148] ? lockdephardirqson+0x95/0x150 [ 37.650510] ? srsoreturnthunk+0x5/0x5f [ 37.654522] ? rawspinunlockirq+0x2f/0x50 [ 37.658883] ? srsoreturnthunk+0x5/0x5f [ 37.662897] ? waitforcommon+0x186/0x1c0 [ 37.666998] ? srsoreturnthunk+0x5/0x5f [ 37.671009] ? drmcrtcnextvblankstart+0xc3/0x170 [ 37.675983] committail+0xf5/0x1c0 [ 37.679478] drmatomichelpercommit+0x2a2/0x2b0 [ 37.684186] drmatomiccommit+0xd6/0x100 [ 37.688199] ? _cfidrmprintfninfo+0x10/0x10 [ 37.692911] drmatomichelperupdateplane+0xe5/0x130 [ 37.698054] drmmodecursorcommon+0x501/0x670 [ 37.702600] ? _cfidrmmodecursorioctl+0x10/0x10 [ 37.707572] drmmodecursorioctl+0x48/0x70 [ 37.711851] drmioctlkernel+0xf2/0x150 [ 37.715781] drmioctl+0x363/0x590 [ 37.719189] ? _cfidrmmodecursorioctl+0x10/0x10 [ 37.724165] amdgpudrmioctl+0x41/0x80 [ 37.728013] _sesysioctl+0x7f/0xd0 [ 37.731685] dosyscall64+0x87/0x100 [ 37.735355] ? vmaendread+0x12/0xe0 [ 37.739024] ? srsoreturnthunk+0x5/0x5f [ 37.743041] ? findheldlock+0x47/0xf0 [ 37.746884] ? vmaendread+0x12/0xe0 [ 37.750552] ? srsoreturnthunk+0x5/0 ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b7d2461858ac75c9d6bc4ab8af1a738d0814b716
Fixed
d953e2cd59ab466569c6f9da460e01caf1c83559
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
758abba3dd413dc5de2016f8588403294263a30a
Fixed
b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4b46fc30b37e457d25cf3908c0c4dc3fbedd2044
Fixed
3453bcaf2ca92659346bf8504c2b52b3993fbd79
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5c764d6ed556c4e81fbe3fd976da77ec450c08e
Fixed
5e4b1e04740cdb28de189285007366d99a92f1ce
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5c764d6ed556c4e81fbe3fd976da77ec450c08e
Fixed
35ad39afd007eddf34b3307bebb715c26891cc96
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5c764d6ed556c4e81fbe3fd976da77ec450c08e
Fixed
42d9d7bed270247f134190ba0cb05bbd072f58c2

Affected versions

v6.*

v6.1.128
v6.1.129
v6.1.130
v6.1.131
v6.1.132
v6.1.133
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.20
v6.12.21
v6.12.22
v6.13
v6.13-rc7
v6.13.1
v6.13.10
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@42d9d7bed270247f134190ba0cb05bbd072f58c2",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-061cec39",
        "digest": {
            "line_hashes": [
                "292177520748219029968344122856970991357",
                "259546282654894762068615460187837025484",
                "111119215115457007214347204767706377232",
                "129636403074890620813333528512374225673"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35ad39afd007eddf34b3307bebb715c26891cc96",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "should_use_dmub_lock",
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-2281d803",
        "digest": {
            "length": 382.0,
            "function_hash": "250902892535654225774452436720117508545"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d953e2cd59ab466569c6f9da460e01caf1c83559",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "should_use_dmub_lock",
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-22929204",
        "digest": {
            "length": 311.0,
            "function_hash": "54686356465597154557490365936429514379"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d953e2cd59ab466569c6f9da460e01caf1c83559",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-31501647",
        "digest": {
            "line_hashes": [
                "292177520748219029968344122856970991357",
                "259546282654894762068615460187837025484",
                "111119215115457007214347204767706377232",
                "243689070977919768840490332273914953618"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "should_use_dmub_lock",
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-43f1d0d6",
        "digest": {
            "length": 382.0,
            "function_hash": "250902892535654225774452436720117508545"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3453bcaf2ca92659346bf8504c2b52b3993fbd79",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "should_use_dmub_lock",
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-4add6842",
        "digest": {
            "length": 382.0,
            "function_hash": "250902892535654225774452436720117508545"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@42d9d7bed270247f134190ba0cb05bbd072f58c2",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "should_use_dmub_lock",
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-4d9b2515",
        "digest": {
            "length": 202.0,
            "function_hash": "123271265882286096045865808978422115199"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e4b1e04740cdb28de189285007366d99a92f1ce",
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "function": "should_use_dmub_lock",
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-91a72155",
        "digest": {
            "length": 382.0,
            "function_hash": "250902892535654225774452436720117508545"
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e4b1e04740cdb28de189285007366d99a92f1ce",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-96cbcb66",
        "digest": {
            "line_hashes": [
                "292177520748219029968344122856970991357",
                "259546282654894762068615460187837025484",
                "111119215115457007214347204767706377232",
                "129636403074890620813333528512374225673"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35ad39afd007eddf34b3307bebb715c26891cc96",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-bc789f20",
        "digest": {
            "line_hashes": [
                "292177520748219029968344122856970991357",
                "259546282654894762068615460187837025484",
                "111119215115457007214347204767706377232",
                "129636403074890620813333528512374225673"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-c037602a",
        "digest": {
            "line_hashes": [
                "292177520748219029968344122856970991357",
                "259546282654894762068615460187837025484",
                "111119215115457007214347204767706377232",
                "129636403074890620813333528512374225673"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3453bcaf2ca92659346bf8504c2b52b3993fbd79",
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
        },
        "id": "CVE-2025-22093-c5a84ccd",
        "digest": {
            "line_hashes": [
                "292177520748219029968344122856970991357",
                "259546282654894762068615460187837025484",
                "111119215115457007214347204767706377232",
                "129636403074890620813333528512374225673"
            ],
            "threshold": 0.9
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.134
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.87
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.23
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.11
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.2