CVE-2025-22096

The SUBMITERROR() macro turns the error code negative. This extra '-' operation turns it back to positive EINVAL again. The error code is passed to ERRPTR() and since positive values are not an IS_ERR() it eventually will lead to an oops. Delete the '-'.

Patchwork: https://patchwork.freedesktop.org/patch/637625/

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

866e43b945bf98f8e807dfa45eca92f931f3a032

Fixed

efe759dcf3352d8379a1adad7b4d14044a4c41a7

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

866e43b945bf98f8e807dfa45eca92f931f3a032

Fixed

0b305b7cadce835505bd93183a599acb1f800a05

Affected versions

v6.*

v6.13

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.14.1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2025-22096-375b387a",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "drivers/gpu/drm/msm/msm_gem_submit.c",
            "function": "msm_parse_deps"
        },
        "digest": {
            "function_hash": "301730406535021294946295979215658787945",
            "length": 1267.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0b305b7cadce835505bd93183a599acb1f800a05"
    },
    {
        "id": "CVE-2025-22096-9e1ceea6",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/msm/msm_gem_submit.c"
        },
        "digest": {
            "line_hashes": [
                "145255094620104632069238387157923189383",
                "172904566046654603306929390044442955771",
                "27823261552055308787678772249159107137",
                "23996190449597715417580835028566002417"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0b305b7cadce835505bd93183a599acb1f800a05"
    },
    {
        "id": "CVE-2025-22096-a9b81fd2",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "drivers/gpu/drm/msm/msm_gem_submit.c"
        },
        "digest": {
            "line_hashes": [
                "145255094620104632069238387157923189383",
                "172904566046654603306929390044442955771",
                "27823261552055308787678772249159107137",
                "23996190449597715417580835028566002417"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@efe759dcf3352d8379a1adad7b4d14044a4c41a7"
    },
    {
        "id": "CVE-2025-22096-fd93ef00",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "drivers/gpu/drm/msm/msm_gem_submit.c",
            "function": "msm_parse_deps"
        },
        "digest": {
            "function_hash": "301730406535021294946295979215658787945",
            "length": 1267.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@efe759dcf3352d8379a1adad7b4d14044a4c41a7"
    }
]

CVE-2025-22096

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Affected versions

v6.*

Database specific

vanir_signatures

Linux / Kernel

Package

Affected ranges