CVE-2025-40073

Source
https://cve.org/CVERecord?id=CVE-2025-40073
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40073.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40073
Aliases
Downstream
Published
2025-10-28T11:48:40.588Z
Modified
2026-02-10T02:26:26.151593Z
Summary
drm/msm: Do not validate SSPP when it is not ready
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/msm: Do not validate SSPP when it is not ready

The current code will validate the current plane and the previous plane to confirm they can share an SSPP with multi-rect mode. The SSPP is already allocated for the previous plane, while the current plane is not associated with any SSPP yet. A null pointer is referenced when validating the SSPP of the current plane. Skip SSPP validation for the current plane.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000000888ac3000
[0000000000000020] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in:
CPU: 4 UID: 0 PID: 1891 Comm: modetest Tainted: G S 6.15.0-rc2-g3ee3f6e1202e #335 PREEMPT
Tainted: [S]=CPU_OUT_OF_SPEC
Hardware name: SM8650 EV1 rev1 4slam 2et (DT)
pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : dpu_plane_is_multirect_capable+0x68/0x90
lr : dpu_assign_plane_resources+0x288/0x410
sp : ffff800093dcb770
x29: ffff800093dcb770 x28: 0000000000002000 x27: ffff000817c6c000
x26: ffff000806b46368 x25: ffff0008013f6080 x24: ffff00080cbf4800
x23: ffff000810842680 x22: ffff0008013f1080 x21: ffff00080cc86080
x20: ffff000806b463b0 x19: ffff00080cbf5a00 x18: 00000000ffffffff
x17: 707a5f657a696c61 x16: 0000000000000003 x15: 0000000000002200
x14: 00000000ffffffff x13: 00aaaaaa00aaaaaa x12: 0000000000000000
x11: ffff000817c6e2b8 x10: 0000000000000000 x9 : ffff80008106a950
x8 : ffff00080cbf48f4 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000438 x3 : 0000000000000438
x2 : ffff800082e245e0 x1 : 0000000000000008 x0 : 0000000000000000
Call trace:
 dpu_plane_is_multirect_capable+0x68/0x90 (P)
 dpu_crtc_atomic_check+0x5bc/0x650
 drm_atomic_helper_check_planes+0x13c/0x220
 drm_atomic_helper_check+0x58/0xb8
 msm_atomic_check+0xd8/0xf0
 drm_atomic_check_only+0x4a8/0x968
 drm_atomic_commit+0x50/0xd8
 drm_atomic_helper_update_plane+0x140/0x188
 __setplane_atomic+0xfc/0x148
 drm_mode_setplane+0x164/0x378
 drm_ioctl_kernel+0xc0/0x140
 drm_ioctl+0x20c/0x500
 __arm64_sys_ioctl+0xbc/0xf8
 invoke_syscall+0x50/0x120
 el0_svc_common.constprop.0+0x48/0xf8
 do_el0_svc+0x28/0x40
 el0_svc+0x30/0xd0
 el0t_64_sync_handler+0x144/0x168
 el0t_64_sync+0x198/0x1a0
Code: b9402021 370fffc1 f9401441 3707ff81 (f94010a1)
---[ end trace 0000000000000000 ]---

Patchwork: https://patchwork.freedesktop.org/patch/669224/

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40073.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3ed12a3664b362e3462cca61d41f9a9460c9e260
Fixed
f1dbb3eedb7db4cad45d2619edb1cce6041f79e3
Fixed
6fc616723bb5fd4289d7422fa013da062b44ae55

Affected versions

v6.*
v6.15
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40073.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.16.0
Fixed
6.17.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40073.json"