CVE-2025-40225

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Fix kernel panic on partial unmap of a GPU VA region

This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drmgpuva). The VMBIND interface allows partial unmapping of a BO.

Panthor driver pre-allocates memory for the new drmgpuva structures that would be needed for the map/unmap operation, done using drmgpuvm layer. It expected that only one new drmgpuva would be needed on umap but a partial unmap can require 2 new drmgpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic.

Following dump was seen when partial unmap was exercised. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078 Mem abort info: ESR = 0x0000000096000046 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000 [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000 Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP <snip> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : panthorgpuvasmstepremap+0xe4/0x330 [panthor] lr : panthorgpuvasmstepremap+0x6c/0x330 [panthor] sp : ffff800085d43970 x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000 x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000 x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010 x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58 x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7 x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001 x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078 Call trace: panthorgpuvasmstepremap+0xe4/0x330 [panthor] opremapcb.isra.22+0x50/0x80 __drmgpuvmsmunmap+0x10c/0x1c8 drmgpuvmsmunmap+0x40/0x60 panthorvmexecop+0xb4/0x3d0 [panthor] panthorvmbindexecsyncop+0x154/0x278 [panthor] panthorioctlvmbind+0x160/0x4a0 [panthor] drmioctlkernel+0xbc/0x138 drmioctl+0x240/0x500 _arm64sysioctl+0xb0/0xf8 invokesyscall+0x4c/0x110 el0svccommon.constprop.1+0x98/0xf8 doel0svc+0x24/0x38 el0svc+0x40/0xf8 el0t64synchandler+0xa0/0xc8 el0t64sync+0x174/0x178