DEBIAN-CVE-2025-22093

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2025-22093

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-22093.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-22093

Upstream

CVE-2025-22093

Published

2025-04-16T15:16:03Z

Modified

2025-09-19T07:34:28.872322Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid NPD when ASIC does not support DMUB ctx->dmubsrv will de NULL if the ASIC does not support DMUB, which is tested in dmdmubswinit. However, it will be dereferenced in dmubhwlockmgrcmd if shouldusedmublock returns true. This has been the case since dmub support has been added for PSR1. Fix this by checking for dmubsrv in shouldusedmublock. [ 37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 37.447808] #PF: supervisor read access in kernel mode [ 37.452959] #PF: errorcode(0x0000) - not-present page [ 37.458112] PGD 0 P4D 0 [ 37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88 [ 37.478324] Hardware name: Google Morphius/Morphius, BIOS GoogleMorphius.13434.858.0 10/26/2023 [ 37.487103] RIP: 0010:dmubhwlockmgrcmd+0x77/0xb0 [ 37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5 [ 37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202 [ 37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358 [ 37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000 [ 37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5 [ 37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000 [ 37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000 [ 37.551725] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000 [ 37.559814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0 [ 37.572697] Call Trace: [ 37.575152] <TASK> [ 37.577258] ? diebody+0x66/0xb0 [ 37.580756] ? pagefaultoops+0x3e7/0x4a0 [ 37.584861] ? excpagefault+0x3e/0xe0 [ 37.588706] ? excpagefault+0x5c/0xe0 [ 37.592550] ? asmexcpagefault+0x22/0x30 [ 37.596742] ? dmubhwlockmgrcmd+0x77/0xb0 [ 37.601107] dcn10cursorlock+0x1e1/0x240 [ 37.605211] programcursorattributes+0x81/0x190 [ 37.609923] commitplanesforstream+0x998/0x1ef0 [ 37.614722] updateplanesandstreamv2+0x41e/0x5c0 [ 37.619703] dcupdateplanesandstream+0x78/0x140 [ 37.624588] amdgpudmatomiccommittail+0x4362/0x49f0 [ 37.629832] ? srsoreturnthunk+0x5/0x5f [ 37.633847] ? markheldlocks+0x6d/0xd0 [ 37.637774] ? rawspinunlockirq+0x24/0x50 [ 37.642135] ? srsoreturnthunk+0x5/0x5f [ 37.646148] ? lockdephardirqson+0x95/0x150 [ 37.650510] ? srsoreturnthunk+0x5/0x5f [ 37.654522] ? rawspinunlockirq+0x2f/0x50 [ 37.658883] ? srsoreturnthunk+0x5/0x5f [ 37.662897] ? waitforcommon+0x186/0x1c0 [ 37.666998] ? srsoreturnthunk+0x5/0x5f [ 37.671009] ? drmcrtcnextvblankstart+0xc3/0x170 [ 37.675983] committail+0xf5/0x1c0 [ 37.679478] drmatomichelpercommit+0x2a2/0x2b0 [ 37.684186] drmatomiccommit+0xd6/0x100 [ 37.688199] ? _cfidrmprintfninfo+0x10/0x10 [ 37.692911] drmatomichelperupdateplane+0xe5/0x130 [ 37.698054] drmmodecursorcommon+0x501/0x670 [ 37.702600] ? _cfidrmmodecursorioctl+0x10/0x10 [ 37.707572] drmmodecursorioctl+0x48/0x70 [ 37.711851] drmioctlkernel+0xf2/0x150 [ 37.715781] drmioctl+0x363/0x590 [ 37.719189] ? _cfidrmmodecursorioctl+0x10/0x10 [ 37.724165] amdgpudrmioctl+0x41/0x80 [ 37.728013] _sesysioctl+0x7f/0xd0 [ 37.731685] dosyscall64+0x87/0x100 [ 37.735355] ? vmaendread+0x12/0xe0 [ 37.739024] ? srsoreturnthunk+0x5/0x5f [ 37.743041] ? findheldlock+0x47/0xf0 [ 37.746884] ? vmaendread+0x12/0xe0 [ 37.750552] ? srsoreturnthunk+0x5/0 ---truncated---

References

https://security-tracker.debian.org/tracker/CVE-2025-22093

Affected packages

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.135-1

Affected versions

6.*

6.1.27-1

6.1.37-1

6.1.38-1

6.1.38-2~bpo11+1

6.1.38-2

6.1.38-3

6.1.38-4~bpo11+1

6.1.38-4

6.1.52-1

6.1.55-1~bpo11+1

6.1.55-1

6.1.64-1

6.1.66-1

6.1.67-1

6.1.69-1~bpo11+1

6.1.69-1

6.1.76-1~bpo11+1

6.1.76-1

6.1.82-1

6.1.85-1

6.1.90-1~bpo11+1

6.1.90-1

6.1.94-1~bpo11+1

6.1.94-1

6.1.98-1

6.1.99-1

6.1.106-1

6.1.106-2

6.1.106-3

6.1.112-1

6.1.115-1

6.1.119-1

6.1.123-1

6.1.124-1

6.1.128-1

6.1.129-1

6.1.133-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.12.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.12.25-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / linux-6.1

Package

Name: linux-6.1
Purl: pkg:deb/debian/linux-6.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.137-1~deb11u1

Affected versions

6.*

6.1.106-3~deb11u1

6.1.106-3~deb11u2

6.1.106-3~deb11u3

6.1.112-1~deb11u1

6.1.119-1~deb11u1

6.1.128-1~deb11u1

6.1.129-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}