In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]drm/gem: Acquire references on GEM handles for framebuffers[EOL][EOL]A GEM handle can be released while the GEM buffer object is attached[EOL]to a DRM framebuffer. This leads to the release of the dma-buf backing[EOL]the buffer object, if any. [1] Trying to use the framebuffer in further[EOL]mode-setting operations leads to a segmentation fault. Most easily[EOL]happens with driver that use shadow planes for vmap-ing the dma-buf[EOL]during a page flip. An example is shown below.[EOL][EOL][ 156.791968] ------------[ cut here ]------------[EOL][ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430[EOL][...][EOL][ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430[EOL][ 157.043420] Call Trace:[EOL][ 157.045898] <TASK>[EOL][ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0[EOL][ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0[EOL][ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0[EOL][ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710[EOL][ 157.065567] ? dma_buf_vmap+0x224/0x430[EOL][ 157.069446] ? __warn.cold+0x58/0xe4[EOL][ 157.073061] ? dma_buf_vmap+0x224/0x430[EOL][ 157.077111] ? report_bug+0x1dd/0x390[EOL][ 157.080842] ? handle_bug+0x5e/0xa0[EOL][ 157.084389] ? exc_invalid_op+0x14/0x50[EOL][ 157.088291] ? asm_exc_invalid_op+0x16/0x20[EOL][ 157.092548] ? dma_buf_vmap+0x224/0x430[EOL][ 157.096663] ? dma_resv_get_singleton+0x6d/0x230[EOL][ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10[EOL][ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10[EOL][ 157.110697] drm_gem_shmem_vmap+0x74/0x710[EOL][ 157.114866] drm_gem_vmap+0xa9/0x1b0[EOL][ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0[EOL][ 157.123086] drm_gem_fb_vmap+0xab/0x300[EOL][ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10[EOL][ 157.133032] ? lockdep_init_map_type+0x19d/0x880[EOL][ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0[EOL][ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180[EOL][ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40[EOL][...][EOL][ 157.346424] ---[ end trace 0000000000000000 ]---[EOL][EOL]Acquiring GEM handles for the framebuffer's GEM buffer objects prevents[EOL]this from happening. The framebuffer's cleanup later puts the handle[EOL]references.[EOL][EOL]Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object[EOL]instance") triggers the segmentation fault easily by using the dma-buf[EOL]field more widely. The underlying issue with reference counting has[EOL]been present before.[EOL][EOL]v2:[EOL]- acquire the handle instead of the BO (Christian)[EOL]- fix comment style (Christian)[EOL]- drop the Fixes tag (Christian)[EOL]- rename err_ gotos[EOL]- add missing Link tag
CREATE(Triage):(User=admin) [CVE-2025-38449 (https://nvd.nist.gov/vuln/detail/CVE-2025-38449)
