{
  "public_date" : "2025-12-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: drm/msm: Fix pgtable prealloc error path",
    "id" : "2418873",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2418873"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm/msm: Fix pgtable prealloc error path\nThe following splat was reported:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000010\nMem abort info:\nESR = 0x0000000096000004\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x04: level 0 translation fault\nData abort info:\nISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=00000008d0fd8000\n[0000000000000010] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1]  SMP\nCPU: 5 UID: 1000 PID: 149076 Comm: Xwayland Tainted: G S                  6.16.0-rc2-00809-g0b6974bb4134-dirty #367 PREEMPT\nTainted: [S]=CPU_OUT_OF_SPEC\nHardware name: Qualcomm Technologies, Inc. SM8650 HDK (DT)\npstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : build_detached_freelist+0x28/0x224\nlr : kmem_cache_free_bulk.part.0+0x38/0x244\nsp : ffff000a508c7a20\nx29: ffff000a508c7a20 x28: ffff000a508c7d50 x27: ffffc4e49d16f350\nx26: 0000000000000058 x25: 00000000fffffffc x24: 0000000000000000\nx23: ffff00098c4e1450 x22: 00000000fffffffc x21: 0000000000000000\nx20: ffff000a508c7af8 x19: 0000000000000002 x18: 00000000000003e8\nx17: ffff000809523850 x16: ffff000809523820 x15: 0000000000401640\nx14: ffff000809371140 x13: 0000000000000130 x12: ffff0008b5711e30\nx11: 00000000001058fa x10: 0000000000000a80 x9 : ffff000a508c7940\nx8 : ffff000809371ba0 x7 : 781fffe033087fff x6 : 0000000000000000\nx5 : ffff0008003cd000 x4 : 781fffe033083fff x3 : ffff000a508c7af8\nx2 : fffffdffc0000000 x1 : 0001000000000000 x0 : ffff0008001a6a00\nCall trace:\nbuild_detached_freelist+0x28/0x224 (P)\nkmem_cache_free_bulk.part.0+0x38/0x244\nkmem_cache_free_bulk+0x10/0x1c\nmsm_iommu_pagetable_prealloc_cleanup+0x3c/0xd0\nmsm_vma_job_free+0x30/0x240\nmsm_ioctl_vm_bind+0x1d0/0x9a0\ndrm_ioctl_kernel+0x84/0x104\ndrm_ioctl+0x358/0x4d4\n__arm64_sys_ioctl+0x8c/0xe0\ninvoke_syscall+0x44/0x100\nel0_svc_common.constprop.0+0x3c/0xe0\ndo_el0_svc+0x18/0x20\nel0_svc+0x30/0x100\nel0t_64_sync_handler+0x104/0x130\nel0t_64_sync+0x170/0x174\nCode: aa0203f5 b26287e2 f2dfbfe2 aa0303f4 (f8737ab6)\n---[ end trace 0000000000000000 ]---\nSince msm_vma_job_free() is called directly from the ioctl, this looks\nlike an error path cleanup issue.  Which I think results from\nprealloc_cleanup() called without a preceding successful\nprealloc_allocate() call.  So handle that case better.\nPatchwork: https://patchwork.freedesktop.org/patch/678677/" ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40247\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40247\nhttps://lore.kernel.org/linux-cve-announce/2025120429-CVE-2025-40247-14ed@gregkh/T" ],
  "name" : "CVE-2025-40247",
  "csaw" : false
}
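The trace in the record shows msm_iommu_pagetable_prealloc_cleanup() reached from msm_vma_job_free() on the ioctl error path, and kmem_cache_free_bulk() (via build_detached_freelist()) faulting on address 0x10, which is consistent with the commit message's reading: cleanup ran although prealloc_allocate() never succeeded, so the bulk free walked a page array that was never populated. The C program below is an added userspace model of that error-path pattern and of one way a cleanup routine can tolerate it; it is not code from drm/msm, from the slab allocator or from the actual fix. The struct prealloc layout, prealloc_count(), prealloc_allocate(), the two cleanup variants, the step order of the modelled ioctl, and the would_oops counter (which stands in for the kernel data abort so the program does not crash) are all assumptions for illustration; the real patch's exact check is not reproduced here.

```c
/* Added example: userspace model of the prealloc error path, not drm/msm code.
 * All names, the struct layout and the ioctl step order are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096

struct prealloc {
	void **pages;   /* preallocated page-table pages; NULL until allocate() succeeds */
	unsigned count; /* how many pages the job may need; set before allocate() runs */
};

static int would_oops;  /* where the kernel would take the NULL-pointer data abort */
static int live_pages;  /* outstanding page allocations, to check nothing leaks */

/* Stand-in for kmem_cache_free_bulk(): walks objs[] for `count` entries.
 * The real helper has no NULL check; here the fault is recorded, not taken. */
static void free_bulk(unsigned count, void **objs)
{
	if (count && !objs) {
		would_oops++;
		return;
	}
	for (unsigned i = 0; i < count; i++) {
		free(objs[i]);
		live_pages--;
	}
}

/* Step 1 of the modelled ioctl: size the preallocation. */
static void prealloc_count(struct prealloc *p, unsigned needed)
{
	p->count = needed;
}

/* Step 3: allocate p->count pages. Leaves p->pages NULL on failure so that a
 * cleanup routine can tell "never/unsuccessfully allocated" from "allocated". */
static int prealloc_allocate(struct prealloc *p)
{
	p->pages = calloc(p->count, sizeof(*p->pages));
	if (!p->pages)
		return -1;
	for (unsigned i = 0; i < p->count; i++) {
		p->pages[i] = malloc(PAGE_SIZE);
		if (!p->pages[i]) {
			free_bulk(i, p->pages);
			free(p->pages);
			p->pages = NULL;
			return -1;
		}
		live_pages++;
	}
	return 0;
}

/* Buggy cleanup: assumes allocate() ran. With count != 0 (sizing done) and
 * pages == NULL (allocation never reached) this is the reported Oops. */
static void prealloc_cleanup_buggy(struct prealloc *p)
{
	free_bulk(p->count, p->pages);
	free(p->pages);
}

/* Tolerant cleanup: a NULL pages array means there is nothing to return. */
static void prealloc_cleanup_fixed(struct prealloc *p)
{
	if (!p->pages)
		return;
	free_bulk(p->count, p->pages);
	free(p->pages);
	p->pages = NULL;
	p->count = 0;
}

/* Error path: size the preallocation, then fail in an unrelated setup step
 * before allocate() runs, then tear down. Returns the would-be Oops count. */
static int run_early_failure(void (*cleanup)(struct prealloc *))
{
	struct prealloc p;
	would_oops = 0;
	memset(&p, 0, sizeof(p));
	prealloc_count(&p, 3);
	/* ... a later setup step fails here; prealloc_allocate() never runs ... */
	cleanup(&p); /* unconditional teardown, as from job_free() */
	return would_oops;
}

/* Normal path: allocate, then clean up. Returns pages still live (expect 0),
 * or -1 if allocation failed or the cleanup tripped a would-be fault. */
static int run_normal_teardown(void (*cleanup)(struct prealloc *))
{
	struct prealloc p;
	would_oops = 0;
	live_pages = 0;
	memset(&p, 0, sizeof(p));
	prealloc_count(&p, 3);
	if (prealloc_allocate(&p) < 0)
		return -1;
	cleanup(&p);
	return would_oops ? -1 : live_pages;
}

int main(void)
{
	printf("buggy cleanup, early failure: %d would-be Oops\n",
	       run_early_failure(prealloc_cleanup_buggy));
	printf("fixed cleanup, early failure: %d would-be Oops\n",
	       run_early_failure(prealloc_cleanup_fixed));
	printf("fixed cleanup, normal teardown: %d pages leaked\n",
	       run_normal_teardown(prealloc_cleanup_fixed));
	return 0;
}
```

The state that has to be tolerated is the one between steps 1 and 3: a non-zero count with no backing array. Any teardown that is reachable from an error path (here, the job free called directly from the ioctl) must be safe against every partially-initialised state that can precede it, which in practice means keying the release on the resource pointer rather than on the size that was computed for it.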