CVE-2025-40037

Source: https://nvd.nist.gov/vuln/detail/CVE-2025-40037
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40037.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2025-40037
Published: 2025-10-28T11:48:18Z
Modified: 2025-10-28T20:25:44.467991Z
Summary
fbdev: simplefb: Fix use after free in simplefb_detach_genpds()
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: simplefb: Fix use after free in simplefb_detach_genpds()

The pmdomain cleanup cannot be devres managed as it uses struct simplefb_par which is allocated within struct fb_info by framebuffer_alloc(). This allocation is explicitly freed by unregister_framebuffer() in simplefb_remove(). Devres managed cleanup runs after the device remove call and thus can no longer access struct simplefb_par. Call simplefb_detach_genpds() explicitly from simplefb_destroy() like the cleanup functions for clocks and regulators.

Fixes a use after free on M2 Mac mini during aperture_remove_conflicting_devices() using the downstream asahi kernel with Debian's kernel config. For unknown reasons this started to consistently dereference an invalid pointer in v6.16.3 based kernels.

[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220
[ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227
[ 6.750697]
[ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPT_LAZY
[ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC
[ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)
[ 6.752189] Call trace:
[ 6.752190] show_stack+0x34/0x98 (C)
[ 6.752194] dump_stack_lvl+0x60/0x80
[ 6.752197] print_report+0x17c/0x4d8
[ 6.752201] kasan_report+0xb4/0x100
[ 6.752206] __asan_report_load4_noabort+0x20/0x30
[ 6.752209] simplefb_detach_genpds+0x58/0x220
[ 6.752213] devm_action_release+0x50/0x98
[ 6.752216] release_nodes+0xd0/0x2c8
[ 6.752219] devres_release_all+0xfc/0x178
[ 6.752221] device_unbind_cleanup+0x28/0x168
[ 6.752224] device_release_driver_internal+0x34c/0x470
[ 6.752228] device_release_driver+0x20/0x38
[ 6.752231] bus_remove_device+0x1b0/0x380
[ 6.752234] device_del+0x314/0x820
[ 6.752238] platform_device_del+0x3c/0x1e8
[ 6.752242] platform_device_unregister+0x20/0x50
[ 6.752246] aperture_detach_platform_device+0x1c/0x30
[ 6.752250] aperture_detach_devices+0x16c/0x290
[ 6.752253] aperture_remove_conflicting_devices+0x34/0x50
...
[ 6.752343]
[ 6.967409] Allocated by task 62:
[ 6.970724] kasan_save_stack+0x3c/0x70
[ 6.974560] kasan_save_track+0x20/0x40
[ 6.978397] kasan_save_alloc_info+0x40/0x58
[ 6.982670] __kasan_kmalloc+0xd4/0xd8
[ 6.986420] __kmalloc_noprof+0x194/0x540
[ 6.990432] framebuffer_alloc+0xc8/0x130
[ 6.994444] simplefb_probe+0x258/0x2378
...
[ 7.054356]
[ 7.055838] Freed by task 227:
[ 7.058891] kasan_save_stack+0x3c/0x70
[ 7.062727] kasan_save_track+0x20/0x40
[ 7.066565] kasan_save_free_info+0x4c/0x80
[ 7.070751] __kasan_slab_free+0x6c/0xa0
[ 7.074675] kfree+0x10c/0x380
[ 7.077727] framebuffer_release+0x5c/0x90
[ 7.081826] simplefb_destroy+0x1b4/0x2c0
[ 7.085837] put_fb_info+0x98/0x100
[ 7.089326] unregister_framebuffer+0x178/0x320
[ 7.093861] simplefb_remove+0x3c/0x60
[ 7.097611] platform_remove+0x60/0x98
[ 7.101361] device_remove+0xb8/0x160
[ 7.105024] device_release_driver_internal+0x2fc/0x470
[ 7.110256] device_release_driver+0x20/0x38
[ 7.114529] bus_remove_device+0x1b0/0x380
[ 7.118628] device_del+0x314/0x820
[ 7.122116] platform_device_del+0x3c/0x1e8
[ 7.126302] platform_device_unregister+0x20/0x50
[ 7.131012] aperture_detach_platform_device+0x1c/0x30
[ 7.136157] aperture_detach_devices+0x16c/0x290
[ 7.140779] aperture_remove_conflicting_devices+0x34/0x50
...
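
The teardown ordering described in the commit message above, as a userspace model added to this record (it is not the kernel driver's code and not part of the commit). The struct and function names are simplified stand-ins chosen for the example; the model keeps the allocation alive and marks it released with a flag, so the late access is counted rather than actually performed.

```c
/* Userspace model of the teardown ordering; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct par { bool genpds_attached; };           /* stands in for struct simplefb_par */
struct fb_info { bool live; struct par par; };  /* par is part of the fb_info allocation */

struct device {
    struct fb_info *info;
    void (*devres_action)(struct device *, struct par *); /* one devm action slot */
    int stale_accesses;  /* touches of par after release (what KASAN reports) */
    int clean_detaches;  /* detaches done while par was still valid */
};

static void detach_genpds(struct device *dev, struct par *par)
{
    struct fb_info *info =
        (struct fb_info *)((char *)par - offsetof(struct fb_info, par));

    if (!info->live) {   /* in the kernel: a read of freed slab memory */
        dev->stale_accesses++;
        return;
    }
    par->genpds_attached = false;
    dev->clean_detaches++;
}

static void probe(struct device *dev, bool fixed)
{
    dev->info = calloc(1, sizeof(*dev->info));  /* models framebuffer_alloc() */
    if (!dev->info)
        abort();
    dev->info->live = true;
    dev->info->par.genpds_attached = true;
    if (!fixed)                                 /* before the fix: devres-managed cleanup */
        dev->devres_action = detach_genpds;
}

static void fb_destroy(struct device *dev, bool fixed)
{
    if (fixed)                                  /* after the fix: explicit call, par still valid */
        detach_genpds(dev, &dev->info->par);
    dev->info->live = false;                    /* models framebuffer_release() */
}

static void release_driver(struct device *dev, bool fixed)
{
    fb_destroy(dev, fixed);                     /* remove -> unregister_framebuffer -> destroy */
    if (dev->devres_action)                     /* devres actions run only after remove */
        dev->devres_action(dev, &dev->info->par);
    free(dev->info);                            /* the model frees for real only at the end */
}

/* Returns the number of accesses to released memory; *clean gets the valid detaches. */
int run_teardown(bool fixed, int *clean)
{
    struct device dev = {0};

    probe(&dev, fixed);
    release_driver(&dev, fixed);
    *clean = dev.clean_detaches;
    return dev.stale_accesses;
}

int main(void)
{
    int clean;
    int stale = run_teardown(false, &clean);
    printf("devres-managed: stale=%d clean=%d\n", stale, clean);
    stale = run_teardown(true, &clean);
    printf("explicit call:  stale=%d clean=%d\n", stale, clean);
    return 0;
}
```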

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 92a511a568e44cf11681a2223cae4d576a1a515d
  Fixed: b1deb39cfd614fb2f278b71011692a8dbf0f05ba

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 92a511a568e44cf11681a2223cae4d576a1a515d
  Fixed: b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 92a511a568e44cf11681a2223cae4d576a1a515d
  Fixed: da1bb9135213744e7ec398826c8f2e843de4fb94

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.6
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures


Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 6.8.0
  Fixed: 6.12.53

Type: ECOSYSTEM
Events:
  Introduced: 6.13.0
  Fixed: 6.17.3