In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix bootup splat with separate_gpu_drm modparam
The drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses drm_gem_obj.gpuva.list, which is not initialized when the drm driver does not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms drm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam is set:
[ 9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0
[ 9.523160] Mem abort info:
[ 9.523161] ESR = 0x0000000096000006
[ 9.523163] EC = 0x25: DABT (current EL), IL = 32 bits
[ 9.523165] SET = 0, FnV = 0
[ 9.523166] EA = 0, S1PTW = 0
[ 9.523167] FSC = 0x06: level 2 translation fault
[ 9.523169] Data abort info:
[ 9.523170] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[ 9.523171] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 9.523172] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000
[ 9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000
[ 9.523184] Internal error: Oops: 0000000096000006 [#1] SMP
[ 9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT
[ 9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024
[ 9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 9.592973] pc : lookup_vma+0x28/0xe0 [msm]
[ 9.592996] lr : get_vma_locked+0x2c/0x128 [msm]
[ 9.763632] sp : ffff800082dab460
[ 9.763666] Call trace:
[ 9.763668] lookup_vma+0x28/0xe0 [msm] (P)
[ 9.763688] get_vma_locked+0x2c/0x128 [msm]
[ 9.763706] msm_gem_get_and_pin_iova_range+0x68/0x11c [msm]
[ 9.763723] msm_gem_get_and_pin_iova+0x18/0x24 [msm]
[ 9.763740] msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm]
[ 9.763760] __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper]
[ 9.763771] drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper]
[ 9.763779] drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib]
[ 9.763782] drm_client_register+0x58/0x9c [drm]
[ 9.763806] drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib]
[ 9.763809] drm_client_setup+0xb4/0xd8 [drm_client_lib]
[ 9.763811] msm_drm_kms_post_init+0x2c/0x3c [msm]
[ 9.763830] msm_drm_init+0x1a8/0x22c [msm]
[ 9.763848] msm_drm_bind+0x30/0x3c [msm]
[ 9.919273] try_to_bring_up_aggregate_device+0x168/0x1d4
[ 9.919283] __component_add+0xa4/0x170
[ 9.919286] component_add+0x14/0x20
[ 9.919288] msm_dp_display_probe_tail+0x4c/0xac [msm]
[ 9.919315] msm_dp_auxbus_done_probe+0x14/0x20 [msm]
[ 9.919335] dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus]
[ 9.919341] really_probe+0xbc/0x298
[ 9.919345] __driver_probe_device+0x78/0x12c
[ 9.919348] driver_probe_device+0x40/0x160
[ 9.919350] __driver_attach+0x94/0x19c
[ 9.919353] bus_for_each_dev+0x74/0xd4
[ 9.919355] driver_attach+0x24/0x30
[ 9.919358] bus_add_driver+0xe4/0x208
[ 9.919360] driver_register+0x60/0x128
[ 9.919363] __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus]
[ 9.919365] atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20]
[ 9.919370] do_one_initcall+0x6c/0x1b0
[ 9.919374] do_init_module+0x58/0x234
[ 9.919377] load_module+0x19cc/0x1bd4
[ 9.919380] init_module_from_file+0x84/0xc4
[ 9.919382] __arm64_sys_finit_module+0x1b8/0x2cc
[ 9.919384] invoke_syscall+0x48/0x110
[ 9.919389] el0_svc_common.constprop.0+0xc8/0xe8
[ 9.919393] do_el0_svc+0x20/0x2c
[ 9.919396] el0_svc+0x34/0xf0
[ 9.919401] el0t_64_sync_handler+0xa0/0xe4
[ 9.919403] el0t_64_sync+0x198/0x19c
[ 9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44)
[ 9.919410] ---[ end trace 0000000000000000 ]---
Patchwork: https://patchwork.freedesktop.org/pa ---truncated---
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40152.json"
}