DEBIAN-CVE-2025-40037

In the Linux kernel, the following vulnerability has been resolved: fbdev: simplefb: Fix use after free in simplefbdetachgenpds() The pmdomain cleanup can not be devres managed as it uses struct simplefbpar which is allocated within struct fbinfo by framebufferalloc(). This allocation is explicitly freed by unregisterframebuffer() in simplefbremove(). Devres managed cleanup runs after the device remove call and thus can no longer access struct simplefbpar. Call simplefbdetachgenpds() explicitly from simplefbdestroy() like the cleanup functions for clocks and regulators. Fixes an use after free on M2 Mac mini during apertureremoveconflictingdevices() using the downstream asahi kernel with Debian's kernel config. For unknown reasons this started to consistently dereference an invalid pointer in v6.16.3 based kernels. [ 6.736134] BUG: KASAN: slab-use-after-free in simplefbdetachgenpds+0x58/0x220 [ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227 [ 6.750697] [ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY [ 6.752186] Tainted: [S]=CPUOUTOFSPEC [ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT) [ 6.752189] Call trace: [ 6.752190] showstack+0x34/0x98 (C) [ 6.752194] dumpstacklvl+0x60/0x80 [ 6.752197] printreport+0x17c/0x4d8 [ 6.752201] kasanreport+0xb4/0x100 [ 6.752206] _asanreportload4noabort+0x20/0x30 [ 6.752209] simplefbdetachgenpds+0x58/0x220 [ 6.752213] devmactionrelease+0x50/0x98 [ 6.752216] releasenodes+0xd0/0x2c8 [ 6.752219] devresreleaseall+0xfc/0x178 [ 6.752221] deviceunbindcleanup+0x28/0x168 [ 6.752224] devicereleasedriverinternal+0x34c/0x470 [ 6.752228] devicereleasedriver+0x20/0x38 [ 6.752231] busremovedevice+0x1b0/0x380 [ 6.752234] devicedel+0x314/0x820 [ 6.752238] platformdevicedel+0x3c/0x1e8 [ 6.752242] platformdeviceunregister+0x20/0x50 [ 6.752246] aperturedetachplatformdevice+0x1c/0x30 [ 6.752250] aperturedetachdevices+0x16c/0x290 [ 6.752253] apertureremoveconflictingdevices+0x34/0x50 ... [ 6.752343] [ 6.967409] Allocated by task 62: [ 6.970724] kasansavestack+0x3c/0x70 [ 6.974560] kasansavetrack+0x20/0x40 [ 6.978397] kasansaveallocinfo+0x40/0x58 [ 6.982670] _kasankmalloc+0xd4/0xd8 [ 6.986420] _kmallocnoprof+0x194/0x540 [ 6.990432] framebufferalloc+0xc8/0x130 [ 6.994444] simplefbprobe+0x258/0x2378 ... [ 7.054356] [ 7.055838] Freed by task 227: [ 7.058891] kasansavestack+0x3c/0x70 [ 7.062727] kasansavetrack+0x20/0x40 [ 7.066565] kasansavefreeinfo+0x4c/0x80 [ 7.070751] _kasanslabfree+0x6c/0xa0 [ 7.074675] kfree+0x10c/0x380 [ 7.077727] framebufferrelease+0x5c/0x90 [ 7.081826] simplefbdestroy+0x1b4/0x2c0 [ 7.085837] putfbinfo+0x98/0x100 [ 7.089326] unregisterframebuffer+0x178/0x320 [ 7.093861] simplefbremove+0x3c/0x60 [ 7.097611] platformremove+0x60/0x98 [ 7.101361] deviceremove+0xb8/0x160 [ 7.105024] devicereleasedriverinternal+0x2fc/0x470 [ 7.110256] devicereleasedriver+0x20/0x38 [ 7.114529] busremovedevice+0x1b0/0x380 [ 7.118628] devicedel+0x314/0x820 [ 7.122116] platformdevicedel+0x3c/0x1e8 [ 7.126302] platformdeviceunregister+0x20/0x50 [ 7.131012] aperturedetachplatformdevice+0x1c/0x30 [ 7.136157] aperturedetachdevices+0x16c/0x290 [ 7.140779] apertureremoveconflicting_devices+0x34/0x50 ...