{"id":"CVE-2025-40152","summary":"drm/msm: Fix bootup splat with separate_gpu_drm modparam","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix bootup splat with separate_gpu_drm modparam\n\nThe drm_gem_for_each_gpuvm_bo() call from lookup_vma() accesses\ndrm_gem_obj.gpuva.list, which is not initialized when the drm driver\ndoes not support DRIVER_GEM_GPUVA feature. Enable it for msm_kms\ndrm driver to fix the splat seen when msm.separate_gpu_drm=1 modparam\nis set:\n\n[    9.506020] Unable to handle kernel paging request at virtual address fffffffffffffff0\n[    9.523160] Mem abort info:\n[    9.523161]   ESR = 0x0000000096000006\n[    9.523163]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    9.523165]   SET = 0, FnV = 0\n[    9.523166]   EA = 0, S1PTW = 0\n[    9.523167]   FSC = 0x06: level 2 translation fault\n[    9.523169] Data abort info:\n[    9.523170]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000\n[    9.523171]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    9.523172]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    9.523174] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000ad370f000\n[    9.523176] [fffffffffffffff0] pgd=0000000000000000, p4d=0000000ad4787403, pud=0000000ad4788403, pmd=0000000000000000\n[    9.523184] Internal error: Oops: 0000000096000006 [#1]  SMP\n[    9.592968] CPU: 9 UID: 0 PID: 448 Comm: (udev-worker) Not tainted 6.17.0-rc4-assorted-fix-00005-g0e9bb53a2282-dirty #3 PREEMPT\n[    9.592970] Hardware name: Qualcomm CRD, BIOS 6.0.240718.BOOT.MXF.2.4-00515-HAMOA-1 07/18/2024\n[    9.592971] pstate: a1400005 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[    9.592973] pc : lookup_vma+0x28/0xe0 [msm]\n[    9.592996] lr : get_vma_locked+0x2c/0x128 [msm]\n[    9.763632] sp : ffff800082dab460\n[    9.763666] Call trace:\n[    9.763668]  lookup_vma+0x28/0xe0 [msm] (P)\n[    9.763688]  get_vma_locked+0x2c/0x128 [msm]\n[    9.763706]  msm_gem_get_and_pin_iova_range+0x68/0x11c [msm]\n[    9.763723]  msm_gem_get_and_pin_iova+0x18/0x24 [msm]\n[    9.763740]  msm_fbdev_driver_fbdev_probe+0xd0/0x258 [msm]\n[    9.763760]  __drm_fb_helper_initial_config_and_unlock+0x288/0x528 [drm_kms_helper]\n[    9.763771]  drm_fb_helper_initial_config+0x44/0x54 [drm_kms_helper]\n[    9.763779]  drm_fbdev_client_hotplug+0x84/0xd4 [drm_client_lib]\n[    9.763782]  drm_client_register+0x58/0x9c [drm]\n[    9.763806]  drm_fbdev_client_setup+0xe8/0xcf0 [drm_client_lib]\n[    9.763809]  drm_client_setup+0xb4/0xd8 [drm_client_lib]\n[    9.763811]  msm_drm_kms_post_init+0x2c/0x3c [msm]\n[    9.763830]  msm_drm_init+0x1a8/0x22c [msm]\n[    9.763848]  msm_drm_bind+0x30/0x3c [msm]\n[    9.919273]  try_to_bring_up_aggregate_device+0x168/0x1d4\n[    9.919283]  __component_add+0xa4/0x170\n[    9.919286]  component_add+0x14/0x20\n[    9.919288]  msm_dp_display_probe_tail+0x4c/0xac [msm]\n[    9.919315]  msm_dp_auxbus_done_probe+0x14/0x20 [msm]\n[    9.919335]  dp_aux_ep_probe+0x4c/0xf0 [drm_dp_aux_bus]\n[    9.919341]  really_probe+0xbc/0x298\n[    9.919345]  __driver_probe_device+0x78/0x12c\n[    9.919348]  driver_probe_device+0x40/0x160\n[    9.919350]  __driver_attach+0x94/0x19c\n[    9.919353]  bus_for_each_dev+0x74/0xd4\n[    9.919355]  driver_attach+0x24/0x30\n[    9.919358]  bus_add_driver+0xe4/0x208\n[    9.919360]  driver_register+0x60/0x128\n[    9.919363]  __dp_aux_dp_driver_register+0x24/0x30 [drm_dp_aux_bus]\n[    9.919365]  atana33xc20_init+0x20/0x1000 [panel_samsung_atna33xc20]\n[    9.919370]  do_one_initcall+0x6c/0x1b0\n[    9.919374]  do_init_module+0x58/0x234\n[    9.919377]  load_module+0x19cc/0x1bd4\n[    9.919380]  init_module_from_file+0x84/0xc4\n[    9.919382]  __arm64_sys_finit_module+0x1b8/0x2cc\n[    9.919384]  invoke_syscall+0x48/0x110\n[    9.919389]  el0_svc_common.constprop.0+0xc8/0xe8\n[    9.919393]  do_el0_svc+0x20/0x2c\n[    9.919396]  el0_svc+0x34/0xf0\n[    9.919401]  el0t_64_sync_handler+0xa0/0xe4\n[    9.919403]  el0t_64_sync+0x198/0x19c\n[    9.919407] Code: eb0000bf 54000480 d100a003 aa0303e2 (f8418c44)\n[    9.919410] ---[ end trace 0000000000000000 ]---\n\nPatchwork: https://patchwork.freedesktop.org/pa\n---truncated---","modified":"2026-04-02T12:48:18.431322Z","published":"2025-11-12T10:23:27.925Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40152.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/87aff6d08f3b13bfad66df7c13af5f3a3548d5b9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f028bcafb6dfb4c2bb656cbff9e6a66222d3d3d7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40152.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40152"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"217ed15bd399980981f90f4332bc7ad4b05baa7e"},{"fixed":"87aff6d08f3b13bfad66df7c13af5f3a3548d5b9"},{"fixed":"f028bcafb6dfb4c2bb656cbff9e6a66222d3d3d7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40152.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40152.json"}}],"schema_version":"1.7.5"}