{"id":"CVE-2025-40288","summary":"drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices\n\nPreviously, APU platforms (and other scenarios with uninitialized VRAM managers)\ntriggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root\ncause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,\nbut that `man-\u003ebdev` (the backing device pointer within the manager) remains\nuninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully\nset up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to\nacquire `man-\u003ebdev-\u003elru_lock`, it dereferences the NULL `man-\u003ebdev`, leading to\na kernel OOPS.\n\n1. **amdgpu_cs.c**: Extend the existing bandwidth control check in\n   `amdgpu_cs_get_threshold_for_moves()` to include a check for\n   `ttm_resource_manager_used()`. If the manager is not used (uninitialized\n   `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific\n   logic that would trigger the NULL dereference.\n\n2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info\n   reporting to use a conditional: if the manager is used, return the real VRAM\n   usage; otherwise, return 0. This avoids accessing `man-\u003ebdev` when it is\n   NULL.\n\n3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)\n   data write path. Use `ttm_resource_manager_used()` to check validity: if the\n   manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set\n   `fb_usage` to 0 (APUs have no discrete framebuffer to report).\n\nThis approach is more robust than APU-specific checks because it:\n- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),\n- Aligns with TTM's design by using its native helper function,\n- Preserves correct behavior for discrete GPUs (which have fully initialized\n  `man-\u003ebdev` and pass the `ttm_resource_manager_used()` check).\n\nv4: use ttm_resource_manager_used(&adev-\u003emman.vram_mgr.manager) instead of checking the adev-\u003egmc.is_app_apu flag (Christian)","modified":"2026-04-16T04:33:47.825939849Z","published":"2025-12-06T21:51:14.440Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20145-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40288.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40288.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40288"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d38ceaf99ed015f2a0b9af3499791bd3a3daae21"},{"fixed":"e70113b741ba253886cd71dbadfe3ea444bb2f5c"},{"fixed":"1243e396148a65bb6c42a2b70fe43e50c16c494f"},{"fixed":"43aa61c18a3a45042b098b7a1186ffb29364002c"},{"fixed":"070bdce18fb12a49eb9c421e57df17d2ad29bf5f"},{"fixed":"883f309add55060233bf11c1ea6947140372920f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40288.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.2.0"},{"fixed":"6.1.159"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.117"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.59"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40288.json"}}],"schema_version":"1.7.5"}
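The advisory's `details` field describes the bug as a NULL `man->bdev` inside an otherwise valid `ttm_resource_manager`, and the fix as gating every VRAM-usage read behind `ttm_resource_manager_used()`. The user-space C model below is an added example, not kernel code and not the patch itself: the `model_device` and `model_manager` structs are stand-ins for TTM's `ttm_device` and `ttm_resource_manager` carrying only the fields the bug touches, the spinlock is replaced by a plain integer, the threshold arithmetic in `threshold_for_moves_fixed()` is a placeholder, and the dGPU/APU fixtures are constructed. It shows why the crash is a `bdev` dereference rather than a NULL `man`, and how the `used` check keeps both the `AMDGPU_INFO_VRAM_USAGE`-style read and the `amdgpu_cs_get_threshold_for_moves()`-style early-out off that path.

```c
/*
 * Added example for CVE-2025-40288 (not kernel code). "model_" types are
 * simplified stand-ins for TTM's ttm_device / ttm_resource_manager.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct model_device {
	int lru_lock;			/* stand-in for ttm_device::lru_lock */
};

struct model_manager {
	struct model_device *bdev;	/* NULL when the VRAM manager was never set up (APU) */
	bool use_type;			/* what ttm_resource_manager_used() reports */
	uint64_t usage;			/* bytes allocated from this manager */
};

/* Same contract as ttm_resource_manager_used(): true only once initialized. */
static bool model_manager_used(const struct model_manager *man)
{
	return man->use_type;
}

/*
 * Same access pattern as ttm_resource_manager_usage(): the lock is reached
 * through man->bdev, so bdev is dereferenced unconditionally. With bdev == NULL
 * this is the OOPS the advisory describes; callers must not reach it for an
 * unused manager. Note that `man` itself is a perfectly valid pointer here.
 */
static uint64_t model_manager_usage(struct model_manager *man)
{
	int *lock = &man->bdev->lru_lock;	/* NULL dereference if bdev is NULL */
	*lock = 1;				/* "spin_lock" */
	uint64_t usage = man->usage;
	*lock = 0;				/* "spin_unlock" */
	return usage;
}

/* Pre-fix shape of the VRAM-usage report: no guard, oopses on an APU manager. */
static uint64_t vram_usage_unfixed(struct model_manager *vram_mgr)
{
	return model_manager_usage(vram_mgr);
}

/* Post-fix shape: 0 when the manager is not used, real usage otherwise. */
static uint64_t vram_usage_fixed(struct model_manager *vram_mgr)
{
	return model_manager_used(vram_mgr) ? model_manager_usage(vram_mgr) : 0;
}

/*
 * Post-fix shape of the threshold early-out: an unused manager yields zero
 * migration thresholds before any VRAM-specific logic runs. The
 * bandwidth_control_disabled flag stands in for the "existing bandwidth
 * control check" the advisory extends; the arithmetic below is a placeholder.
 */
static void threshold_for_moves_fixed(struct model_manager *vram_mgr,
				      bool bandwidth_control_disabled,
				      uint64_t *max_bytes, uint64_t *max_vis_bytes)
{
	if (bandwidth_control_disabled || !model_manager_used(vram_mgr)) {
		*max_bytes = 0;
		*max_vis_bytes = 0;
		return;
	}
	uint64_t used = model_manager_usage(vram_mgr);	/* safe: manager is used */
	*max_bytes = used / 2;				/* placeholder policy */
	*max_vis_bytes = used / 4;			/* placeholder policy */
}

/* Constructed fixtures: an initialized dGPU manager and an APU manager that
 * was never initialized (bdev NULL, use_type false), as on the affected path. */
static struct model_device dgpu_dev;
static struct model_manager dgpu_vram = { .bdev = &dgpu_dev, .use_type = true, .usage = 1ULL << 30 };
static struct model_manager apu_vram  = { .bdev = NULL, .use_type = false, .usage = 0 };

int main(void)
{
	uint64_t mb, mvb;

	printf("dGPU usage (unfixed path): %llu\n", (unsigned long long)vram_usage_unfixed(&dgpu_vram));
	printf("dGPU usage (fixed path):   %llu\n", (unsigned long long)vram_usage_fixed(&dgpu_vram));
	printf("APU  usage (fixed path):   %llu\n", (unsigned long long)vram_usage_fixed(&apu_vram));
	threshold_for_moves_fixed(&apu_vram, false, &mb, &mvb);
	printf("APU thresholds: %llu / %llu\n", (unsigned long long)mb, (unsigned long long)mvb);
	/* vram_usage_unfixed(&apu_vram) would dereference NULL here, as in the CVE. */
	return 0;
}
```

The point to carry over to a review of similar code: a non-NULL `struct ttm_resource_manager *` says nothing about whether the manager was initialized, so any helper that reaches `man->bdev` needs the `ttm_resource_manager_used()` gate in front of it, not an `is_apu`-style platform check.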