Overview
CVE-2025-40225 describes a denial-of-service vulnerability in the Linux kernel's Panthor DRM driver (the driver for Arm Mali CSF-based GPUs). The flaw causes a kernel oops, and on systems configured to panic on oops a kernel panic, when userspace partially unmaps a GPU virtual address region through the driver's VM_BIND interface. It stems from how the driver pre-allocates the memory needed to split an existing mapping during an unmap of part of a buffer object (BO): room is reserved for one new region descriptor while a partial unmap can require two. The bug has been fixed upstream and the fix backported to the stable kernel trees.
Technical Details
The vulnerability lies in the drm/panthor driver's handling of partial unmaps of GPU virtual address regions. Each mapped region is tracked by a struct drm_gpuva that is managed by the generic drm_gpuvm layer, and the VM_BIND interface lets userspace unmap only part of a mapped buffer object. Panthor pre-allocates, ahead of executing a map or unmap operation, the drm_gpuva structures that the drm_gpuvm state machine will need while carrying it out.
The driver incorrectly assumed that an unmap operation can require at most one new drm_gpuva. Unmapping a range that lies strictly inside an existing mapping, however, leaves mapped pieces on both sides of the hole, so the drm_gpuvm layer's remap step needs two new structures: one for the remainder preceding the hole and one for the remainder following it. With only one pre-allocated, the second is NULL, and panthor_gpuva_sm_step_remap writes through it (the fault address 0x78 in the dump below is a field offset from a NULL base). This is a kernel oops in the ioctl path; where panic_on_oops is set, as is common on production systems, it becomes a full kernel panic.
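To make the allocation-count mistake concrete, here is an added toy model in C. It is not code from the panthor driver or the drm_gpuvm layer; the names va_region, remap_plan, plan_remap, prealloc_pool, unmap_with_prealloc and the demo_* helpers are invented for the illustration, and the 1 MiB mapping at GPU VA 0x100000 is a constructed input. The model works out which pieces of a mapped region survive a partial unmap, and therefore how many replacement region descriptors the remap needs, then executes the unmap against a pool that reserved either one or two of them.

```c
/*
 * Added toy model, not panthor or drm_gpuvm code: a partial unmap of a GPU VA
 * region becomes a "remap" needing 0, 1 or 2 replacement region structures;
 * reserving only one fails when the hole is punched in the middle.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a drm_gpuva: one contiguous GPU VA range [start, end). */
struct va_region { uint64_t start, end; };

/* What survives of a region once [ustart, uend) is removed from it. */
struct remap_plan {
    int need_prev, need_next;        /* head / tail piece remains mapped */
    struct va_region prev, next;
};

/* Number of replacement regions needed (0, 1 or 2); -1 if no overlap. */
int plan_remap(const struct va_region *va, uint64_t ustart, uint64_t uend,
               struct remap_plan *out)
{
    memset(out, 0, sizeof(*out));
    if (ustart >= uend || uend <= va->start || ustart >= va->end)
        return -1;
    if (ustart > va->start) {                 /* keep [va->start, ustart) */
        out->need_prev = 1;
        out->prev = (struct va_region){ va->start, ustart };
    }
    if (uend < va->end) {                     /* keep [uend, va->end) */
        out->need_next = 1;
        out->next = (struct va_region){ uend, va->end };
    }
    return out->need_prev + out->need_next;
}

/* Toy pool of regions reserved before the unmap runs (at most two). */
struct prealloc_pool { struct va_region *slot[2]; };

static void pool_init(struct prealloc_pool *p, int n)
{
    for (int i = 0; i < 2; i++)
        p->slot[i] = (i < n) ? calloc(1, sizeof(struct va_region)) : NULL;
}

/* Next reserved region, or NULL once the pool is exhausted. */
static struct va_region *pool_take(struct prealloc_pool *p)
{
    for (int i = 0; i < 2; i++)
        if (p->slot[i]) {
            struct va_region *r = p->slot[i];
            p->slot[i] = NULL;
            return r;
        }
    return NULL;
}

/*
 * Run the unmap with `prealloc` reserved regions. Returns 0 on success, -1
 * when a replacement was needed but none was left; the unfixed driver had no
 * such check and wrote through the NULL pointer instead.
 */
int unmap_with_prealloc(int prealloc, const struct va_region *va,
                        uint64_t ustart, uint64_t uend)
{
    struct remap_plan plan;
    struct prealloc_pool pool;
    int ret = 0;

    if (plan_remap(va, ustart, uend, &plan) < 0)
        return -1;
    pool_init(&pool, prealloc);
    for (int i = 0; i < 2 && ret == 0; i++) {
        if (!(i == 0 ? plan.need_prev : plan.need_next))
            continue;
        struct va_region *r = pool_take(&pool);
        if (!r) {
            ret = -1;                         /* real driver: oops here */
        } else {
            *r = i == 0 ? plan.prev : plan.next;
            free(r);                          /* would be linked into the VM */
        }
    }
    for (int i = 0; i < 2; i++)
        free(pool.slot[i]);                   /* free(NULL) is a no-op */
    return ret;
}

/* Constructed scenario: one 1 MiB mapping at GPU VA 0x100000. */
static const struct va_region demo_va = { 0x100000, 0x200000 };

int demo_pieces(uint64_t ustart, uint64_t uend)
{
    struct remap_plan p;
    return plan_remap(&demo_va, ustart, uend, &p);
}

int demo_unmap(int prealloc, uint64_t ustart, uint64_t uend)
{
    return unmap_with_prealloc(prealloc, &demo_va, ustart, uend);
}

int main(void)
{
    printf("middle unmap needs %d replacement(s)\n", demo_pieces(0x140000, 0x180000));
    printf("1 reserved: %s\n", demo_unmap(1, 0x140000, 0x180000) ? "exhausted (oops)" : "ok");
    printf("2 reserved: %s\n", demo_unmap(2, 0x140000, 0x180000) ? "exhausted" : "ok");
    return 0;
}
```

Unmapping the head or the tail of a region needs one replacement and succeeds with a single reserved descriptor, which is why the problem only appears when a hole is punched in the middle of a mapping. Reserving for the worst case, two descriptors, is the straightforward remedy, as the prealloc=2 call shows.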
The following arm64 kernel dump illustrates the issue; note the fault address 0x78, the faulting function panthor_gpuva_sm_step_remap, and the ioctl path leading to it:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078
Mem abort info:
ESR = 0x0000000096000046
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000
CM = 0, WnR = 1, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000
[000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000
Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP
<snip>
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]
sp : ffff800085d43970
x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000
x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000
x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180
x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010
x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c
x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58
x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c
x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7
x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001
x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078
Call trace:
panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]
op_remap_cb.isra.22+0x50/0x80
__drm_gpuvm_sm_unmap+0x10c/0x1c8
drm_gpuvm_sm_unmap+0x40/0x60
panthor_vm_exec_op+0xb4/0x3d0 [panthor]
panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]
panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]
drm_ioctl_kernel+0xbc/0x138
drm_ioctl+0x240/0x500
__arm64_sys_ioctl+0xb0/0xf8
invoke_syscall+0x4c/0x110
el0_svc_common.constprop.1+0x98/0xf8
do_el0_svc+0x24/0x38
el0_svc+0x40/0xf8
el0t_64_sync_handler+0xa0/0xc8
el0t_64_sync+0x174/0x178
CVSS Analysis
At the time of writing, no CVSS score has been assigned to CVE-2025-40225. The fault is reachable with a single ioctl by a local user who can open the Panthor DRM device node, and its effect is limited to availability: the kernel oopses, and panics where panic_on_oops is set. As an estimate, a CVSS v3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H fits that profile and scores 5.5 (Medium); the earlier assumption that this would be rated high severity is not supported by the impact, which is a crash with no confidentiality or integrity loss.
Possible Impact
Triggering CVE-2025-40225 results in a denial of service. A local user or process with access to the Panthor DRM device node can issue a VM_BIND ioctl that unmaps the middle of a mapped region and crash the kernel, taking down every service on the host and losing any unsaved state. The same reach extends to containers or sandboxes that have the GPU render node passed through to them, since the ioctl is all that is needed. There is no indication of a memory-corruption primitive beyond the NULL pointer write.
Mitigation or Patch Steps
The vulnerability is fixed by the following commits in the stable kernel trees. To remediate it, apply these patches or upgrade to a kernel release that contains them:
- https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f
- https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645
- https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e
Updating to the latest stable kernel is the recommended course, as it also picks up other fixes alongside CVE-2025-40225; check your distribution's changelog or security tracker for the CVE identifier to confirm the backport is present. Where an immediate update is not possible, exposure can be reduced by restricting which users and containers may open the Panthor render node, since triggering the bug requires issuing a VM_BIND ioctl on it.
