{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40288","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.184Z","datePublished":"2025-12-06T21:51:14.440Z","dateUpdated":"2026-05-11T21:46:27.181Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:46:27.181Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices\n\nPreviously, APU platforms (and other scenarios with uninitialized VRAM managers)\ntriggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root\ncause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,\nbut that `man->bdev` (the backing device pointer within the manager) remains\nuninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully\nset up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to\nacquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to\na kernel OOPS.\n\n1. **amdgpu_cs.c**: Extend the existing bandwidth control check in\n   `amdgpu_cs_get_threshold_for_moves()` to include a check for\n   `ttm_resource_manager_used()`. If the manager is not used (uninitialized\n   `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific\n   logic that would trigger the NULL dereference.\n\n2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info\n   reporting to use a conditional: if the manager is used, return the real VRAM\n   usage; otherwise, return 0. This avoids accessing `man->bdev` when it is\n   NULL.\n\n3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)\n   data write path. Use `ttm_resource_manager_used()` to check validity: if the\n   manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set\n   `fb_usage` to 0 (APUs have no discrete framebuffer to report).\n\nThis approach is more robust than APU-specific checks because it:\n- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),\n- Aligns with TTM's design by using its native helper function,\n- Preserves correct behavior for discrete GPUs (which have fully initialized\n  `man->bdev` and pass the `ttm_resource_manager_used()` check).\n\nv4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c","drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c","drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"],"versions":[{"version":"d38ceaf99ed015f2a0b9af3499791bd3a3daae21","lessThan":"e70113b741ba253886cd71dbadfe3ea444bb2f5c","status":"affected","versionType":"git"},{"version":"d38ceaf99ed015f2a0b9af3499791bd3a3daae21","lessThan":"1243e396148a65bb6c42a2b70fe43e50c16c494f","status":"affected","versionType":"git"},{"version":"d38ceaf99ed015f2a0b9af3499791bd3a3daae21","lessThan":"43aa61c18a3a45042b098b7a1186ffb29364002c","status":"affected","versionType":"git"},{"version":"d38ceaf99ed015f2a0b9af3499791bd3a3daae21","lessThan":"070bdce18fb12a49eb9c421e57df17d2ad29bf5f","status":"affected","versionType":"git"},{"version":"d38ceaf99ed015f2a0b9af3499791bd3a3daae21","lessThan":"883f309add55060233bf11c1ea6947140372920f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c","drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c","drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"],"versions":[{"version":"4.2","status":"affected"},{"version":"0","lessThan":"4.2","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.59","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.9","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.12.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.17.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c"},{"url":"https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f"},{"url":"https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c"},{"url":"https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f"},{"url":"https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f"}],"title":"drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices","x_generator":{"engine":"bippy-1.2.0"}}}}