CVE-2025-68189
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix GEM free for imported dma-bufs
Imported dma-bufs also have obj->resv != &obj->_resv. So we should check this condition in addition to the flags when handling the _NO_SHARE case.
Fixes this splat that was reported with IRIS video playback:
------------[ cut here ]------------
WARNING: CPU: 3 PID: 2040 at drivers/gpu/drm/msm/msm_gem.c:1127 msm_gem_free_object+0x1f8/0x264 [msm]
CPU: 3 UID: 1000 PID: 2040 Comm: .gnome-shell-wr Not tainted 6.17.0-rc7 #1 PREEMPT
pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : msm_gem_free_object+0x1f8/0x264 [msm]
lr : msm_gem_free_object+0x138/0x264 [msm]
sp : ffff800092a1bb30
x29: ffff800092a1bb80 x28: ffff800092a1bce8 x27: ffffbc702dbdbe08
x26: 0000000000000008 x25: 0000000000000009 x24: 00000000000000a6
x23: ffff00083c72f850 x22: ffff00083c72f868 x21: ffff00087e69f200
x20: ffff00087e69f330 x19: ffff00084d157ae0 x18: 0000000000000000
x17: 0000000000000000 x16: ffffbc704bd46b80 x15: 0000ffffd0959540
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: ffffbc702e6cdb48 x10: 0000000000000000 x9 : 000000000000003f
x8 : ffff800092a1ba90 x7 : 0000000000000000 x6 : 0000000000000020
x5 : ffffbc704bd46c40 x4 : fffffdffe102cf60 x3 : 0000000000400032
x2 : 0000000000020000 x1 : ffff00087e6978e8 x0 : ffff00087e6977e8
Call trace:
 msm_gem_free_object+0x1f8/0x264 [msm] (P)
 drm_gem_object_free+0x1c/0x30 [drm]
 drm_gem_object_handle_put_unlocked+0x138/0x150 [drm]
 drm_gem_object_release_handle+0x5c/0xcc [drm]
 drm_gem_handle_delete+0x68/0xbc [drm]
 drm_gem_close_ioctl+0x34/0x40 [drm]
 drm_ioctl_kernel+0xc0/0x130 [drm]
 drm_ioctl+0x360/0x4e0 [drm]
 __arm64_sys_ioctl+0xac/0x104
 invoke_syscall+0x48/0x104
 el0_svc_common.constprop.0+0x40/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x34/0xec
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x198/0x19c
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
Patchwork: https://patchwork.freedesktop.org/patch/676273/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel GPU memory management bug in drm/msm causes a kernel warning (splat) when freeing imported DMA-bufs due to incorrect reservation object check.
In the Linux kernel's MSM DRM driver (drm/msm), the msm_gem_free_object function contains a bug in how it handles the 'no-share' (NO_SHARE) case for imported DMA-buf objects. Imported DMA-bufs set obj->resv to a different pointer than the embedded &obj->_resv, but the driver's free path only checked the flags without verifying this condition, leading to incorrect handling. This mismatch triggers a kernel warning with a splat during object destruction, as seen in the reported crash log with IRIS video playback[1].
The vulnerability can be triggered by a local user importing a DMA-buf (e.g., via DRM ioctls) and then closing the GEM handle, which calls the flawed free path. No special privileges are needed beyond access to the DRM device; the attack surface is local, requiring the ability to perform DRM operations. The precise scenario involves video playback using IRIS or similar buffer-sharing workflows[1].
The impact is a kernel WARN_ON splat that exposes kernel addresses and metadata in the dmesg log, which could aid local attackers in exploiting other vulnerabilities. While the warning itself does not grant code execution, it corrupts state and could lead to system instability or denial-of-service if the object is freed incorrectly. In some configurations, this might be leveraged for more serious exploitation, though the primary documented consequence is the warning and potential use-after-free-like conditions.
The fix, committed to the Linux kernel stable branch, adds a check for obj->resv != &obj->_resv in addition to the flag check, ensuring imported buffers are correctly handled during free[1]. Users should apply the patch if their kernel is affected, or update to a version that includes commit c34e08ba6c0037a72a7433741225b020c989e4ae. No workaround is available; the vulnerability is fixed in the kernel source.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
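The free-path condition that the commit message and the narrative above describe can be modelled outside the kernel. The following is an added example, not the driver's code and not part of this CVE record: a user-space model in which a GEM object either uses its embedded reservation object, borrows a shared one as a _NO_SHARE object, or uses an exporter's as an imported dma-buf. The struct, enum and helper names are simplified stand-ins, the BO_NO_SHARE macro stands in for the driver's _NO_SHARE flag, and treating "pointer mismatch only" as the pre-fix test is an assumption drawn from the commit message's wording that imported dma-bufs "also" satisfy obj->resv != &obj->_resv; only obj->resv and obj->_resv come from the page.

```c
/* Added example (not drm/msm code): a user-space model of the free-path
 * decision described in the commit message. Names are stand-ins; the
 * "before" predicate is an assumption, not the driver's actual pre-fix code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct dma_resv { int lock_count; };   /* stand-in for the kernel's reservation object */

#define BO_NO_SHARE (1u << 0)          /* stand-in for the driver's _NO_SHARE flag */

struct gem_object {
    unsigned int flags;
    struct dma_resv *resv;   /* reservation object in effect for this object */
    struct dma_resv _resv;   /* the one embedded in the object itself */
};

enum bo_kind {
    BO_LOCAL,        /* ordinary object: uses its embedded _resv */
    BO_NO_SHARE_VM,  /* _NO_SHARE object: borrows a shared (VM) resv */
    BO_IMPORTED      /* imported dma-buf: uses the exporter's resv, flag not set */
};

static void bo_init(struct gem_object *bo, enum bo_kind kind, struct dma_resv *external)
{
    bo->flags = 0;
    bo->resv = &bo->_resv;
    if (kind == BO_NO_SHARE_VM) {
        bo->flags |= BO_NO_SHARE;
        bo->resv = external;
    } else if (kind == BO_IMPORTED) {
        bo->resv = external;       /* mismatch, but no _NO_SHARE flag */
    }
}

/* Assumed pre-fix test: only the resv mismatch is consulted. Imported
 * dma-bufs satisfy it too, so they wrongly take the _NO_SHARE path. */
static bool no_share_path_before(const struct gem_object *bo)
{
    return bo->resv != &bo->_resv;
}

/* Fixed test, as the commit message states it: the flag and the resv
 * mismatch are both required. */
static bool no_share_path_after(const struct gem_object *bo)
{
    return (bo->flags & BO_NO_SHARE) && bo->resv != &bo->_resv;
}

/* Compares the two predicates over the three object kinds and returns how
 * many kinds the pre-fix test gets wrong (the fixed test is the reference). */
static int count_misclassified_before(void)
{
    struct dma_resv vm_resv = {0}, exporter_resv = {0};   /* constructed sample resvs */
    struct gem_object local, no_share, imported;
    int bad = 0;

    bo_init(&local, BO_LOCAL, NULL);
    bo_init(&no_share, BO_NO_SHARE_VM, &vm_resv);
    bo_init(&imported, BO_IMPORTED, &exporter_resv);

    bad += no_share_path_before(&local)    != no_share_path_after(&local);
    bad += no_share_path_before(&no_share) != no_share_path_after(&no_share);
    bad += no_share_path_before(&imported) != no_share_path_after(&imported);
    return bad;   /* only the imported dma-buf differs: 1 */
}

int main(void)
{
    printf("object kinds misclassified by the pre-fix check: %d\n",
           count_misclassified_before());
    return 0;
}
```

The point the model makes is the one in the commit message: a mismatched resv pointer alone does not identify a _NO_SHARE object, because an imported dma-buf carries the exporter's resv for a different reason, so any teardown logic keyed on that mismatch must also consult the flag.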
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (No linked articles in our index yet.)