VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2025-71307

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Fix NULL pointer dereference on panthor_fw_unplug

This patch removes the MCU halt and wait for halt procedures during panthor_fw_unplug() as the MCU can be in a variety of states or the FW may not even be loaded/initialized at all, the latter of which can lead to a NULL pointer dereference.

It should be safe on unplug to just disable the MCU without waiting for it to halt as it may not be able to.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's Panthor GPU driver during device unplug, when the firmware was never loaded; fixed by removing the MCU halt and wait-for-halt steps from panthor_fw_unplug().

Vulnerability

A NULL pointer dereference vulnerability exists in the Linux kernel's drm/panthor driver, specifically in the panthor_fw_unplug() function. When the MCU (Microcontroller Unit) halt and wait-for-halt procedures are executed during firmware unplug, the MCU can be in a variety of states, and the firmware may not even be loaded or initialized at all. If the firmware is not loaded, a NULL pointer dereference occurs [1].

Exploitation

An attacker would need to trigger a scenario where the MCU firmware is not loaded or initialized, and then cause the panthor_fw_unplug() function to be called. This could be achieved through a sequence involving device removal or driver unbinding on a system using the affected Panthor GPU driver [1].

Impact

Successful exploitation leads to a NULL pointer dereference, which can crash the system or cause a kernel panic (denial of service). No code execution or privilege escalation is indicated in the available references [1].

Mitigation

This vulnerability is fixed in the Linux kernel by commit 920c6af98e98e6afedf6318a75bac95af8415c6c, which removes the MCU halt and wait-for-halt procedures during panthor_fw_unplug(). Users should apply the patch or update their kernel to a version containing this fix [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

aab8b8a42e20

drm/panthor: Fix NULL pointer dereference on panthor_fw_unplug

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Karunika Choo · Dec 15, 2025 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +0 5
  • drivers/gpu/drm/panthor/panthor_fw.c · +0 5 · modified
    diff --git a/drivers/gpu/drm/panthor/panthor_fw.c b/drivers/gpu/drm/panthor/panthor_fw.c
    index 94a3cd6dfa6dec..9533b1a31820e6 100644
    --- a/drivers/gpu/drm/panthor/panthor_fw.c
    +++ b/drivers/gpu/drm/panthor/panthor_fw.c
    @@ -1260,10 +1260,6 @@ void panthor_fw_unplug(struct panthor_device *ptdev)
     		if (ptdev->fw->irq.irq)
     			panthor_job_irq_suspend(&ptdev->fw->irq);
     
    -		panthor_fw_halt_mcu(ptdev);
    -		if (!panthor_fw_wait_mcu_halted(ptdev))
    -			drm_warn(&ptdev->base, "Failed to halt MCU on unplug");
    -
     		panthor_fw_stop(ptdev);
     	}
     
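
Review bot: The removal just before `panthor_fw_stop(ptdev);` leaves no comment explaining why the unplug path no longer halts the MCU, so a later cleanup could reasonably add the halt back. Suggest a short comment above `panthor_fw_stop(ptdev);` stating that the MCU is only disabled here, without waiting for a halt, because the firmware may not be loaded and the MCU may be unable to halt.
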
920c6af98e98

drm/panthor: Fix NULL pointer dereference on panthor_fw_unplug

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Karunika Choo · Dec 15, 2025 · Fixed in 7.0 · via kernel-cna
1 file changed · +0 5
  • drivers/gpu/drm/panthor/panthor_fw.c · +0 5 · modified
    diff --git a/drivers/gpu/drm/panthor/panthor_fw.c b/drivers/gpu/drm/panthor/panthor_fw.c
    index 4beaa589ba66cd..a64ec8756bed23 100644
    --- a/drivers/gpu/drm/panthor/panthor_fw.c
    +++ b/drivers/gpu/drm/panthor/panthor_fw.c
    @@ -1261,10 +1261,6 @@ void panthor_fw_unplug(struct panthor_device *ptdev)
     		if (ptdev->fw->irq.irq)
     			panthor_job_irq_suspend(&ptdev->fw->irq);
     
    -		panthor_fw_halt_mcu(ptdev);
    -		if (!panthor_fw_wait_mcu_halted(ptdev))
    -			drm_warn(&ptdev->base, "Failed to halt MCU on unplug");
    -
     		panthor_fw_stop(ptdev);
     	}
     
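
Review bot: The context line `if (ptdev->fw->irq.irq)` and the remaining `panthor_fw_stop(ptdev);` still run in this block, yet the change description does not say which pointer was NULL in the removed calls. Please name the dereference that faulted and confirm that the enclosing condition, which is outside this hunk, keeps these two remaining statements safe when the firmware was never loaded; if it does not, they need a guard as well.
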

Vulnerability mechanics

Root cause

"Missing NULL/state check before halting the MCU firmware during unplug allows a NULL pointer dereference when firmware was never loaded."

Attack vector

An attacker who can trigger a device unplug (e.g., via hot-unplug or driver unbind) on a Panthor GPU where the firmware has not been loaded or initialized will cause `panthor_fw_unplug()` to attempt halting the MCU. Because the firmware structures may be NULL or in an uninitialized state, the halt and wait-for-halt operations dereference a NULL pointer, leading to a kernel crash. No special network path or payload is required — the precondition is simply that the firmware was never loaded before the unplug event.

Affected code

The vulnerability is in `drivers/gpu/drm/panthor/panthor_fw.c` in the `panthor_fw_unplug()` function. The fault lies in the calls to `panthor_fw_halt_mcu()` and `panthor_fw_wait_mcu_halted()` which were unconditionally invoked during the unplug path [patch_id=2662185].

What the fix does

The patch removes the calls to `panthor_fw_halt_mcu(ptdev)` and `panthor_fw_wait_mcu_halted(ptdev)`, along with the warning logged when the halt failed, from `panthor_fw_unplug()` [patch_id=2662185]. These calls assumed the MCU firmware was always loaded and initialized, which is not true during an early unplug. By simply disabling the MCU via the existing `panthor_fw_stop()` call without waiting for a halt, the NULL pointer dereference is avoided and the unplug path becomes safe regardless of the MCU state.
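
A quick way to check whether a given copy of `drivers/gpu/drm/panthor/panthor_fw.c` still carries the removed calls, as an added example that is not part of the advisory or the kernel tree. The helper names (`unplug_halt_calls`, `panthor_unplug_status`, `write_sample`) are hypothetical, and the sample files are constructed from the hunk's visible lines wrapped in a minimal function body.

```shell
#!/bin/sh
# Added example: not part of the advisory or the kernel tree.

# Print how many panthor_fw_halt_mcu()/panthor_fw_wait_mcu_halted() calls sit
# inside the body of panthor_fw_unplug() in file $1, or -1 if the function
# definition is not found.
unplug_halt_calls() {
    awk '
        # Definition line only; a prototype (which contains ";") is skipped.
        /^void panthor_fw_unplug\(/ && !/;/ { in_fn = 1; seen = 1 }
        in_fn && /panthor_fw_(halt_mcu|wait_mcu_halted)\(/ { hits++ }
        # Kernel coding style closes a function with "}" in column 0.
        in_fn && /^}/ { exit }
        END { print (seen ? hits + 0 : -1) }
    ' "$1"
}

# Map the count to a status word for one source file.
panthor_unplug_status() {
    case "$(unplug_halt_calls "$1")" in
        -1) echo "function-not-found" ;;
        0)  echo "patched" ;;
        *)  echo "unpatched" ;;
    esac
}

# Constructed sample written to $2. $1 = "pre" keeps the lines the patch
# removes; any other value omits them.
write_sample() {
    {
        printf 'void panthor_fw_unplug(struct panthor_device *ptdev)\n{\n'
        printf '\tif (ptdev->fw->irq.irq)\n'
        printf '\t\tpanthor_job_irq_suspend(&ptdev->fw->irq);\n\n'
        if [ "$1" = pre ]; then
            printf '\tpanthor_fw_halt_mcu(ptdev);\n'
            printf '\tif (!panthor_fw_wait_mcu_halted(ptdev))\n'
            printf '\t\tdrm_warn(&ptdev->base, "Failed to halt MCU on unplug");\n\n'
        fi
        printf '\tpanthor_fw_stop(ptdev);\n}\n'
    } > "$2"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_sample pre  "$tmp/pre.c"
write_sample post "$tmp/post.c"
echo "pre-fix:  $(panthor_unplug_status "$tmp/pre.c")"
echo "post-fix: $(panthor_unplug_status "$tmp/post.c")"
rm -rf "$tmp"
```

This is a text scan, so a tree that guards the halt calls instead of removing them would still be reported as unpatched; treat the result as a prompt to read the function, not as proof.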

Preconditions

  • config: The Panthor GPU device must be unplugged (hot-unplug or driver unbind) before the firmware has been loaded/initialized.
  • input: The attacker must have the ability to trigger a device removal or driver unbind on the affected system.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
