CVE-2026-46278
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/imagination: Fix segfault when updating ftrace mask
Fix invalid data access by passing right data for debugfs entry.
```
[ 171.549793] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 171.559248] Mem abort info:
[ 171.562173] ESR = 0x0000000096000044
[ 171.566227] EC = 0x25: DABT (current EL), IL = 32 bits
[ 171.573108] SET = 0, FnV = 0
[ 171.576448] EA = 0, S1PTW = 0
[ 171.579745] FSC = 0x04: level 0 translation fault
[ 171.584760] Data abort info:
[ 171.588012] ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000
[ 171.593734] CM = 0, WnR = 1, TnD = 0, TagAccess = 0
[ 171.598962] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 171.604471] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000083837000
[ 171.611358] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 171.618500] Internal error: Oops: 0000000096000044 [#1] SMP
[ 171.624222] Modules linked in: powervr drm_shmem_helper drm_gpuvm...
[ 171.656580] CPU: 0 UID: 0 PID: 549 Comm: bash Not tainted 7.0.0-rc2-g730b257ba723-dirty #13 PREEMPT
[ 171.665773] Hardware name: BeagleBoard.org BeaglePlay (DT)
[ 171.671296] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 171.678306] pc : pvr_fw_trace_mask_set+0x78/0x154 [powervr]
[ 171.683959] lr : pvr_fw_trace_mask_set+0x4c/0x154 [powervr]
[ 171.689593] sp : ffff8000835ebb90
[ 171.692929] x29: ffff8000835ebc00 x28: ffff000005c60f80 x27: 0000000000000000
[ 171.700130] x26: 0000000000000000 x25: ffff00000504af28 x24: 0000000000000000
[ 171.707324] x23: ffff00000504af50 x22: 0000000000000203 x21: 0000000000000000
[ 171.714518] x20: ffff000005c44a80 x19: ffff000005c457b8 x18: 0000000000000000
[ 171.721715] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaae8887580
[ 171.728908] x14: 0000000000000000 x13: 0000000000000000 x12: ffff8000835ebc30
[ 171.736095] x11: ffff00000504af2a x10: ffff00008504af29 x9 : 0fffffffffffffff
[ 171.743286] x8 : ffff8000835ebbf8 x7 : 0000000000000000 x6 : 000000000000002a
[ 171.750479] x5 : ffff00000504af2e x4 : 0000000000000000 x3 : 0000000000000010
[ 171.757674] x2 : 0000000000000203 x1 : 0000000000000000 x0 : ffff8000835ebba0
[ 171.764871] Call trace:
[ 171.767342] pvr_fw_trace_mask_set+0x78/0x154 [powervr] (P)
[ 171.772984] simple_attr_write_xsigned.isra.0+0xe0/0x19c
[ 171.778341] simple_attr_write+0x18/0x24
[ 171.782296] debugfs_attr_write+0x50/0x98
[ 171.786341] full_proxy_write+0x6c/0xa8
[ 171.790208] vfs_write+0xd4/0x350
[ 171.793561] ksys_write+0x70/0x108
[ 171.796995] __arm64_sys_write+0x1c/0x28
[ 171.800952] invoke_syscall+0x48/0x10c
[ 171.804740] el0_svc_common.constprop.0+0x40/0xe0
[ 171.809487] do_el0_svc+0x1c/0x28
[ 171.812834] el0_svc+0x34/0x108
[ 171.816013] el0t_64_sync_handler+0xa0/0xe4
[ 171.820237] el0t_64_sync+0x198/0x19c
[ 171.823939] Code: 32000262 b90ac293 1a931056 9134e293 (b9000036)
[ 171.830073] ---[ end trace 0000000000000000 ]---
```
Affected products
Patches
5dfd429591f8 drm/imagination: Fix segfault when updating ftrace mask
1 file changed · +1 −2
drivers/gpu/drm/imagination/pvr_fw_trace.c+1 −2 modifieddiff --git a/drivers/gpu/drm/imagination/pvr_fw_trace.c b/drivers/gpu/drm/imagination/pvr_fw_trace.c index e154cb35f604d..6193811ef7beb 100644 --- a/drivers/gpu/drm/imagination/pvr_fw_trace.c +++ b/drivers/gpu/drm/imagination/pvr_fw_trace.c @@ -558,6 +558,6 @@ pvr_fw_trace_debugfs_init(struct pvr_device *pvr_dev, struct dentry *dir) &pvr_fw_trace_fops); } - debugfs_create_file("trace_mask", 0600, dir, fw_trace, + debugfs_create_file("trace_mask", 0600, dir, pvr_dev, &pvr_fw_trace_mask_fops); } -- cgit 1.3-korg
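Review bot: the data argument in `debugfs_create_file("trace_mask", 0600, dir, pvr_dev,` is an untyped pointer, so nothing at this call site records which object `&pvr_fw_trace_mask_fops` expects, and the same function also registers files with `&pvr_fw_trace_fops` in the context line just above. A one-line comment above the call naming the type the trace_mask callbacks read back would make it harder to reintroduce the mismatch the next time this function is edited.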
ba422758981b drm/imagination: Fix segfault when updating ftrace mask
1 file changed · +1 −2
drivers/gpu/drm/imagination/pvr_fw_trace.c+1 −2 modifieddiff --git a/drivers/gpu/drm/imagination/pvr_fw_trace.c b/drivers/gpu/drm/imagination/pvr_fw_trace.c index e154cb35f604d..6193811ef7beb 100644 --- a/drivers/gpu/drm/imagination/pvr_fw_trace.c +++ b/drivers/gpu/drm/imagination/pvr_fw_trace.c @@ -558,6 +558,6 @@ pvr_fw_trace_debugfs_init(struct pvr_device *pvr_dev, struct dentry *dir) &pvr_fw_trace_fops); } - debugfs_create_file("trace_mask", 0600, dir, fw_trace, + debugfs_create_file("trace_mask", 0600, dir, pvr_dev, &pvr_fw_trace_mask_fops); } -- cgit 1.3-korg
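Review bot: the stat for this entry reads +1 −2, but the hunk under `@@ -558,6 +558,6 @@` shows one removed and one added line, so a second removal is not visible here. Compare against the full commit before applying this by hand to a vendor tree, because whether `fw_trace` is still used elsewhere in `pvr_fw_trace_debugfs_init` cannot be judged from these lines.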
Vulnerability mechanics
Root cause
"An invalid data access occurred when updating the ftrace mask due to incorrect data being passed to a debugfs entry."
Attack vector
An attacker can trigger this vulnerability by writing to the debugfs entry for the ftrace mask (`trace_mask`). The write reaches the `pvr_fw_trace_mask_set` function, which performs an invalid data access inside the kernel. The result is a NULL pointer dereference, causing a segmentation fault and a kernel oops. The entry is created with mode `0600`, so only users with write permission on that file can reach the faulting path; the trace in the description was produced from a `bash` process running as `UID: 0`.
Affected code
The vulnerability resides in the `drivers/gpu/drm/imagination/pvr_fw_trace.c` file. Specifically, the `pvr_fw_trace_debugfs_init` function is responsible for creating the debugfs entry. The issue arises from the incorrect argument passed to `debugfs_create_file` for the "trace_mask" entry.
What the fix does
The patch corrects the invalid data access by ensuring the correct data is passed to the debugfs entry. Previously, the `debugfs_create_file` function was called with `fw_trace` as the data pointer. The fix changes this to `pvr_dev`, which is the correct pointer to the device structure. This ensures that the `pvr_fw_trace_mask_set` function receives valid data, preventing the NULL pointer dereference and subsequent segmentation fault [patch_id=5240038].
Preconditions
- config: The `powervr` kernel module must be loaded.
- input: The debugfs filesystem must be mounted and accessible.
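
One way to check these two preconditions on a host, as an added example that is not part of the advisory or the kernel source. The function names and the sample directory layout are constructed, and `trace_mask` is located by file name because the page does not give its path under debugfs.

```shell
#!/bin/sh
# Added example: reports whether the preconditions above hold, using
# /proc/modules- and /proc/mounts-format files. It only reads; it never
# writes to the debugfs entry.

# Succeeds if module $2 appears in the /proc/modules-format file $1.
module_loaded() {
    awk -v m="$2" '$1 == m { hit = 1 } END { exit !hit }' "$1"
}

# Prints the mount point of every debugfs entry in a /proc/mounts-format file.
debugfs_mounts() {
    awk '$3 == "debugfs" { print $2 }' "$1"
}

# Prints trace_mask files below debugfs root $1 (needs root on a live system).
# Assumption: matching by name only, since the page gives no full path.
trace_mask_files() {
    find "$1" -type f -name trace_mask 2>/dev/null
}

# assess MODULES_FILE MOUNTS_FILE
# Prints "not-exposed" (module absent), "module-only" (module loaded but no
# trace_mask reachable through debugfs) or one "exposed:<path>" per file.
assess() {
    module_loaded "$1" powervr || { echo "not-exposed"; return 0; }
    found=0
    for mnt in $(debugfs_mounts "$2"); do
        for f in $(trace_mask_files "$mnt"); do
            echo "exposed:$f"; found=1
        done
    done
    [ "$found" -eq 1 ] || echo "module-only"
}

# Constructed sample data so the script runs offline. On a real host, run:
#   assess /proc/modules /proc/mounts
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/debug/dri/0"            # constructed layout, not from the page
    : > "$d/debug/dri/0/trace_mask"
    printf 'powervr 98304 0 - Live 0x0000000000000000\n' > "$d/modules"
    printf 'debugfs %s debugfs rw,nosuid,nodev,noexec,relatime 0 0\n' "$d/debug" > "$d/mounts"
    assess "$d/modules" "$d/mounts" | sed "s|$d||"
    rm -rf "$d"
}
demo
```

A `module-only` result on an unpatched kernel means the faulting write path is not currently reachable, but it becomes reachable as soon as debugfs is mounted.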
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.