CVE-2025-38603 - AMDGPU Slab-Use-After-Free Vulnerability
CVE ID : CVE-2025-38603
Published : Aug. 19, 2025, 5:15 p.m. | 52 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c The issue was reproduced on NV10 using IGT pci_unplug test. It is expected that `amdgpu_driver_postclose_kms()` is called prior to `amdgpu_drm_release()`. However, the bug is that `amdgpu_fpriv` was freed in `amdgpu_driver_postclose_kms()`, and then later accessed in `amdgpu_drm_release()` via a call to `amdgpu_userq_mgr_fini()`. As a result, KASAN detected a use-after-free condition, as shown in the log below. The proposed fix is to move the calls to `amdgpu_eviction_fence_destroy()` and `amdgpu_userq_mgr_fini()` into `amdgpu_driver_postclose_kms()`, so they are invoked before `amdgpu_fpriv` is freed. This also ensures symmetry with the initialization path in `amdgpu_driver_open_kms()`, where the following components are initialized: - `amdgpu_userq_mgr_init()` - `amdgpu_eviction_fence_init()` - `amdgpu_ctx_mgr_init()` Correspondingly, in `amdgpu_driver_postclose_kms()` we should clean up using: - `amdgpu_userq_mgr_fini()` - `amdgpu_eviction_fence_destroy()` - `amdgpu_ctx_mgr_fini()` This change eliminates the use-after-free and improves consistency in resource management between open and close paths. [ +0.094367] ================================================================== [ +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737 [ +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2 [ +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000004] Call Trace: [ +0.000004]
[ +0.000003] dump_stack_lvl+0x76/0xa0
[ +0.000010] print_report+0xce/0x600
[ +0.000009] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[ +0.000790] ? srso_return_thunk+0x5/0x5f
[ +0.000007] ? kasan_complete_mode_report_info+0x76/0x200
[ +0.000008] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[ +0.000684] kasan_report+0xbe/0x110
[ +0.000007] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[ +0.000601] __asan_report_store8_noabort+0x17/0x30
[ +0.000007] amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]
[ +0.000801] ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu]
[ +0.000819] ? srso_return_thunk+0x5/0x5f
[ +0.000008] amdgpu_drm_release+0xa3/0xe0 [amdgpu]
[ +0.000604] __fput+0x354/0xa90
[ +0.000010] __fput_sync+0x59/0x80
[ +0.000005] __x64_sys_close+0x7d/0xe0
[ +0.000006] x64_sys_call+0x2505/0x26f0
[ +0.000006] do_syscall_64+0x7c/0x170
[ +0.000004] ? kasan_record_aux_stack+0xae/0xd0
[ +0.000005] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? kmem_cache_free+0x398/0x580
[ +0.000006] ? __fput+0x543/0xa90
[ +0.000006] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? __fput+0x543/0xa90
[ +0.000004] ? __kasan_check_read+0x11/0x20
[ +0.000007] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? __kasan_check_read+0x11/0x20
[ +0.000003] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0
[ +0.000006] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240
[ +0.000005] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? do_syscall_64+0x88/0x170
[ +0.000003] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? do_syscall_64+0x88/0x170
[ +0.000004] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? irqentry_exit+0x43/0x50
[ +0.000004] ? srso_return_thunk+0x5/0x5f
[ +0.000004] ? exc_page_fault+0x7c/0x110
[ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ +0.000005] RIP: 0033:0x7ffff7b14f67
[ +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff
[ +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ +0.000006] RAX: ffffffffff
---truncated---
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : Aug. 19, 2025, 5:15 p.m. | 52 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c The issue was reproduced on NV10 using IGT pci_unplug test. It is expected that `amdgpu_driver_postclose_kms()` is called prior to `amdgpu_drm_release()`. However, the bug is that `amdgpu_fpriv` was freed in `amdgpu_driver_postclose_kms()`, and then later accessed in `amdgpu_drm_release()` via a call to `amdgpu_userq_mgr_fini()`. As a result, KASAN detected a use-after-free condition, as shown in the log below. The proposed fix is to move the calls to `amdgpu_eviction_fence_destroy()` and `amdgpu_userq_mgr_fini()` into `amdgpu_driver_postclose_kms()`, so they are invoked before `amdgpu_fpriv` is freed. This also ensures symmetry with the initialization path in `amdgpu_driver_open_kms()`, where the following components are initialized: - `amdgpu_userq_mgr_init()` - `amdgpu_eviction_fence_init()` - `amdgpu_ctx_mgr_init()` Correspondingly, in `amdgpu_driver_postclose_kms()` we should clean up using: - `amdgpu_userq_mgr_fini()` - `amdgpu_eviction_fence_destroy()` - `amdgpu_ctx_mgr_fini()` This change eliminates the use-after-free and improves consistency in resource management between open and close paths. [ +0.094367] ================================================================== [ +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737 [ +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2 [ +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000004] Call Trace: [ +0.000004]
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...