{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38603", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.028Z", "datePublished": "2025-08-19T17:03:42.409Z", "dateUpdated": "2025-08-19T17:03:42.409Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-19T17:03:42.409Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c\n\nThe issue was reproduced on NV10 using IGT pci_unplug test.\nIt is expected that `amdgpu_driver_postclose_kms()` is called prior to `amdgpu_drm_release()`.\nHowever, the bug is that `amdgpu_fpriv` was freed in `amdgpu_driver_postclose_kms()`, and then\nlater accessed in `amdgpu_drm_release()` via a call to `amdgpu_userq_mgr_fini()`.\nAs a result, KASAN detected a use-after-free condition, as shown in the log below.\nThe proposed fix is to move the calls to `amdgpu_eviction_fence_destroy()` and\n`amdgpu_userq_mgr_fini()` into `amdgpu_driver_postclose_kms()`, so they are invoked before\n`amdgpu_fpriv` is freed.\n\nThis also ensures symmetry with the initialization path in `amdgpu_driver_open_kms()`,\nwhere the following components are initialized:\n- `amdgpu_userq_mgr_init()`\n- `amdgpu_eviction_fence_init()`\n- `amdgpu_ctx_mgr_init()`\n\nCorrespondingly, in `amdgpu_driver_postclose_kms()` we should clean up using:\n- `amdgpu_userq_mgr_fini()`\n- `amdgpu_eviction_fence_destroy()`\n- `amdgpu_ctx_mgr_fini()`\n\nThis change eliminates the use-after-free and improves consistency in resource management between open and close paths.\n\n[ +0.094367] ==================================================================\n[ +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737\n[ +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2\n[ +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000004] Call Trace:\n[ +0.000004] <TASK>\n[ +0.000003] dump_stack_lvl+0x76/0xa0\n[ +0.000010] print_report+0xce/0x600\n[ +0.000009] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000790] ? srso_return_thunk+0x5/0x5f\n[ +0.000007] ? kasan_complete_mode_report_info+0x76/0x200\n[ +0.000008] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000684] kasan_report+0xbe/0x110\n[ +0.000007] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000601] __asan_report_store8_noabort+0x17/0x30\n[ +0.000007] amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000801] ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu]\n[ +0.000819] ? srso_return_thunk+0x5/0x5f\n[ +0.000008] amdgpu_drm_release+0xa3/0xe0 [amdgpu]\n[ +0.000604] __fput+0x354/0xa90\n[ +0.000010] __fput_sync+0x59/0x80\n[ +0.000005] __x64_sys_close+0x7d/0xe0\n[ +0.000006] x64_sys_call+0x2505/0x26f0\n[ +0.000006] do_syscall_64+0x7c/0x170\n[ +0.000004] ? kasan_record_aux_stack+0xae/0xd0\n[ +0.000005] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? kmem_cache_free+0x398/0x580\n[ +0.000006] ? __fput+0x543/0xa90\n[ +0.000006] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? __fput+0x543/0xa90\n[ +0.000004] ? __kasan_check_read+0x11/0x20\n[ +0.000007] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? __kasan_check_read+0x11/0x20\n[ +0.000003] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0\n[ +0.000006] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240\n[ +0.000005] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? do_syscall_64+0x88/0x170\n[ +0.000003] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? do_syscall_64+0x88/0x170\n[ +0.000004] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? irqentry_exit+0x43/0x50\n[ +0.000004] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? exc_page_fault+0x7c/0x110\n[ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ +0.000005] RIP: 0033:0x7ffff7b14f67\n[ +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff\n[ +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003\n[ +0.000006] RAX: ffffffffff\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c", "drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"], "versions": [{"version": "adba0929736a6a2d2780e8e6e4082e42e5ba025c", "lessThan": "f2997cef6d4056cb1b62190f1cf06e8dd19e228f", "status": "affected", "versionType": "git"}, {"version": "adba0929736a6a2d2780e8e6e4082e42e5ba025c", "lessThan": "5fb90421fa0fbe0a968274912101fe917bf1c47b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c", "drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.1", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.16.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.17-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f2997cef6d4056cb1b62190f1cf06e8dd19e228f"}, {"url": "https://git.kernel.org/stable/c/5fb90421fa0fbe0a968274912101fe917bf1c47b"}], "title": "drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c\n\nThe issue was reproduced on NV10 using IGT pci_unplug test.\nIt is expected that `amdgpu_driver_postclose_kms()` is called prior to `amdgpu_drm_release()`.\nHowever, the bug is that `amdgpu_fpriv` was freed in `amdgpu_driver_postclose_kms()`, and then\nlater accessed in `amdgpu_drm_release()` via a call to `amdgpu_userq_mgr_fini()`.\nAs a result, KASAN detected a use-after-free condition, as shown in the log below.\nThe proposed fix is to move the calls to `amdgpu_eviction_fence_destroy()` and\n`amdgpu_userq_mgr_fini()` into `amdgpu_driver_postclose_kms()`, so they are invoked before\n`amdgpu_fpriv` is freed.\n\nThis also ensures symmetry with the initialization path in `amdgpu_driver_open_kms()`,\nwhere the following components are initialized:\n- `amdgpu_userq_mgr_init()`\n- `amdgpu_eviction_fence_init()`\n- `amdgpu_ctx_mgr_init()`\n\nCorrespondingly, in `amdgpu_driver_postclose_kms()` we should clean up using:\n- `amdgpu_userq_mgr_fini()`\n- `amdgpu_eviction_fence_destroy()`\n- `amdgpu_ctx_mgr_fini()`\n\nThis change eliminates the use-after-free and improves consistency in resource management between open and close paths.\n\n[ +0.094367] ==================================================================\n[ +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737\n[ +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2\n[ +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000004] Call Trace:\n[ +0.000004] <TASK>\n[ +0.000003] dump_stack_lvl+0x76/0xa0\n[ +0.000010] print_report+0xce/0x600\n[ +0.000009] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000790] ? srso_return_thunk+0x5/0x5f\n[ +0.000007] ? kasan_complete_mode_report_info+0x76/0x200\n[ +0.000008] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000684] kasan_report+0xbe/0x110\n[ +0.000007] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000601] __asan_report_store8_noabort+0x17/0x30\n[ +0.000007] amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu]\n[ +0.000801] ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu]\n[ +0.000819] ? srso_return_thunk+0x5/0x5f\n[ +0.000008] amdgpu_drm_release+0xa3/0xe0 [amdgpu]\n[ +0.000604] __fput+0x354/0xa90\n[ +0.000010] __fput_sync+0x59/0x80\n[ +0.000005] __x64_sys_close+0x7d/0xe0\n[ +0.000006] x64_sys_call+0x2505/0x26f0\n[ +0.000006] do_syscall_64+0x7c/0x170\n[ +0.000004] ? kasan_record_aux_stack+0xae/0xd0\n[ +0.000005] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? kmem_cache_free+0x398/0x580\n[ +0.000006] ? __fput+0x543/0xa90\n[ +0.000006] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? __fput+0x543/0xa90\n[ +0.000004] ? __kasan_check_read+0x11/0x20\n[ +0.000007] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? __kasan_check_read+0x11/0x20\n[ +0.000003] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0\n[ +0.000006] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240\n[ +0.000005] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? do_syscall_64+0x88/0x170\n[ +0.000003] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? do_syscall_64+0x88/0x170\n[ +0.000004] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? irqentry_exit+0x43/0x50\n[ +0.000004] ? srso_return_thunk+0x5/0x5f\n[ +0.000004] ? exc_page_fault+0x7c/0x110\n[ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ +0.000005] RIP: 0033:0x7ffff7b14f67\n[ +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff\n[ +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003\n[ +0.000006] RAX: ffffffffff\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: correcci\u00f3n de slab-use-after-free en amdgpu_userq_mgr_fini+0x70c. El problema se reprodujo en NV10 mediante la prueba pci_unplug de IGT. Se espera que `amdgpu_driver_postclose_kms()` se llame antes que `amdgpu_drm_release()`. Sin embargo, el error radica en que `amdgpu_fpriv` se liber\u00f3 en `amdgpu_driver_postclose_kms()` y luego se accedi\u00f3 a \u00e9l en `amdgpu_drm_release()` mediante una llamada a `amdgpu_userq_mgr_fini()`. Como resultado, KASAN detect\u00f3 una condici\u00f3n de use-after-free, como se muestra en el registro a continuaci\u00f3n. La soluci\u00f3n propuesta es mover las llamadas a `amdgpu_eviction_fence_destroy()` y `amdgpu_userq_mgr_fini()` a `amdgpu_driver_postclose_kms()`, de modo que se invoquen antes de que se libere `amdgpu_fpriv`. Esto tambi\u00e9n garantiza la simetr\u00eda con la ruta de inicializaci\u00f3n en `amdgpu_driver_open_kms()`, donde se inicializan los siguientes componentes: - `amdgpu_userq_mgr_init()` - `amdgpu_eviction_fence_init()` - `amdgpu_ctx_mgr_init()` En consecuencia, en `amdgpu_driver_postclose_kms()` debemos limpiar usando: - `amdgpu_userq_mgr_fini()` - `amdgpu_eviction_fence_destroy()` - `amdgpu_ctx_mgr_fini()` Este cambio elimina el use-after-free y mejora la consistencia en la gesti\u00f3n de recursos entre las rutas de apertura y cierre. [ +0.094367] ====================================================================== [ +0.000026] ERROR: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737 [ +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2 [ +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000004] Call Trace: [ +0.000004] [ +0.000003] dump_stack_lvl+0x76/0xa0 [ +0.000010] print_report+0xce/0x600 [ +0.000009] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000790] ? srso_return_thunk+0x5/0x5f [ +0.000007] ? kasan_complete_mode_report_info+0x76/0x200 [ +0.000008] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000684] kasan_report+0xbe/0x110 [ +0.000007] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000601] __asan_report_store8_noabort+0x17/0x30 [ +0.000007] amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000801] ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu] [ +0.000819] ? srso_return_thunk+0x5/0x5f [ +0.000008] amdgpu_drm_release+0xa3/0xe0 [amdgpu] [ +0.000604] __fput+0x354/0xa90 [ +0.000010] __fput_sync+0x59/0x80 [ +0.000005] __x64_sys_close+0x7d/0xe0 [ +0.000006] x64_sys_call+0x2505/0x26f0 [ +0.000006] do_syscall_64+0x7c/0x170 [ +0.000004] ? kasan_record_aux_stack+0xae/0xd0 [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? kmem_cache_free+0x398/0x580 [ +0.000006] ? __fput+0x543/0xa90 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __fput+0x543/0xa90 [ +0.000004] ? __kasan_check_read+0x11/0x20 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __kasan_check_read+0x11/0x20 [ +0.000003] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240 [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? do_syscall_64+0x88/0x170 [ +0.000003] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? do_syscall_64+0x88/0x170 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? irqentry_exit+0x43/0x50 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? exc_page_fault+0x7c/0x110 [ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7ffff7b14f67 [ +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 &lt;48&gt; 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff [ +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ +0.000006] RAX: ffffffffff ---truncado---"}], "id": "CVE-2025-38603", "lastModified": "2025-08-20T14:40:17.713", "metrics": {}, "published": "2025-08-19T17:15:38.517", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5fb90421fa0fbe0a968274912101fe917bf1c47b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f2997cef6d4056cb1b62190f1cf06e8dd19e228f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c", "id": "2389483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389483"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-38603", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38603\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38603\nhttps://lore.kernel.org/linux-cve-announce/2025081921-CVE-2025-38603-6dc3@gregkh/T"], "threat_severity": "Moderate"}