CVE-2025-40073 (GCVE-0-2025-40073)

Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2026-05-11 21:41
VLAI
Title
drm/msm: Do not validate SSPP when it is not ready
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Do not validate SSPP when it is not ready Current code will validate current plane and previous plane to confirm they can share a SSPP with multi-rect mode. The SSPP is already allocated for previous plane, while current plane is not associated with any SSPP yet. Null pointer is referenced when validating the SSPP of current plane. Skip SSPP validation for current plane. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000888ac3000 [0000000000000020] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: CPU: 4 UID: 0 PID: 1891 Comm: modetest Tainted: G S 6.15.0-rc2-g3ee3f6e1202e #335 PREEMPT Tainted: [S]=CPU_OUT_OF_SPEC Hardware name: SM8650 EV1 rev1 4slam 2et (DT) pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : dpu_plane_is_multirect_capable+0x68/0x90 lr : dpu_assign_plane_resources+0x288/0x410 sp : ffff800093dcb770 x29: ffff800093dcb770 x28: 0000000000002000 x27: ffff000817c6c000 x26: ffff000806b46368 x25: ffff0008013f6080 x24: ffff00080cbf4800 x23: ffff000810842680 x22: ffff0008013f1080 x21: ffff00080cc86080 x20: ffff000806b463b0 x19: ffff00080cbf5a00 x18: 00000000ffffffff x17: 707a5f657a696c61 x16: 0000000000000003 x15: 0000000000002200 x14: 00000000ffffffff x13: 00aaaaaa00aaaaaa x12: 0000000000000000 x11: ffff000817c6e2b8 x10: 0000000000000000 x9 : ffff80008106a950 x8 : ffff00080cbf48f4 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000438 x3 : 0000000000000438 x2 : ffff800082e245e0 x1 : 0000000000000008 x0 : 0000000000000000 Call trace: dpu_plane_is_multirect_capable+0x68/0x90 (P) dpu_crtc_atomic_check+0x5bc/0x650 drm_atomic_helper_check_planes+0x13c/0x220 drm_atomic_helper_check+0x58/0xb8 msm_atomic_check+0xd8/0xf0 drm_atomic_check_only+0x4a8/0x968 drm_atomic_commit+0x50/0xd8 drm_atomic_helper_update_plane+0x140/0x188 __setplane_atomic+0xfc/0x148 drm_mode_setplane+0x164/0x378 drm_ioctl_kernel+0xc0/0x140 drm_ioctl+0x20c/0x500 __arm64_sys_ioctl+0xbc/0xf8 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0x48/0xf8 do_el0_svc+0x28/0x40 el0_svc+0x30/0xd0 el0t_64_sync_handler+0x144/0x168 el0t_64_sync+0x198/0x1a0 Code: b9402021 370fffc1 f9401441 3707ff81 (f94010a1) ---[ end trace 0000000000000000 ]--- Patchwork: https://patchwork.freedesktop.org/patch/669224/
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 3ed12a3664b362e3462cca61d41f9a9460c9e260 , < f1dbb3eedb7db4cad45d2619edb1cce6041f79e3 (git)
Affected: 3ed12a3664b362e3462cca61d41f9a9460c9e260 , < 6fc616723bb5fd4289d7422fa013da062b44ae55 (git)
Create a notification for this product.
Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1dbb3eedb7db4cad45d2619edb1cce6041f79e3",
              "status": "affected",
              "version": "3ed12a3664b362e3462cca61d41f9a9460c9e260",
              "versionType": "git"
            },
            {
              "lessThan": "6fc616723bb5fd4289d7422fa013da062b44ae55",
              "status": "affected",
              "version": "3ed12a3664b362e3462cca61d41f9a9460c9e260",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Do not validate SSPP when it is not ready\n\nCurrent code will validate current plane and previous plane to\nconfirm they can share a SSPP with multi-rect mode. The SSPP\nis already allocated for previous plane, while current plane\nis not associated with any SSPP yet. Null pointer is referenced\nwhen validating the SSPP of current plane. Skip SSPP validation\nfor current plane.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000888ac3000\n[0000000000000020] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1]  SMP\nModules linked in:\nCPU: 4 UID: 0 PID: 1891 Comm: modetest Tainted: G S                  6.15.0-rc2-g3ee3f6e1202e #335 PREEMPT\nTainted: [S]=CPU_OUT_OF_SPEC\nHardware name: SM8650 EV1 rev1 4slam 2et (DT)\npstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\npc : dpu_plane_is_multirect_capable+0x68/0x90\nlr : dpu_assign_plane_resources+0x288/0x410\nsp : ffff800093dcb770\nx29: ffff800093dcb770 x28: 0000000000002000 x27: ffff000817c6c000\nx26: ffff000806b46368 x25: ffff0008013f6080 x24: ffff00080cbf4800\nx23: ffff000810842680 x22: ffff0008013f1080 x21: ffff00080cc86080\nx20: ffff000806b463b0 x19: ffff00080cbf5a00 x18: 00000000ffffffff\nx17: 707a5f657a696c61 x16: 0000000000000003 x15: 0000000000002200\nx14: 00000000ffffffff x13: 00aaaaaa00aaaaaa x12: 0000000000000000\nx11: ffff000817c6e2b8 x10: 0000000000000000 x9 : ffff80008106a950\nx8 : ffff00080cbf48f4 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : 0000000000000000 x4 : 0000000000000438 x3 : 0000000000000438\nx2 : ffff800082e245e0 x1 : 0000000000000008 x0 : 0000000000000000\nCall trace:\n dpu_plane_is_multirect_capable+0x68/0x90 (P)\n dpu_crtc_atomic_check+0x5bc/0x650\n drm_atomic_helper_check_planes+0x13c/0x220\n drm_atomic_helper_check+0x58/0xb8\n msm_atomic_check+0xd8/0xf0\n drm_atomic_check_only+0x4a8/0x968\n drm_atomic_commit+0x50/0xd8\n drm_atomic_helper_update_plane+0x140/0x188\n __setplane_atomic+0xfc/0x148\n drm_mode_setplane+0x164/0x378\n drm_ioctl_kernel+0xc0/0x140\n drm_ioctl+0x20c/0x500\n __arm64_sys_ioctl+0xbc/0xf8\n invoke_syscall+0x50/0x120\n el0_svc_common.constprop.0+0x48/0xf8\n do_el0_svc+0x28/0x40\n el0_svc+0x30/0xd0\n el0t_64_sync_handler+0x144/0x168\n el0t_64_sync+0x198/0x1a0\nCode: b9402021 370fffc1 f9401441 3707ff81 (f94010a1)\n---[ end trace 0000000000000000 ]---\n\nPatchwork: https://patchwork.freedesktop.org/patch/669224/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:41:57.606Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1dbb3eedb7db4cad45d2619edb1cce6041f79e3"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fc616723bb5fd4289d7422fa013da062b44ae55"
        }
      ],
      "title": "drm/msm: Do not validate SSPP when it is not ready",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40073",
    "datePublished": "2025-10-28T11:48:40.588Z",
    "dateReserved": "2025-04-16T07:20:57.160Z",
    "dateUpdated": "2026-05-11T21:41:57.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-40073",
      "date": "2026-06-22",
      "epss": "0.00154",
      "percentile": "0.0485"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40073\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-28T12:15:41.830\",\"lastModified\":\"2025-10-30T15:05:32.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm: Do not validate SSPP when it is not ready\\n\\nCurrent code will validate current plane and previous plane to\\nconfirm they can share a SSPP with multi-rect mode. The SSPP\\nis already allocated for previous plane, while current plane\\nis not associated with any SSPP yet. Null pointer is referenced\\nwhen validating the SSPP of current plane. Skip SSPP validation\\nfor current plane.\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000020\\nMem abort info:\\n  ESR = 0x0000000096000004\\n  EC = 0x25: DABT (current EL), IL = 32 bits\\n  SET = 0, FnV = 0\\n  EA = 0, S1PTW = 0\\n  FSC = 0x04: level 0 translation fault\\nData abort info:\\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\\nuser pgtable: 4k pages, 48-bit VAs, pgdp=0000000888ac3000\\n[0000000000000020] pgd=0000000000000000, p4d=0000000000000000\\nInternal error: Oops: 0000000096000004 [#1]  SMP\\nModules linked in:\\nCPU: 4 UID: 0 PID: 1891 Comm: modetest Tainted: G S                  6.15.0-rc2-g3ee3f6e1202e #335 PREEMPT\\nTainted: [S]=CPU_OUT_OF_SPEC\\nHardware name: SM8650 EV1 rev1 4slam 2et (DT)\\npstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)\\npc : dpu_plane_is_multirect_capable+0x68/0x90\\nlr : dpu_assign_plane_resources+0x288/0x410\\nsp : ffff800093dcb770\\nx29: ffff800093dcb770 x28: 0000000000002000 x27: ffff000817c6c000\\nx26: ffff000806b46368 x25: ffff0008013f6080 x24: ffff00080cbf4800\\nx23: ffff000810842680 x22: ffff0008013f1080 x21: ffff00080cc86080\\nx20: ffff000806b463b0 x19: ffff00080cbf5a00 x18: 00000000ffffffff\\nx17: 707a5f657a696c61 x16: 0000000000000003 x15: 0000000000002200\\nx14: 00000000ffffffff x13: 00aaaaaa00aaaaaa x12: 0000000000000000\\nx11: ffff000817c6e2b8 x10: 0000000000000000 x9 : ffff80008106a950\\nx8 : ffff00080cbf48f4 x7 : 0000000000000000 x6 : 0000000000000000\\nx5 : 0000000000000000 x4 : 0000000000000438 x3 : 0000000000000438\\nx2 : ffff800082e245e0 x1 : 0000000000000008 x0 : 0000000000000000\\nCall trace:\\n dpu_plane_is_multirect_capable+0x68/0x90 (P)\\n dpu_crtc_atomic_check+0x5bc/0x650\\n drm_atomic_helper_check_planes+0x13c/0x220\\n drm_atomic_helper_check+0x58/0xb8\\n msm_atomic_check+0xd8/0xf0\\n drm_atomic_check_only+0x4a8/0x968\\n drm_atomic_commit+0x50/0xd8\\n drm_atomic_helper_update_plane+0x140/0x188\\n __setplane_atomic+0xfc/0x148\\n drm_mode_setplane+0x164/0x378\\n drm_ioctl_kernel+0xc0/0x140\\n drm_ioctl+0x20c/0x500\\n __arm64_sys_ioctl+0xbc/0xf8\\n invoke_syscall+0x50/0x120\\n el0_svc_common.constprop.0+0x48/0xf8\\n do_el0_svc+0x28/0x40\\n el0_svc+0x30/0xd0\\n el0t_64_sync_handler+0x144/0x168\\n el0t_64_sync+0x198/0x1a0\\nCode: b9402021 370fffc1 f9401441 3707ff81 (f94010a1)\\n---[ end trace 0000000000000000 ]---\\n\\nPatchwork: https://patchwork.freedesktop.org/patch/669224/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6fc616723bb5fd4289d7422fa013da062b44ae55\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f1dbb3eedb7db4cad45d2619edb1cce6041f79e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.