CVE-2025-38596

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code

The object is potentially already gone after the drm_gem_object_put(). In general the object should be fully constructed before calling drm_gem_handle_create(), except the debugfs tracking uses a separate lock and list and separate flag to denotate whether the object is actually initialized.

Since I'm touching this all anyway simplify this by only adding the object to the debugfs when it's ready for that, which allows us to delete that separate flag. panthor_gem_debugfs_bo_rm() already checks whether we've actually been added to the list or this is some error path cleanup.

v2: Fix build issues for !CONFIG_DEBUGFS (Adrián)

v3: Add linebreak and remove outdated comment (Liviu)

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa3707f53eb3f4f3e7a30d720be0885f813d649bb < 5f2be12442db6a2904e6e31b0e3b5ad5aebf868baffected
LinuxLinuxa3707f53eb3f4f3e7a30d720be0885f813d649bb < fe69a391808404977b1f002a6e7447de3de7a88eaffected
LinuxLinux6.16affected
LinuxLinux0 < 6.16unaffected
LinuxLinux6.16.1 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

References