← Back
2025-10-28 11:48CVE-2025-40037Linux
PUBLISHED5.1

fbdev: simplefb: Fix use after free in simplefb_detach_genpds()

In the Linux kernel, the following vulnerability has been resolved:

fbdev: simplefb: Fix use after free in simplefb_detach_genpds()

The pm_domain cleanup can not be devres managed as it uses struct

simplefb_par which is allocated within struct fb_info by

framebuffer_alloc(). This allocation is explicitly freed by

unregister_framebuffer() in simplefb_remove().

Devres managed cleanup runs after the device remove call and thus can no

longer access struct simplefb_par.

Call simplefb_detach_genpds() explicitly from simplefb_destroy() like

the cleanup functions for clocks and regulators.

Fixes an use after free on M2 Mac mini during

aperture_remove_conflicting_devices() using the downstream asahi kernel

with Debian's kernel config. For unknown reasons this started to

consistently dereference an invalid pointer in v6.16.3 based kernels.

[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220

[ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227

[ 6.750697]

[ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY

[ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC

[ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)

[ 6.752189] Call trace:

[ 6.752190] show_stack+0x34/0x98 (C)

[ 6.752194] dump_stack_lvl+0x60/0x80

[ 6.752197] print_report+0x17c/0x4d8

[ 6.752201] kasan_report+0xb4/0x100

[ 6.752206] __asan_report_load4_noabort+0x20/0x30

[ 6.752209] simplefb_detach_genpds+0x58/0x220

[ 6.752213] devm_action_release+0x50/0x98

[ 6.752216] release_nodes+0xd0/0x2c8

[ 6.752219] devres_release_all+0xfc/0x178

[ 6.752221] device_unbind_cleanup+0x28/0x168

[ 6.752224] device_release_driver_internal+0x34c/0x470

[ 6.752228] device_release_driver+0x20/0x38

[ 6.752231] bus_remove_device+0x1b0/0x380

[ 6.752234] device_del+0x314/0x820

[ 6.752238] platform_device_del+0x3c/0x1e8

[ 6.752242] platform_device_unregister+0x20/0x50

[ 6.752246] aperture_detach_platform_device+0x1c/0x30

[ 6.752250] aperture_detach_devices+0x16c/0x290

[ 6.752253] aperture_remove_conflicting_devices+0x34/0x50

...

[ 6.752343]

[ 6.967409] Allocated by task 62:

[ 6.970724] kasan_save_stack+0x3c/0x70

[ 6.974560] kasan_save_track+0x20/0x40

[ 6.978397] kasan_save_alloc_info+0x40/0x58

[ 6.982670] __kasan_kmalloc+0xd4/0xd8

[ 6.986420] __kmalloc_noprof+0x194/0x540

[ 6.990432] framebuffer_alloc+0xc8/0x130

[ 6.994444] simplefb_probe+0x258/0x2378

...

[ 7.054356]

[ 7.055838] Freed by task 227:

[ 7.058891] kasan_save_stack+0x3c/0x70

[ 7.062727] kasan_save_track+0x20/0x40

[ 7.066565] kasan_save_free_info+0x4c/0x80

[ 7.070751] __kasan_slab_free+0x6c/0xa0

[ 7.074675] kfree+0x10c/0x380

[ 7.077727] framebuffer_release+0x5c/0x90

[ 7.081826] simplefb_destroy+0x1b4/0x2c0

[ 7.085837] put_fb_info+0x98/0x100

[ 7.089326] unregister_framebuffer+0x178/0x320

[ 7.093861] simplefb_remove+0x3c/0x60

[ 7.097611] platform_remove+0x60/0x98

[ 7.101361] device_remove+0xb8/0x160

[ 7.105024] device_release_driver_internal+0x2fc/0x470

[ 7.110256] device_release_driver+0x20/0x38

[ 7.114529] bus_remove_device+0x1b0/0x380

[ 7.118628] device_del+0x314/0x820

[ 7.122116] platform_device_del+0x3c/0x1e8

[ 7.126302] platform_device_unregister+0x20/0x50

[ 7.131012] aperture_detach_platform_device+0x1c/0x30

[ 7.136157] aperture_detach_devices+0x16c/0x290

[ 7.140779] aperture_remove_conflicting_devices+0x34/0x50

...

Affected products

Linux

Linux

< b1deb39cfd614fb2f278b71011692a8dbf0f05ba - AFFECTED

< b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353 - AFFECTED

< da1bb9135213744e7ec398826c8f2e843de4fb94 - AFFECTED

Linux

6.8 - AFFECTED

< 6.8 - UNAFFECTED

<= 6.12.* - UNAFFECTED

<= 6.17.* - UNAFFECTED

<= * - UNAFFECTED

References

git.kernel.org

https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba

git.kernel.org

https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353

git.kernel.org

https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94

GitHub Security Advisories

GHSA-5hpm-4x7m-g857

In the Linux kernel, the following vulnerability has been resolved: fbdev: simplefb: Fix use...

https://github.com/advisories/GHSA-5hpm-4x7m-g857

In the Linux kernel, the following vulnerability has been resolved:

fbdev: simplefb: Fix use after free in simplefb_detach_genpds()

The pm_domain cleanup can not be devres managed as it uses struct simplefb_par which is allocated within struct fb_info by framebuffer_alloc(). This allocation is explicitly freed by unregister_framebuffer() in simplefb_remove(). Devres managed cleanup runs after the device remove call and thus can no longer access struct simplefb_par. Call simplefb_detach_genpds() explicitly from simplefb_destroy() like the cleanup functions for clocks and regulators.

Fixes an use after free on M2 Mac mini during aperture_remove_conflicting_devices() using the downstream asahi kernel with Debian's kernel config. For unknown reasons this started to consistently dereference an invalid pointer in v6.16.3 based kernels.

[ 6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220 [ 6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227 [ 6.750697] [ 6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S 6.16.3-asahi+ #16 PREEMPTLAZY [ 6.752186] Tainted: [S]=CPU_OUT_OF_SPEC [ 6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT) [ 6.752189] Call trace: [ 6.752190] show_stack+0x34/0x98 (C) [ 6.752194] dump_stack_lvl+0x60/0x80 [ 6.752197] print_report+0x17c/0x4d8 [ 6.752201] kasan_report+0xb4/0x100 [ 6.752206] __asan_report_load4_noabort+0x20/0x30 [ 6.752209] simplefb_detach_genpds+0x58/0x220 [ 6.752213] devm_action_release+0x50/0x98 [ 6.752216] release_nodes+0xd0/0x2c8 [ 6.752219] devres_release_all+0xfc/0x178 [ 6.752221] device_unbind_cleanup+0x28/0x168 [ 6.752224] device_release_driver_internal+0x34c/0x470 [ 6.752228] device_release_driver+0x20/0x38 [ 6.752231] bus_remove_device+0x1b0/0x380 [ 6.752234] device_del+0x314/0x820 [ 6.752238] platform_device_del+0x3c/0x1e8 [ 6.752242] platform_device_unregister+0x20/0x50 [ 6.752246] aperture_detach_platform_device+0x1c/0x30 [ 6.752250] aperture_detach_devices+0x16c/0x290 [ 6.752253] aperture_remove_conflicting_devices+0x34/0x50 ... [ 6.752343] [ 6.967409] Allocated by task 62: [ 6.970724] kasan_save_stack+0x3c/0x70 [ 6.974560] kasan_save_track+0x20/0x40 [ 6.978397] kasan_save_alloc_info+0x40/0x58 [ 6.982670] __kasan_kmalloc+0xd4/0xd8 [ 6.986420] __kmalloc_noprof+0x194/0x540 [ 6.990432] framebuffer_alloc+0xc8/0x130 [ 6.994444] simplefb_probe+0x258/0x2378 ... [ 7.054356] [ 7.055838] Freed by task 227: [ 7.058891] kasan_save_stack+0x3c/0x70 [ 7.062727] kasan_save_track+0x20/0x40 [ 7.066565] kasan_save_free_info+0x4c/0x80 [ 7.070751] __kasan_slab_free+0x6c/0xa0 [ 7.074675] kfree+0x10c/0x380 [ 7.077727] framebuffer_release+0x5c/0x90 [ 7.081826] simplefb_destroy+0x1b4/0x2c0 [ 7.085837] put_fb_info+0x98/0x100 [ 7.089326] unregister_framebuffer+0x178/0x320 [ 7.093861] simplefb_remove+0x3c/0x60 [ 7.097611] platform_remove+0x60/0x98 [ 7.101361] device_remove+0xb8/0x160 [ 7.105024] device_release_driver_internal+0x2fc/0x470 [ 7.110256] device_release_driver+0x20/0x38 [ 7.114529] bus_remove_device+0x1b0/0x380 [ 7.118628] device_del+0x314/0x820 [ 7.122116] platform_device_del+0x3c/0x1e8 [ 7.126302] platform_device_unregister+0x20/0x50 [ 7.131012] aperture_detach_platform_device+0x1c/0x30 [ 7.136157] aperture_detach_devices+0x16c/0x290 [ 7.140779] aperture_remove_conflicting_devices+0x34/0x50 ...

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2025-40037

git.kernel.org

https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba

git.kernel.org

https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353

git.kernel.org

https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94

github.com

https://github.com/advisories/GHSA-5hpm-4x7m-g857

JSON source

Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "CVE-2025-40037",
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "dateUpdated": "2025-10-28T11:48:18.274Z",
    "dateReserved": "2025-04-16T07:20:57.153Z",
    "datePublished": "2025-10-28T11:48:18.274Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux",
        "dateUpdated": "2025-10-28T11:48:18.274Z"
      },
      "title": "fbdev: simplefb: Fix use after free in simplefb_detach_genpds()",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: simplefb: Fix use after free in simplefb_detach_genpds()\n\nThe pm_domain cleanup can not be devres managed as it uses struct\nsimplefb_par which is allocated within struct fb_info by\nframebuffer_alloc(). This allocation is explicitly freed by\nunregister_framebuffer() in simplefb_remove().\nDevres managed cleanup runs after the device remove call and thus can no\nlonger access struct simplefb_par.\nCall simplefb_detach_genpds() explicitly from simplefb_destroy() like\nthe cleanup functions for clocks and regulators.\n\nFixes an use after free on M2 Mac mini during\naperture_remove_conflicting_devices() using the downstream asahi kernel\nwith Debian's kernel config. For unknown reasons this started to\nconsistently dereference an invalid pointer in v6.16.3 based kernels.\n\n[    6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220\n[    6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227\n[    6.750697]\n[    6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S                  6.16.3-asahi+ #16 PREEMPTLAZY\n[    6.752186] Tainted: [S]=CPU_OUT_OF_SPEC\n[    6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)\n[    6.752189] Call trace:\n[    6.752190]  show_stack+0x34/0x98 (C)\n[    6.752194]  dump_stack_lvl+0x60/0x80\n[    6.752197]  print_report+0x17c/0x4d8\n[    6.752201]  kasan_report+0xb4/0x100\n[    6.752206]  __asan_report_load4_noabort+0x20/0x30\n[    6.752209]  simplefb_detach_genpds+0x58/0x220\n[    6.752213]  devm_action_release+0x50/0x98\n[    6.752216]  release_nodes+0xd0/0x2c8\n[    6.752219]  devres_release_all+0xfc/0x178\n[    6.752221]  device_unbind_cleanup+0x28/0x168\n[    6.752224]  device_release_driver_internal+0x34c/0x470\n[    6.752228]  device_release_driver+0x20/0x38\n[    6.752231]  bus_remove_device+0x1b0/0x380\n[    6.752234]  device_del+0x314/0x820\n[    6.752238]  platform_device_del+0x3c/0x1e8\n[    6.752242]  platform_device_unregister+0x20/0x50\n[    6.752246]  aperture_detach_platform_device+0x1c/0x30\n[    6.752250]  aperture_detach_devices+0x16c/0x290\n[    6.752253]  aperture_remove_conflicting_devices+0x34/0x50\n...\n[    6.752343]\n[    6.967409] Allocated by task 62:\n[    6.970724]  kasan_save_stack+0x3c/0x70\n[    6.974560]  kasan_save_track+0x20/0x40\n[    6.978397]  kasan_save_alloc_info+0x40/0x58\n[    6.982670]  __kasan_kmalloc+0xd4/0xd8\n[    6.986420]  __kmalloc_noprof+0x194/0x540\n[    6.990432]  framebuffer_alloc+0xc8/0x130\n[    6.994444]  simplefb_probe+0x258/0x2378\n...\n[    7.054356]\n[    7.055838] Freed by task 227:\n[    7.058891]  kasan_save_stack+0x3c/0x70\n[    7.062727]  kasan_save_track+0x20/0x40\n[    7.066565]  kasan_save_free_info+0x4c/0x80\n[    7.070751]  __kasan_slab_free+0x6c/0xa0\n[    7.074675]  kfree+0x10c/0x380\n[    7.077727]  framebuffer_release+0x5c/0x90\n[    7.081826]  simplefb_destroy+0x1b4/0x2c0\n[    7.085837]  put_fb_info+0x98/0x100\n[    7.089326]  unregister_framebuffer+0x178/0x320\n[    7.093861]  simplefb_remove+0x3c/0x60\n[    7.097611]  platform_remove+0x60/0x98\n[    7.101361]  device_remove+0xb8/0x160\n[    7.105024]  device_release_driver_internal+0x2fc/0x470\n[    7.110256]  device_release_driver+0x20/0x38\n[    7.114529]  bus_remove_device+0x1b0/0x380\n[    7.118628]  device_del+0x314/0x820\n[    7.122116]  platform_device_del+0x3c/0x1e8\n[    7.126302]  platform_device_unregister+0x20/0x50\n[    7.131012]  aperture_detach_platform_device+0x1c/0x30\n[    7.136157]  aperture_detach_devices+0x16c/0x290\n[    7.140779]  aperture_remove_conflicting_devices+0x34/0x50\n..."
        }
      ],
      "affected": [
        {
          "vendor": "Linux",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/simplefb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "92a511a568e44cf11681a2223cae4d576a1a515d",
              "status": "affected",
              "versionType": "git",
              "lessThan": "b1deb39cfd614fb2f278b71011692a8dbf0f05ba"
            },
            {
              "version": "92a511a568e44cf11681a2223cae4d576a1a515d",
              "status": "affected",
              "versionType": "git",
              "lessThan": "b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353"
            },
            {
              "version": "92a511a568e44cf11681a2223cae4d576a1a515d",
              "status": "affected",
              "versionType": "git",
              "lessThan": "da1bb9135213744e7ec398826c8f2e843de4fb94"
            }
          ]
        },
        {
          "vendor": "Linux",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/simplefb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "defaultStatus": "affected",
          "versions": [
            {
              "version": "6.8",
              "status": "affected"
            },
            {
              "version": "0",
              "status": "unaffected",
              "versionType": "semver",
              "lessThan": "6.8"
            },
            {
              "version": "6.12.53",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "6.12.*"
            },
            {
              "version": "6.17.3",
              "status": "unaffected",
              "versionType": "semver",
              "lessThanOrEqual": "6.17.*"
            },
            {
              "version": "6.18-rc1",
              "status": "unaffected",
              "versionType": "original_commit_for_fix",
              "lessThanOrEqual": "*"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353"
        },
        {
          "url": "https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94"
        }
      ]
    }
  }
}

Mitre source

https://cveawg.mitre.org/api/cve/CVE-2025-40037