{"id":"CVE-2025-22093","summary":"drm/amd/display: avoid NPD when ASIC does not support DMUB","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: avoid NPD when ASIC does not support DMUB\n\nctx-\u003edmub_srv will de NULL if the ASIC does not support DMUB, which is\ntested in dm_dmub_sw_init.\n\nHowever, it will be dereferenced in dmub_hw_lock_mgr_cmd if\nshould_use_dmub_lock returns true.\n\nThis has been the case since dmub support has been added for PSR1.\n\nFix this by checking for dmub_srv in should_use_dmub_lock.\n\n[   37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058\n[   37.447808] #PF: supervisor read access in kernel mode\n[   37.452959] #PF: error_code(0x0000) - not-present page\n[   37.458112] PGD 0 P4D 0\n[   37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n[   37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88\n[   37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023\n[   37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0\n[   37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 \u003c48\u003e 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5\n[   37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202\n[   37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358\n[   37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000\n[   37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5\n[   37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000\n[   37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000\n[   37.551725] FS:  0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000\n[   37.559814] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0\n[   37.572697] Call Trace:\n[   37.575152]  \u003cTASK\u003e\n[   37.577258]  ? __die_body+0x66/0xb0\n[   37.580756]  ? page_fault_oops+0x3e7/0x4a0\n[   37.584861]  ? exc_page_fault+0x3e/0xe0\n[   37.588706]  ? exc_page_fault+0x5c/0xe0\n[   37.592550]  ? asm_exc_page_fault+0x22/0x30\n[   37.596742]  ? dmub_hw_lock_mgr_cmd+0x77/0xb0\n[   37.601107]  dcn10_cursor_lock+0x1e1/0x240\n[   37.605211]  program_cursor_attributes+0x81/0x190\n[   37.609923]  commit_planes_for_stream+0x998/0x1ef0\n[   37.614722]  update_planes_and_stream_v2+0x41e/0x5c0\n[   37.619703]  dc_update_planes_and_stream+0x78/0x140\n[   37.624588]  amdgpu_dm_atomic_commit_tail+0x4362/0x49f0\n[   37.629832]  ? srso_return_thunk+0x5/0x5f\n[   37.633847]  ? mark_held_locks+0x6d/0xd0\n[   37.637774]  ? _raw_spin_unlock_irq+0x24/0x50\n[   37.642135]  ? srso_return_thunk+0x5/0x5f\n[   37.646148]  ? lockdep_hardirqs_on+0x95/0x150\n[   37.650510]  ? srso_return_thunk+0x5/0x5f\n[   37.654522]  ? _raw_spin_unlock_irq+0x2f/0x50\n[   37.658883]  ? srso_return_thunk+0x5/0x5f\n[   37.662897]  ? wait_for_common+0x186/0x1c0\n[   37.666998]  ? srso_return_thunk+0x5/0x5f\n[   37.671009]  ? drm_crtc_next_vblank_start+0xc3/0x170\n[   37.675983]  commit_tail+0xf5/0x1c0\n[   37.679478]  drm_atomic_helper_commit+0x2a2/0x2b0\n[   37.684186]  drm_atomic_commit+0xd6/0x100\n[   37.688199]  ? __cfi___drm_printfn_info+0x10/0x10\n[   37.692911]  drm_atomic_helper_update_plane+0xe5/0x130\n[   37.698054]  drm_mode_cursor_common+0x501/0x670\n[   37.702600]  ? __cfi_drm_mode_cursor_ioctl+0x10/0x10\n[   37.707572]  drm_mode_cursor_ioctl+0x48/0x70\n[   37.711851]  drm_ioctl_kernel+0xf2/0x150\n[   37.715781]  drm_ioctl+0x363/0x590\n[   37.719189]  ? __cfi_drm_mode_cursor_ioctl+0x10/0x10\n[   37.724165]  amdgpu_drm_ioctl+0x41/0x80\n[   37.728013]  __se_sys_ioctl+0x7f/0xd0\n[   37.731685]  do_syscall_64+0x87/0x100\n[   37.735355]  ? vma_end_read+0x12/0xe0\n[   37.739024]  ? srso_return_thunk+0x5/0x5f\n[   37.743041]  ? find_held_lock+0x47/0xf0\n[   37.746884]  ? vma_end_read+0x12/0xe0\n[   37.750552]  ? srso_return_thunk+0x5/0\n---truncated---","modified":"2026-03-20T12:41:19.243793Z","published":"2025-04-16T14:12:44.802Z","related":["MGASA-2025-0142","MGASA-2025-0146","SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22093.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3453bcaf2ca92659346bf8504c2b52b3993fbd79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/35ad39afd007eddf34b3307bebb715c26891cc96"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42d9d7bed270247f134190ba0cb05bbd072f58c2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5e4b1e04740cdb28de189285007366d99a92f1ce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d953e2cd59ab466569c6f9da460e01caf1c83559"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22093.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22093"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b7d2461858ac75c9d6bc4ab8af1a738d0814b716"},{"fixed":"d953e2cd59ab466569c6f9da460e01caf1c83559"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"758abba3dd413dc5de2016f8588403294263a30a"},{"fixed":"b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4b46fc30b37e457d25cf3908c0c4dc3fbedd2044"},{"fixed":"3453bcaf2ca92659346bf8504c2b52b3993fbd79"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b5c764d6ed556c4e81fbe3fd976da77ec450c08e"},{"fixed":"5e4b1e04740cdb28de189285007366d99a92f1ce"},{"fixed":"35ad39afd007eddf34b3307bebb715c26891cc96"},{"fixed":"42d9d7bed270247f134190ba0cb05bbd072f58c2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22093.json"}}],"schema_version":"1.7.5"}