{"id":"CVE-2025-40037","summary":"fbdev: simplefb: Fix use after free in simplefb_detach_genpds()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: simplefb: Fix use after free in simplefb_detach_genpds()\n\nThe pm_domain cleanup can not be devres managed as it uses struct\nsimplefb_par which is allocated within struct fb_info by\nframebuffer_alloc(). This allocation is explicitly freed by\nunregister_framebuffer() in simplefb_remove().\nDevres managed cleanup runs after the device remove call and thus can no\nlonger access struct simplefb_par.\nCall simplefb_detach_genpds() explicitly from simplefb_destroy() like\nthe cleanup functions for clocks and regulators.\n\nFixes an use after free on M2 Mac mini during\naperture_remove_conflicting_devices() using the downstream asahi kernel\nwith Debian's kernel config. For unknown reasons this started to\nconsistently dereference an invalid pointer in v6.16.3 based kernels.\n\n[    6.736134] BUG: KASAN: slab-use-after-free in simplefb_detach_genpds+0x58/0x220\n[    6.743545] Read of size 4 at addr ffff8000304743f0 by task (udev-worker)/227\n[    6.750697]\n[    6.752182] CPU: 6 UID: 0 PID: 227 Comm: (udev-worker) Tainted: G S                  6.16.3-asahi+ #16 PREEMPTLAZY\n[    6.752186] Tainted: [S]=CPU_OUT_OF_SPEC\n[    6.752187] Hardware name: Apple Mac mini (M2, 2023) (DT)\n[    6.752189] Call trace:\n[    6.752190]  show_stack+0x34/0x98 (C)\n[    6.752194]  dump_stack_lvl+0x60/0x80\n[    6.752197]  print_report+0x17c/0x4d8\n[    6.752201]  kasan_report+0xb4/0x100\n[    6.752206]  __asan_report_load4_noabort+0x20/0x30\n[    6.752209]  simplefb_detach_genpds+0x58/0x220\n[    6.752213]  devm_action_release+0x50/0x98\n[    6.752216]  release_nodes+0xd0/0x2c8\n[    6.752219]  devres_release_all+0xfc/0x178\n[    6.752221]  device_unbind_cleanup+0x28/0x168\n[    6.752224]  device_release_driver_internal+0x34c/0x470\n[    6.752228]  device_release_driver+0x20/0x38\n[    6.752231]  bus_remove_device+0x1b0/0x380\n[    6.752234]  device_del+0x314/0x820\n[    6.752238]  platform_device_del+0x3c/0x1e8\n[    6.752242]  platform_device_unregister+0x20/0x50\n[    6.752246]  aperture_detach_platform_device+0x1c/0x30\n[    6.752250]  aperture_detach_devices+0x16c/0x290\n[    6.752253]  aperture_remove_conflicting_devices+0x34/0x50\n...\n[    6.752343]\n[    6.967409] Allocated by task 62:\n[    6.970724]  kasan_save_stack+0x3c/0x70\n[    6.974560]  kasan_save_track+0x20/0x40\n[    6.978397]  kasan_save_alloc_info+0x40/0x58\n[    6.982670]  __kasan_kmalloc+0xd4/0xd8\n[    6.986420]  __kmalloc_noprof+0x194/0x540\n[    6.990432]  framebuffer_alloc+0xc8/0x130\n[    6.994444]  simplefb_probe+0x258/0x2378\n...\n[    7.054356]\n[    7.055838] Freed by task 227:\n[    7.058891]  kasan_save_stack+0x3c/0x70\n[    7.062727]  kasan_save_track+0x20/0x40\n[    7.066565]  kasan_save_free_info+0x4c/0x80\n[    7.070751]  __kasan_slab_free+0x6c/0xa0\n[    7.074675]  kfree+0x10c/0x380\n[    7.077727]  framebuffer_release+0x5c/0x90\n[    7.081826]  simplefb_destroy+0x1b4/0x2c0\n[    7.085837]  put_fb_info+0x98/0x100\n[    7.089326]  unregister_framebuffer+0x178/0x320\n[    7.093861]  simplefb_remove+0x3c/0x60\n[    7.097611]  platform_remove+0x60/0x98\n[    7.101361]  device_remove+0xb8/0x160\n[    7.105024]  device_release_driver_internal+0x2fc/0x470\n[    7.110256]  device_release_driver+0x20/0x38\n[    7.114529]  bus_remove_device+0x1b0/0x380\n[    7.118628]  device_del+0x314/0x820\n[    7.122116]  platform_device_del+0x3c/0x1e8\n[    7.126302]  platform_device_unregister+0x20/0x50\n[    7.131012]  aperture_detach_platform_device+0x1c/0x30\n[    7.136157]  aperture_detach_devices+0x16c/0x290\n[    7.140779]  aperture_remove_conflicting_devices+0x34/0x50\n...","modified":"2026-03-20T12:43:09.135006Z","published":"2025-10-28T11:48:18.274Z","related":["SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4141-1","openSUSE-SU-2025:15702-1","openSUSE-SU-2025:20091-1","openSUSE-SU-2026:10301-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40037.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/b1deb39cfd614fb2f278b71011692a8dbf0f05ba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353"},{"type":"WEB","url":"https://git.kernel.org/stable/c/da1bb9135213744e7ec398826c8f2e843de4fb94"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40037.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40037"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"92a511a568e44cf11681a2223cae4d576a1a515d"},{"fixed":"b1deb39cfd614fb2f278b71011692a8dbf0f05ba"},{"fixed":"b6ff0d8de8452ec0e18e5bd7394c2a23e7ff7353"},{"fixed":"da1bb9135213744e7ec398826c8f2e843de4fb94"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40037.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.8.0"},{"fixed":"6.12.53"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40037.json"}}],"schema_version":"1.7.5"}