CVE-2025-38521: 
Linux Debian vulnerability analysis and mitigation

In the Linux kernel, a vulnerability (CVE-2025-38521) has been identified and resolved in the drm/imagination component. The issue was discovered on August 16, 2025, and involves a kernel crash scenario that occurs during the GPU hard reset sequence (NVD).

The vulnerability stems from improper usage of pmruntimeforcesuspend() and pmruntimeforceresume() functions during GPU hard reset operations. These functions should only be used during system-wide PM transitions to sleep states. The core issue arises when pmruntimeforcesuspend() evaluates internal runtime PM state (specifically when usage count is <= 1), causing pmruntimeforceresume() to potentially skip device resumption. This results in the runtime PM resume callback pvrpowerdevice_resume() not being executed, leaving GPU clocks disabled and causing a kernel crash on subsequent GPU register access attempts during power-on sequences (NVD).

When exploited, this vulnerability leads to kernel crashes during GPU operations, specifically when attempting to access GPU registers as part of the power-on sequence. This can result in system instability and potential denial of service conditions (NVD).

The issue has been fixed by replacing calls to pmruntimeforcesuspend() and pmruntimeforceresume() with direct calls to the driver's runtime PM callbacks, pvrpowerdevicesuspend() and pvrpowerdeviceresume(). This ensures proper re-enabling of GPU clocks and prevents kernel crashes (NVD).