| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2026021418-CVE-2026-23163-abc8@gregkh>
Date: Sat, 14 Feb 2026 17:04:29 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2026-23163: drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and
ih2 interrupt ring buffers are not initialized. This is by design, as
these secondary IH rings are only available on discrete GPUs. See
vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when
AMD_IS_APU is set.
However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to
get the timestamp of the last interrupt entry. When retry faults are
enabled on APUs (noretry=0), this function is called from the SVM page
fault recovery path, resulting in a NULL pointer dereference when
amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].
The crash manifests as:
BUG: kernel NULL pointer dereference, address: 0000000000000004
RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
Call Trace:
amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
amdgpu_ih_process+0x84/0x100 [amdgpu]
This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HW
IP 9.3.0 from noretry=1") which changed the default for Renoir APU from
noretry=1 to noretry=0, enabling retry fault handling and thus
exercising the buggy code path.
Fix this by adding a check for ih1.ring_size before attempting to use
it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu:
Rework retry fault removal"). This is needed if the hardware doesn't
support secondary HW IH rings.
v2: additional updates (Alex)
(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
The Linux kernel CVE team has assigned CVE-2026-23163 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.4 with commit dd299441654fd8209056c7985ddf2373ebaba6ed and fixed in 6.6.123 with commit c74e2dbb5316898fb2113a8ea3a93b27698dbf68
Issue introduced in 6.4 with commit dd299441654fd8209056c7985ddf2373ebaba6ed and fixed in 6.12.69 with commit 7611d7faccc1218be477671f892a89b25c0cb352
Issue introduced in 6.4 with commit dd299441654fd8209056c7985ddf2373ebaba6ed and fixed in 6.18.9 with commit ac251d17d8af58ddc3daba65eaf0a99e63dc4284
Issue introduced in 6.4 with commit dd299441654fd8209056c7985ddf2373ebaba6ed and fixed in 6.19 with commit 8b1ecc9377bc641533cd9e76dfa3aee3cd04a007
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-23163
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c74e2dbb5316898fb2113a8ea3a93b27698dbf68
https://git.kernel.org/stable/c/7611d7faccc1218be477671f892a89b25c0cb352
https://git.kernel.org/stable/c/ac251d17d8af58ddc3daba65eaf0a99e63dc4284
https://git.kernel.org/stable/c/8b1ecc9377bc641533cd9e76dfa3aee3cd04a007
Powered by blists - more mailing lists