CVE-2026-31766

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: validate doorbell_offset in user queue creation

amdgpu_userq_get_doorbell_index() passes the user-provided doorbell_offset to amdgpu_doorbell_index_on_bar() without bounds checking. An arbitrarily large doorbell_offset can cause the calculated doorbell index to fall outside the allocated doorbell BO, potentially corrupting kernel doorbell space.

Validate that doorbell_offset falls within the doorbell BO before computing the BAR index, using u64 arithmetic to prevent overflow.

(cherry picked from commit de1ef4ffd70e1d15f0bf584fd22b1f28cbd5e2ec)

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf09c1e6077abd1bc2ddd2b97e1135215801ca7f9 < 3543005a42d7e8e12b21897ef6798541bf7cbcd3affected
LinuxLinuxf09c1e6077abd1bc2ddd2b97e1135215801ca7f9 < 86b732fbc37ce4fb76cdd4af0fb7e30a6acdbce6affected
LinuxLinuxf09c1e6077abd1bc2ddd2b97e1135215801ca7f9 < a018d1819f158991b7308e4f74609c6c029b670caffected
LinuxLinux6.16affected
LinuxLinux0 < 6.16unaffected
LinuxLinux6.18.22 <= 6.18.*unaffected
LinuxLinux6.19.12 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References