CVE-2026-43318

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify

Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table.

The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpu_vm_handle_moved behave as if updating the page table immediately was correct but in this case it's not.

An example is the following scenario, with 2 GPUs and glxgears running on GPU0 and Xorg running on GPU1, on a system where P2P PCI isn't supported:

glxgears: export linear buffer from GPU0 and import using GPU1 submit frame rendering to GPU0 submit tiled->linear blit Xorg: copy of linear buffer

The sequence of jobs would be: drm_sched_job_run # GPU0, frame rendering drm_sched_job_queue # GPU0, blit drm_sched_job_done # GPU0, frame rendering drm_sched_job_run # GPU0, blit move linear buffer for GPU1 access # amdgpu_dma_buf_move_notify -> update pt # GPU0

It this point the blit job on GPU0 is still running and would likely produce a page fault.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa448cb003edcb4b63d0a9c95f3faab724e6150fb < 82a7ea35a1526bef8ae170c33ff80e5db7728961affected
LinuxLinuxa448cb003edcb4b63d0a9c95f3faab724e6150fb < 89a9389ad70d3c69538e59d87df67d407aef4c26affected
LinuxLinuxa448cb003edcb4b63d0a9c95f3faab724e6150fb < 3307459eb3583115264421e859858d1f90f3694aaffected
LinuxLinuxa448cb003edcb4b63d0a9c95f3faab724e6150fb < b18fc0ab837381c1a6ef28386602cd888f2d9edfaffected
LinuxLinux5.7affected
LinuxLinux0 < 5.7unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.16 <= 6.18.*unaffected
LinuxLinux6.19.6 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References