CVE-2026-46276
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix zero-size GDS range init on RDNA4
RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory resources. The gfx_v12_0 initialisation code correctly leaves adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at zero to reflect this.
amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for each of these resources regardless of size. When the size is zero, amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(), which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires DRM_MM_BUG_ON(start + size <= start) – trivially true when size is zero – crashing the kernel during modprobe of amdgpu on an RX 9070 XT.
Guard against this by returning 0 early from amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM resource manager registration for hardware resources that are absent, without affecting any other GPU type.
DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in the kernel config. This is apparently rarely enabled as these chips have been in the market for over a year and this issue was only reported now.
Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html (cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < 1f5d33e7b0a9a2a140f46e22fb52eede323c5946 | affected |
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < 9bc925759c05feae7dfa9570e77131d54729c8ea | affected |
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < 36f9602fb22ede69fcc8b422be0cf8105bf655ad | affected |
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < be0376affcafa0bbb371bb501579a825eae32281 | affected |
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < 0e21db1a77967bc15df662efdca8ea8a61d124ea | affected |
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < 30c000a49094ec568c9b51b7421f7a4a3f0b0298 | affected |
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < 3e26c76891ab99fa173e9c501119fbb5c9f4600f | affected |
| Linux | Linux | c832c346cdf9022872655be621880e0f66f4135d < 095a8b0ad3c3b5cdc3850d961adb8a8f735220bb | affected |
| Linux | Linux | 4.20 | affected |
| Linux | Linux | 0 < 4.20 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.86 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.27 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.4 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/1f5d33e7b0a9a2a140f46e22fb52eede323c5946
- https://git.kernel.org/stable/c/9bc925759c05feae7dfa9570e77131d54729c8ea
- https://git.kernel.org/stable/c/36f9602fb22ede69fcc8b422be0cf8105bf655ad
- https://git.kernel.org/stable/c/be0376affcafa0bbb371bb501579a825eae32281
- https://git.kernel.org/stable/c/0e21db1a77967bc15df662efdca8ea8a61d124ea
- https://git.kernel.org/stable/c/30c000a49094ec568c9b51b7421f7a4a3f0b0298
- https://git.kernel.org/stable/c/3e26c76891ab99fa173e9c501119fbb5c9f4600f
- https://git.kernel.org/stable/c/095a8b0ad3c3b5cdc3850d961adb8a8f735220bb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.