Linux kernel CVE announcements
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@kernel.org>
Subject: CVE-2026-43318: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
Date: Fri,  8 May 2026 15:26:21 +0200
Message-ID: <2026050818-CVE-2026-43318-79ab@gregkh>

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify

Invalidating a dmabuf will impact other users of the shared BO.
In the scenario where process A moves the BO, it needs to inform
process B about the move and process B will need to update its
page table.

The commit fixes a synchronisation bug caused by the use of the
ticket: it made amdgpu_vm_handle_moved behave as if updating
the page table immediately was correct but in this case it's not.

An example is the following scenario, with 2 GPUs and glxgears
running on GPU0 and Xorg running on GPU1, on a system where P2P
PCI isn't supported:

glxgears:
  export linear buffer from GPU0 and import using GPU1
  submit frame rendering to GPU0
  submit tiled->linear blit
Xorg:
  copy of linear buffer

The sequence of jobs would be:
  drm_sched_job_run                       # GPU0, frame rendering
  drm_sched_job_queue                     # GPU0, blit
  drm_sched_job_done                      # GPU0, frame rendering
  drm_sched_job_run                       # GPU0, blit
  move linear buffer for GPU1 access      #
  amdgpu_dma_buf_move_notify -> update pt # GPU0

At this point the blit job on GPU0 is still running and would
likely produce a page fault.

The Linux kernel CVE team has assigned CVE-2026-43318 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.12.75 with commit 82a7ea35a1526bef8ae170c33ff80e5db7728961
	Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.18.16 with commit 89a9389ad70d3c69538e59d87df67d407aef4c26
	Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.19.6 with commit 3307459eb3583115264421e859858d1f90f3694a
	Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 7.0 with commit b18fc0ab837381c1a6ef28386602cd888f2d9edf

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43318
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/82a7ea35a1526bef8ae170c33ff80e5db7728961
	https://git.kernel.org/stable/c/89a9389ad70d3c69538e59d87df67d407aef4c26
	https://git.kernel.org/stable/c/3307459eb3583115264421e859858d1f90f3694a
	https://git.kernel.org/stable/c/b18fc0ab837381c1a6ef28386602cd888f2d9edf
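
Added example, not part of the announcement or of any kernel.org tooling: a check of an upstream kernel release string against the ranges listed under "Affected and fixed versions" above. The function and status names are assumptions of this example, and a distribution kernel that backports the fix without changing its upstream version number cannot be decided this way.

```python
import re

# Ranges copied from the "Affected and fixed versions" section above.
INTRODUCED = (5, 7)                                        # first affected release
FIXED_IN_BRANCH = {(6, 12): 75, (6, 18): 16, (6, 19): 6}   # stable branch -> first fixed patch
FIXED_MAINLINE = (7, 0)                                    # first fixed mainline release


def parse_release(release):
    """Split 'X.Y[.Z][-suffix]' (e.g. `uname -r` output) into (major, minor, patch, is_rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    patch = int(m.group(3) or 0)
    is_rc = re.match(r"-rc\d+", m.group(4)) is not None
    return int(m.group(1)), int(m.group(2)), patch, is_rc


def classify(release):
    """Return 'not-affected', 'affected', 'fixed' or 'unknown' for an upstream release."""
    major, minor, patch, is_rc = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not-affected"
    # A release candidate of 5.7 or 7.0 may predate or include the relevant commit;
    # the version string alone cannot tell, so do not guess.
    if is_rc and branch in (INTRODUCED, FIXED_MAINLINE):
        return "unknown"
    if branch >= FIXED_MAINLINE:
        return "fixed"
    if branch in FIXED_IN_BRANCH:
        return "fixed" if patch >= FIXED_IN_BRANCH[branch] else "affected"
    # 5.7 <= branch < 7.0 with no fixed stable release listed in the announcement.
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts.
    for rel in ("5.4.290", "6.6.100", "6.12.74", "6.12.75-generic", "7.0-rc3", "7.0.1"):
        print(f"{rel:18} {classify(rel)}")
```

An "affected" result for a branch without a listed fix reflects only the announcement as written; the CVE record linked above is where later backports appear.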
