From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B5CD3E3D96 for ; Fri, 8 May 2026 13:26:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778246794; cv=none; b=nblDp7aD33jGgx1zqZMmzoE+R/VyzmJQq3RFcTzhw0g4xw2kkrxDWGr30xU0C4m2K75i/HMw37naCok3EXZe7BsygY/zPtLixn8LmTUryVCtwXuuUHtRV4BUQ6XrmjvCeo8ygRXKC/jVjLHugxWg7m9N7JTYHZrx0xs4NQxITUE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778246794; c=relaxed/simple; bh=mkhWYbYG2ro6bDHq35PoJTVNIJm4uu9JSXp9H/mdfMk=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=pVF9jb+/ng2275YEy+HKE8SD0mbqx05BPFL+io3xGYFceASwoOZXWuGiiiuoC9M0TIyy5t6Cm4cYDVkXGmigLepSpZ2krN1g5QcXKAqd65PGOgAQ//UGQimKGAUBuQZZdrX+WzJeR9q+Sgjhq1uFG6PZLtVi1PhJwv8NpyNbOl0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=V0eu1Rux; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="V0eu1Rux" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1E3ADC2BCC7; Fri, 8 May 2026 13:26:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778246793; bh=mkhWYbYG2ro6bDHq35PoJTVNIJm4uu9JSXp9H/mdfMk=; h=From:To:Cc:Subject:Date:Reply-To:From; b=V0eu1RuxbpuJRnY6ZlTD6VAJVdK29UWeT6/HcuM/syvHKzdNSYad+cnLADZC604wZ wwVrR4XLxUx36j02JkMupOZsB0xLJh7fLC01HMlzBGvSXPK36KS04qxfmP9GjFdJti dyXkUM4akpqdiCKlMQTB0Wh3opi2jIG0gz5DOM8E= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43318: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify Date: Fri, 8 May 2026 15:26:21 +0200 Message-ID: <2026050818-CVE-2026-43318-79ab@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3428; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=MuKUaMp9/1epEmLBMYXoX501I6tHXhUUFjgWaK5vZjE=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/n1SJn/nU9uBVylQv0+zkusd3z8zSD961vPZkSKXKp o7Xf7ZGd8SyMAgyMciKKbJ82cZzdH/FIUUvQ9vTMHNYmUCGMHBxCsBEet8xzOFrb5drfnyj9rI7 92fh6QtPXvihvJFhDnfN+gciSWeytyres86JqP/xfVu9PQA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table. The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpu_vm_handle_moved behave as if updating the page table immediately was correct but in this case it's not. An example is the following scenario, with 2 GPUs and glxgears running on GPU0 and Xorg running on GPU1, on a system where P2P PCI isn't supported: glxgears: export linear buffer from GPU0 and import using GPU1 submit frame rendering to GPU0 submit tiled->linear blit Xorg: copy of linear buffer The sequence of jobs would be: drm_sched_job_run # GPU0, frame rendering drm_sched_job_queue # GPU0, blit drm_sched_job_done # GPU0, frame rendering drm_sched_job_run # GPU0, blit move linear buffer for GPU1 access # amdgpu_dma_buf_move_notify -> update pt # GPU0 It this point the blit job on GPU0 is still running and would likely produce a page fault. The Linux kernel CVE team has assigned CVE-2026-43318 to this issue. Affected and fixed versions =========================== Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.12.75 with commit 82a7ea35a1526bef8ae170c33ff80e5db7728961 Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.18.16 with commit 89a9389ad70d3c69538e59d87df67d407aef4c26 Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.19.6 with commit 3307459eb3583115264421e859858d1f90f3694a Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 7.0 with commit b18fc0ab837381c1a6ef28386602cd888f2d9edf Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43318 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/82a7ea35a1526bef8ae170c33ff80e5db7728961 https://git.kernel.org/stable/c/89a9389ad70d3c69538e59d87df67d407aef4c26 https://git.kernel.org/stable/c/3307459eb3583115264421e859858d1f90f3694a https://git.kernel.org/stable/c/b18fc0ab837381c1a6ef28386602cd888f2d9edf