* CVE-2026-43318: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
@ 2026-05-08 13:26 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2026-05-08 13:26 UTC
To: linux-cve-announce; +Cc: Greg Kroah-Hartman
From: Greg Kroah-Hartman <gregkh@kernel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
Invalidating a dmabuf will impact other users of the shared BO.
In the scenario where process A moves the BO, it needs to inform
process B about the move and process B will need to update its
page table.
The commit fixes a synchronisation bug caused by the use of the
ticket: it made amdgpu_vm_handle_moved behave as if updating
the page table immediately was correct but in this case it's not.
An example is the following scenario, with 2 GPUs and glxgears
running on GPU0 and Xorg running on GPU1, on a system where P2P
PCI isn't supported:
  glxgears:
    export linear buffer from GPU0 and import using GPU1
    submit frame rendering to GPU0
    submit tiled->linear blit
  Xorg:
    copy of linear buffer
The sequence of jobs would be:
  drm_sched_job_run                         # GPU0, frame rendering
  drm_sched_job_queue                       # GPU0, blit
  drm_sched_job_done                        # GPU0, frame rendering
  drm_sched_job_run                         # GPU0, blit
  move linear buffer for GPU1 access        #
  amdgpu_dma_buf_move_notify -> update pt   # GPU0
At this point the blit job on GPU0 is still running and would
likely produce a page fault.
The Linux kernel CVE team has assigned CVE-2026-43318 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.12.75 with commit 82a7ea35a1526bef8ae170c33ff80e5db7728961
Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.18.16 with commit 89a9389ad70d3c69538e59d87df67d407aef4c26
Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 6.19.6 with commit 3307459eb3583115264421e859858d1f90f3694a
Issue introduced in 5.7 with commit a448cb003edcb4b63d0a9c95f3faab724e6150fb and fixed in 7.0 with commit b18fc0ab837381c1a6ef28386602cd888f2d9edf
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-43318
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/82a7ea35a1526bef8ae170c33ff80e5db7728961
https://git.kernel.org/stable/c/89a9389ad70d3c69538e59d87df67d407aef4c26
https://git.kernel.org/stable/c/3307459eb3583115264421e859858d1f90f3694a
https://git.kernel.org/stable/c/b18fc0ab837381c1a6ef28386602cd888f2d9edf
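
Added example, not part of the original announcement or of any kernel code: a shell function that classifies a kernel release string against the introduced and fixed versions listed under "Affected and fixed versions" above. The function name and the status words it prints are assumptions of this example. It assumes kernel.org version numbering, so a distribution kernel that carries the fix under an older base version is still reported as affected, and the result only matters on systems that use the amdgpu driver.

```shell
#!/bin/sh
# Classify a kernel release string for CVE-2026-43318 using only the
# version data in this advisory (introduced in 5.7; fixed in 6.12.75,
# 6.18.16, 6.19.6 and 7.0). Prints: not-affected | affected | fixed | unknown.
# Usage: cve_2026_43318_status "$(uname -r)"
cve_2026_43318_status() {
    rel=$1
    ver=${rel%%-*}                      # drop "-generic", "-rc3", ...
    ver=${ver%%+*}                      # drop "+localversion"
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0      # no minor component given
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "5.7" means patch level 0
    patch=${patch%%.*}                  # ignore a 4th component
    for n in "$major" "$minor" "$patch"; do
        case $n in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    # Releases older than 5.7 predate the commit that introduced the bug.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 7 ]; }; then
        echo not-affected; return 0
    fi
    # Mainline fix is in 7.0; a 7.0 release candidate may predate it.
    if [ "$major" -ge 7 ]; then
        case $rel in
            7.0-rc*|7.0.0-rc*) echo unknown ;;
            *) echo fixed ;;
        esac
        return 0
    fi
    # Stable branches with a listed fix, and the first fixed patch level.
    case "$major.$minor" in
        6.12) fixed_at=75 ;;
        6.18) fixed_at=16 ;;
        6.19) fixed_at=6 ;;
        *) echo affected; return 0 ;;   # no fix listed for this branch
    esac
    if [ "$patch" -ge "$fixed_at" ]; then echo fixed; else echo affected; fi
}
```

Branches without a listed fix are reported as affected as of this announcement; the CVE record linked above is the place to check for later backports.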