CVE-2026-23163
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix null pointer dereference in amdgpu_gmc_filter_faults_remove

On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. See vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when AMD_IS_APU is set.

However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to get the timestamp of the last interrupt entry. When retry faults are enabled on APUs (noretry=0), this function is called from the SVM page fault recovery path, resulting in a null pointer dereference when amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].

The crash manifests as:

  BUG: kernel null pointer dereference, address: 0000000000000004
  RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
  Call Trace:
   amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
   svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
   amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
   gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
   amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
   amdgpu_ih_process+0x84/0x100 [amdgpu]

This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HWIP 9.3.0 from noretry=1") which changed the default for Renoir APU from noretry=1 to noretry=0, enabling retry fault handling and thus exercising the buggy code path.

Fix this by adding a check for ih1.ring_size before attempting to use it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu: Rework retry fault removal"). This is needed if the hardware doesn't support secondary HW IH rings.

v2: additional updates (Alex)

(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
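The guard the description calls for (check ih1.ring_size, fall back to the soft IH ring, otherwise do nothing), shown as an added user-space model that is not the kernel patch or amdgpu code. The struct and function names, the enabled flag, and the timestamp layout in dwords 1 and 2 of an entry are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model; all names here are hypothetical. */
struct ih_ring {
    uint32_t *ring;      /* NULL when the ring was never initialized */
    unsigned ring_size;  /* bytes; 0 when the ring was never initialized */
    bool enabled;        /* only meaningful for the software ring here */
    unsigned last_entry; /* dword index of the last processed entry */
};

struct irq_state {
    struct ih_ring ih1;     /* secondary HW ring, not set up on APUs */
    struct ih_ring ih_soft; /* software ring used as the fallback */
};

/* Assumed entry layout: 48-bit timestamp held in dwords 1 and 2.
 * Calling this with ring == NULL is the unguarded dereference. */
static uint64_t decode_ts(const struct ih_ring *ih, unsigned idx)
{
    uint64_t lo = ih->ring[idx + 1];
    uint64_t hi = ih->ring[idx + 2] & 0xffff;
    return lo | (hi << 32);
}

/* Guarded selection: never hand back a ring without a backing buffer. */
static const struct ih_ring *select_ts_ring(const struct irq_state *irq)
{
    if (irq->ih1.ring_size)
        return &irq->ih1;
    if (irq->ih_soft.enabled && irq->ih_soft.ring_size)
        return &irq->ih_soft;
    return NULL;
}

/* Returns false, leaving *ts untouched, when no usable ring exists. */
static bool last_interrupt_ts(const struct irq_state *irq, uint64_t *ts)
{
    const struct ih_ring *ih = select_ts_ring(irq);

    if (!ih)
        return false;
    *ts = decode_ts(ih, ih->last_entry);
    return true;
}
```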
Risk Information
Associated Vulnerability
No records found
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234