CVE-2026-23163 (GCVE-0-2026-23163)

Vulnerability from cvelistv5 – Published: 2026-02-14 16:01 – Updated: 2026-02-14 16:01
VLAI?
Title
drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and ih2 interrupt ring buffers are not initialized. This is by design, as these secondary IH rings are only available on discrete GPUs. See vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when AMD_IS_APU is set. However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to get the timestamp of the last interrupt entry. When retry faults are enabled on APUs (noretry=0), this function is called from the SVM page fault recovery path, resulting in a NULL pointer dereference when amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[]. The crash manifests as: BUG: kernel NULL pointer dereference, address: 0000000000000004 RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu] Call Trace: amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu] svm_range_restore_pages+0xae5/0x11c0 [amdgpu] amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu] gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu] amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu] amdgpu_ih_process+0x84/0x100 [amdgpu] This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1") which changed the default for Renoir APU from noretry=1 to noretry=0, enabling retry fault handling and thus exercising the buggy code path. Fix this by adding a check for ih1.ring_size before attempting to use it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu: Rework retry fault removal"). This is needed if the hardware doesn't support secondary HW IH rings. v2: additional updates (Alex) (cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < c74e2dbb5316898fb2113a8ea3a93b27698dbf68 (git)
Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < 7611d7faccc1218be477671f892a89b25c0cb352 (git)
Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < ac251d17d8af58ddc3daba65eaf0a99e63dc4284 (git)
Affected: dd299441654fd8209056c7985ddf2373ebaba6ed , < 8b1ecc9377bc641533cd9e76dfa3aee3cd04a007 (git)
Create a notification for this product.
    Linux Linux Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.123 , ≤ 6.6.* (semver)
Unaffected: 6.12.69 , ≤ 6.12.* (semver)
Unaffected: 6.18.9 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c74e2dbb5316898fb2113a8ea3a93b27698dbf68",
              "status": "affected",
              "version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
              "versionType": "git"
            },
            {
              "lessThan": "7611d7faccc1218be477671f892a89b25c0cb352",
              "status": "affected",
              "version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
              "versionType": "git"
            },
            {
              "lessThan": "ac251d17d8af58ddc3daba65eaf0a99e63dc4284",
              "status": "affected",
              "version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
              "versionType": "git"
            },
            {
              "lessThan": "8b1ecc9377bc641533cd9e76dfa3aee3cd04a007",
              "status": "affected",
              "version": "dd299441654fd8209056c7985ddf2373ebaba6ed",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_gmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.69",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.123",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.69",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove\n\nOn APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and\nih2 interrupt ring buffers are not initialized. This is by design, as\nthese secondary IH rings are only available on discrete GPUs. See\nvega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when\nAMD_IS_APU is set.\n\nHowever, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to\nget the timestamp of the last interrupt entry. When retry faults are\nenabled on APUs (noretry=0), this function is called from the SVM page\nfault recovery path, resulting in a NULL pointer dereference when\namdgpu_ih_decode_iv_ts_helper() attempts to access ih-\u003ering[].\n\nThe crash manifests as:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000004\n  RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]\n  Call Trace:\n   amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]\n   svm_range_restore_pages+0xae5/0x11c0 [amdgpu]\n   amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]\n   gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]\n   amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]\n   amdgpu_ih_process+0x84/0x100 [amdgpu]\n\nThis issue was exposed by commit 1446226d32a4 (\"drm/amdgpu: Remove GC HW\nIP 9.3.0 from noretry=1\") which changed the default for Renoir APU from\nnoretry=1 to noretry=0, enabling retry fault handling and thus\nexercising the buggy code path.\n\nFix this by adding a check for ih1.ring_size before attempting to use\nit. Also restore the soft_ih support from commit dd299441654f (\"drm/amdgpu:\nRework retry fault removal\").  This is needed if the hardware doesn\u0027t\nsupport secondary HW IH rings.\n\nv2: additional updates (Alex)\n\n(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-14T16:01:27.912Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c74e2dbb5316898fb2113a8ea3a93b27698dbf68"
        },
        {
          "url": "https://git.kernel.org/stable/c/7611d7faccc1218be477671f892a89b25c0cb352"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac251d17d8af58ddc3daba65eaf0a99e63dc4284"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b1ecc9377bc641533cd9e76dfa3aee3cd04a007"
        }
      ],
      "title": "drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23163",
    "datePublished": "2026-02-14T16:01:27.912Z",
    "dateReserved": "2026-01-13T15:37:45.980Z",
    "dateUpdated": "2026-02-14T16:01:27.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23163\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-14T16:15:56.483\",\"lastModified\":\"2026-02-14T16:15:56.483\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove\\n\\nOn APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and\\nih2 interrupt ring buffers are not initialized. This is by design, as\\nthese secondary IH rings are only available on discrete GPUs. See\\nvega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when\\nAMD_IS_APU is set.\\n\\nHowever, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to\\nget the timestamp of the last interrupt entry. When retry faults are\\nenabled on APUs (noretry=0), this function is called from the SVM page\\nfault recovery path, resulting in a NULL pointer dereference when\\namdgpu_ih_decode_iv_ts_helper() attempts to access ih-\u003ering[].\\n\\nThe crash manifests as:\\n\\n  BUG: kernel NULL pointer dereference, address: 0000000000000004\\n  RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]\\n  Call Trace:\\n   amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]\\n   svm_range_restore_pages+0xae5/0x11c0 [amdgpu]\\n   amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]\\n   gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]\\n   amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]\\n   amdgpu_ih_process+0x84/0x100 [amdgpu]\\n\\nThis issue was exposed by commit 1446226d32a4 (\\\"drm/amdgpu: Remove GC HW\\nIP 9.3.0 from noretry=1\\\") which changed the default for Renoir APU from\\nnoretry=1 to noretry=0, enabling retry fault handling and thus\\nexercising the buggy code path.\\n\\nFix this by adding a check for ih1.ring_size before attempting to use\\nit. Also restore the soft_ih support from commit dd299441654f (\\\"drm/amdgpu:\\nRework retry fault removal\\\").  This is needed if the hardware doesn\u0027t\\nsupport secondary HW IH rings.\\n\\nv2: additional updates (Alex)\\n\\n(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7611d7faccc1218be477671f892a89b25c0cb352\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8b1ecc9377bc641533cd9e76dfa3aee3cd04a007\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ac251d17d8af58ddc3daba65eaf0a99e63dc4284\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c74e2dbb5316898fb2113a8ea3a93b27698dbf68\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.