drm/amdgpu: fix zero-size GDS range init on RDNA4
Summary
| CVE | CVE-2026-46276 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-08 17:16:45 UTC |
| Updated | 2026-07-08 14:55:24 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix zero-size GDS range init on RDNA4 RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory resources. The gfx_v12_0 initialisation code correctly leaves adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at zero to reflect this. amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for each of these resources regardless of size. When the size is zero, amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(), which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT. Guard against this by returning 0 early from amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM resource manager registration for hardware resources that are absent, without affecting any other GPU type. DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in the kernel config. This is apparently rarely enabled as these chips have been in the market for over a year and this issue was only reported now. Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html (cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d) |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001230000 probability, percentile 0.024080000 (date 2026-07-09)
Problem Types: NVD-CWE-noinfo
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d 1f5d33e7b0a9a2a140f46e22fb52eede323c5946 git | Not specified |
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d 9bc925759c05feae7dfa9570e77131d54729c8ea git | Not specified |
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d 36f9602fb22ede69fcc8b422be0cf8105bf655ad git | Not specified |
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d be0376affcafa0bbb371bb501579a825eae32281 git | Not specified |
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d 0e21db1a77967bc15df662efdca8ea8a61d124ea git | Not specified |
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d 30c000a49094ec568c9b51b7421f7a4a3f0b0298 git | Not specified |
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d 3e26c76891ab99fa173e9c501119fbb5c9f4600f git | Not specified |
| CNA | Linux | Linux | affected c832c346cdf9022872655be621880e0f66f4135d 095a8b0ad3c3b5cdc3850d961adb8a8f735220bb git | Not specified |
| CNA | Linux | Linux | affected 4.20 | Not specified |
| CNA | Linux | Linux | unaffected 4.20 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.86 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.27 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.4 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/9bc925759c05feae7dfa9570e77131d54729c8ea | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/0e21db1a77967bc15df662efdca8ea8a61d124ea | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/1f5d33e7b0a9a2a140f46e22fb52eede323c5946 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/be0376affcafa0bbb371bb501579a825eae32281 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/30c000a49094ec568c9b51b7421f7a4a3f0b0298 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/36f9602fb22ede69fcc8b422be0cf8105bf655ad | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/095a8b0ad3c3b5cdc3850d961adb8a8f735220bb | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3e26c76891ab99fa173e9c501119fbb5c9f4600f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.