drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
Summary
| CVE | CVE-2026-53143 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-25 09:16:31 UTC |
| Updated | 2026-06-25 09:16:31 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11. The v11 MQD manager incorrectly assigned the CP-compute variants of `checkpoint_mqd`/`restore_mqd` for `KFD_MQD_TYPE_SDMA` queues. These functions use `sizeof(struct v11_compute_mqd)` (2048 bytes) instead of `sizeof(struct v11_sdma_mqd)` (512 bytes), causing a 1536-byte overflow. During CRIU checkpoint of an SDMA queue on Navi3x, `checkpoint_mqd()` reads 2048 bytes from a 512-byte SDMA MQD buffer, leaking 1536 bytes of adjacent GTT memory to userspace. During CRIU restore, `restore_mqd()` writes 2048 bytes into a 512-byte SDMA MQD buffer, corrupting 1536 bytes of adjacent GTT memory (often the ring buffer or neighboring MQDs). This is a copy-paste regression unique to v11. All other ASIC backends (cik, vi, v9, v10, v12) correctly use the SDMA-specific variants. Add `checkpoint_mqd_sdma()` and `restore_mqd_sdma()` functions that properly handle the smaller `v11_sdma_mqd` structure, matching the pattern used in other MQD managers. (cherry picked from commit 6fa41db7ffdec97d62433adf03b7b9b759af8c2c) |
Risk And Classification
EPSS: probability 0.001850000, percentile 0.082810000 (as of 2026-06-25)
Vendor Declared Affected Products
| Source | Vendor | Product | Status and version range | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected: from cc009e613de6560eb499f8bc92c80a737752cb30 before 16dad1fb0d783a4008de30e32d0038c393de05b1 (git) | Not specified |
| CNA | Linux | Linux | affected: from cc009e613de6560eb499f8bc92c80a737752cb30 before 2c5b66c9b4057b385566940935ebc32f6e6ebfd2 (git) | Not specified |
| CNA | Linux | Linux | affected: from cc009e613de6560eb499f8bc92c80a737752cb30 before d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64 (git) | Not specified |
| CNA | Linux | Linux | affected: from cc009e613de6560eb499f8bc92c80a737752cb30 before d02f05d30f35b036f7cbaf72de634affb5b38ec6 (git) | Not specified |
| CNA | Linux | Linux | affected: from cc009e613de6560eb499f8bc92c80a737752cb30 before 352ea59028ea48a6fff77f19ae28f98f71946a80 (git) | Not specified |
| CNA | Linux | Linux | affected: 5.19 | Not specified |
| CNA | Linux | Linux | unaffected: 5.19 (semver) | Not specified |
| CNA | Linux | Linux | unaffected: from 6.6.143 through 6.6.* (semver) | Not specified |
| CNA | Linux | Linux | unaffected: from 6.12.94 through 6.12.* (semver) | Not specified |
| CNA | Linux | Linux | unaffected: from 6.18.36 through 6.18.* (semver) | Not specified |
| CNA | Linux | Linux | unaffected: from 7.0.13 through 7.0.* (semver) | Not specified |
| CNA | Linux | Linux | unaffected: from 7.1 onward (*, original_commit_for_fix) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/2c5b66c9b4057b385566940935ebc32f6e6ebfd2 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/352ea59028ea48a6fff77f19ae28f98f71946a80 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/16dad1fb0d783a4008de30e32d0038c393de05b1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d02f05d30f35b036f7cbaf72de634affb5b38ec6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.