VYPR
← All advisories
Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026

CVE-2026-45976

CVE-2026-45976

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

When amdgpu_nbio_ras_sw_init() fails in amdgpu_ras_init(), the function returns directly without freeing the allocated con structure, leading to a memory leak.

Fix this by jumping to the release_con label to properly clean up the allocated memory before returning the error code.

Compile tested only. Issue found using a prototype static analysis tool and code review.

Affected products

1

Patches

10
ee41e5b63c82

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanJan 29, 2026Fixed in 7.0via kernel-cna
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index f582113d78b74c..b28fcf932f7ea2 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -4352,7 +4352,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
f8a5426652bd

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanJan 29, 2026Fixed in 6.6.128via kernel-cna
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index 7cba98f8bbdca8..4214bbd7a1a236 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -2673,7 +2673,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
c11cd77a1811

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanJan 29, 2026Fixed in 6.12.75via kernel-cna
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index d9cdc89d4cde18..bf563904b3fa90 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -3643,7 +3643,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
2fef8c2ac67e

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanJan 29, 2026Fixed in 6.18.14via kernel-cna
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index e0ee211508607e..3fd19859055a57 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -4137,7 +4137,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
3f43e7812b30

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanJan 29, 2026Fixed in 6.19.4via kernel-cna
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index 2a6cf7963dde22..8de9f68f7bea66 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -4343,7 +4343,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
c11cd77a1811

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitZilin GuanJan 29, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index d9cdc89d4cde18..bf563904b3fa90 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -3643,7 +3643,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
f8a5426652bd

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitZilin GuanJan 29, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index 7cba98f8bbdca8..4214bbd7a1a236 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -2673,7 +2673,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
3f43e7812b30

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitZilin GuanJan 29, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index 2a6cf7963dde22..8de9f68f7bea66 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -4343,7 +4343,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
2fef8c2ac67e

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitZilin GuanJan 29, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index e0ee211508607e..3fd19859055a57 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -4137,7 +4137,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg
ee41e5b63c82

drm/amdgpu: Fix memory leak in amdgpu_ras_init()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitZilin GuanJan 29, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c+1 2 modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
index f582113d78b74c..b28fcf932f7ea2 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c
@@ -4352,7 +4352,7 @@ int amdgpu_ras_init(struct amdgpu_device *adev)
 	 * to handle fatal error */
 	r = amdgpu_nbio_ras_sw_init(adev);
 	if (r)
-		return r;
+		goto release_con;
 
 	if (adev->nbio.ras &&
 	    adev->nbio.ras->init_ras_controller_interrupt) {
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Missing error-path cleanup: when amdgpu_nbio_ras_sw_init() fails, the function returns directly without freeing the previously allocated 'con' structure, causing a memory leak."

Attack vector

An attacker does not directly trigger this bug; it is a driver-internal memory leak that occurs during GPU initialization when the amdgpu_nbio_ras_sw_init() call fails. The failure path in amdgpu_ras_init() (in drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c) returns the error code without freeing the 'con' structure that was allocated earlier in the function [patch_id=2660801]. No special network or user input is required — the leak manifests during normal kernel module loading if the NBIO RAS software initialization returns an error.

Affected code

The vulnerable code is in the amdgpu_ras_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c. The error path after the call to amdgpu_nbio_ras_sw_init() (around line 4352 in the patched version) returned the error code directly instead of jumping to the release_con cleanup label [patch_id=2660801].

What the fix does

The patch changes the error return on line 4352 from "return r" to "goto release_con" [patch_id=2660801]. The release_con label already exists in the function and properly frees the 'con' structure before returning. This ensures that when amdgpu_nbio_ras_sw_init() fails, the allocated memory is cleaned up instead of being leaked. The fix is minimal — a single-line change that redirects the error path to the existing cleanup code.

Preconditions

  • configThe amdgpu kernel module must be loaded on a system where amdgpu_nbio_ras_sw_init() returns a non-zero error code during initialization.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.