CVE-2026-45979
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: clean up the amdgpu_cs_parser_bos
In low memory conditions, kmalloc can fail. In such conditions unlock the mutex for a clean exit.
We do not need to amdgpu_bo_list_put as it's been handled in the amdgpu_cs_parser_fini.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference in AMDGPU DRM driver when kmalloc fails during buffer object parsing can lead to a system crash.
Vulnerability
In the Linux kernel's AMDGPU Direct Rendering Manager (DRM) driver, the function amdgpu_cs_parser_bos fails to handle a memory allocation failure from kmalloc. Under low memory conditions, kmalloc can return NULL, and the code path does not properly release the acquired mutex or clean up resources, leading to a potential null-pointer dereference. The affected versions are all kernels containing the vulnerable code; the fix is applied in the stable tree [1].
Exploitation
An attacker must have the ability to trigger a command submission (CS) on an AMDGPU device, which typically requires local user access and the ability to interact with the DRM subsystem. By exhausting system memory (e.g., via memory pressure or controlled allocation), the attacker can cause kmalloc to fail. The subsequent operations on the NULL pointer can trigger a kernel crash or potentially be leveraged for denial of service. No authentication or special privilege beyond local user access is required for the CS ioctl.
Impact
Successful exploitation leads to a denial of service (system crash) due to an invalid memory access. The vulnerability does not allow for privilege escalation or arbitrary code execution based on the available references. The crash can be triggered repeatedly, making the system unavailable.
Mitigation
The fix is included in the Linux kernel stable tree via commit f025a2b8d93358467b8e8f4b3a617e88c5f02fab [1]. Users should update to a kernel version containing this commit. No workaround is documented. The vulnerability is not listed in the KEV catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
f025a2b8d933 drm/amdgpu: clean up the amdgpu_cs_parser_bos
1 file changed · +4 −3
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c+4 −3 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index d591dce0f3b3c7..f3b5bcdbf2ae6b 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -892,8 +892,10 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, struct amdgpu_bo *bo = e->bo; e->range = amdgpu_hmm_range_alloc(NULL); - if (unlikely(!e->range)) - return -ENOMEM; + if (unlikely(!e->range)) { + r = -ENOMEM; + goto out_free_user_pages; + } r = amdgpu_ttm_tt_get_user_pages(bo, e->range); if (r) -- cgit 1.3-korg
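Review bot: the target of the new `goto out_free_user_pages` lies outside the shown context, so these lines alone do not let a reviewer confirm that the label releases the mutex the commit message says must be unlocked on this path; extending the hunk context to include the `out_free_user_pages:` block, or stating in the description what that label unwinds, would make the fix verifiable in review. The existing local `r` is reused for the error code, which is consistent with the `r = amdgpu_ttm_tt_get_user_pages(bo, e->range);` / `if (r)` lines that follow.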
0905a1d4a550 drm/amdgpu: clean up the amdgpu_cs_parser_bos
1 file changed · +4 −3
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c+4 −3 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index ecdfe6cb36ccdc..dac0b15823f2a6 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -892,8 +892,10 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p, struct amdgpu_bo *bo = e->bo; e->range = amdgpu_hmm_range_alloc(NULL); - if (unlikely(!e->range)) - return -ENOMEM; + if (unlikely(!e->range)) { + r = -ENOMEM; + goto out_free_user_pages; + } r = amdgpu_ttm_tt_get_user_pages(bo, e->range); if (r) -- cgit 1.3-korg
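Review bot: this is the same hunk as commit f025a2b8d933 applied against a different base blob (index ecdfe6cb36ccdc..dac0b15823f2a6), i.e. a backport; the same review point applies, and for a backport it matters more: the `out_free_user_pages` label is not in the shown context, so the target tree should be checked to confirm the label exists there and ends with the mutex unlock before this change is merged.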
Vulnerability mechanics
Root cause
"Missing error-path cleanup in amdgpu_cs_parser_bos causes a mutex leak when kmalloc fails in amdgpu_hmm_range_alloc."
Attack vector
An attacker who can submit command submissions to the AMDGPU DRM driver can trigger this bug by inducing low memory conditions on the system, causing `kmalloc` inside `amdgpu_hmm_range_alloc` to fail. When the allocation fails, the function returns `-ENOMEM` directly without unlocking the mutex held by `amdgpu_cs_parser_bos`, leaving the mutex permanently locked. This blocks all future GPU command submissions from any process, resulting in a denial of service. No special privileges beyond access to the DRM device are required.
Affected code
The vulnerability is in the `amdgpu_cs_parser_bos` function within `drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c` [patch_id=2660768]. When `amdgpu_hmm_range_alloc(NULL)` returns NULL due to a kmalloc failure under low memory, the original code immediately returned `-ENOMEM` without releasing the mutex or cleaning up previously allocated resources.
What the fix does
The patch changes the error path from a direct `return -ENOMEM` to setting `r = -ENOMEM` and jumping to the `out_free_user_pages` label [patch_id=2660768]. This ensures the mutex is unlocked and any previously allocated resources are properly cleaned up before returning. The commit message also notes that `amdgpu_bo_list_put` is not needed here because it is already handled by `amdgpu_cs_parser_fini`.
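To make the shape of the fix concrete, the following is an added userspace model of the before and after error paths; it is not kernel code and not from the amdgpu project. The mutex is modelled by a counter, the allocator by a fault-injecting stub, and the names parse_bos_leaky, parse_bos_fixed, fake_range_alloc, run_with_failure and the struct fields are all constructed for this illustration.

```c
/* Added example, not kernel code: a userspace model of the error-path change
 * in amdgpu_cs_parser_bos. The mutex is modelled by a counter and the
 * allocator by a fault-injecting stub; every name here is constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NENTRIES 4

struct range { int pages; };            /* stand-in for the HMM range object */

struct parser {
    int lock_held;                      /* 0 = free; models the mutex held by the parser */
    struct range *ranges[NENTRIES];
};

/* Fault injection: the allocation numbered fail_at (0-based) returns NULL. */
static int fail_at = -1, alloc_calls;

static struct range *fake_range_alloc(void)
{
    if (alloc_calls++ == fail_at)
        return NULL;
    return calloc(1, sizeof(struct range));
}

static void free_ranges(struct parser *p)
{
    for (int i = 0; i < NENTRIES; i++) {
        free(p->ranges[i]);             /* free(NULL) is a no-op, so partial state is fine */
        p->ranges[i] = NULL;
    }
}

/* Before the patch: returning straight out of the loop skips the unlock and
 * leaves the ranges allocated on earlier iterations in place. */
static int parse_bos_leaky(struct parser *p)
{
    p->lock_held++;
    for (int i = 0; i < NENTRIES; i++) {
        p->ranges[i] = fake_range_alloc();
        if (!p->ranges[i])
            return -ENOMEM;             /* bug: lock_held stays 1, ranges[0..i-1] leak */
    }
    free_ranges(p);
    p->lock_held--;
    return 0;
}

/* After the patch: record the error and jump to one exit label that undoes
 * everything, so success and failure share the same unwind. */
static int parse_bos_fixed(struct parser *p)
{
    int r = 0;

    p->lock_held++;
    for (int i = 0; i < NENTRIES; i++) {
        p->ranges[i] = fake_range_alloc();
        if (!p->ranges[i]) {
            r = -ENOMEM;
            goto out_free_user_pages;
        }
    }
out_free_user_pages:
    free_ranges(p);
    p->lock_held--;
    return r;
}

struct outcome { int rc; int lock_leaked; };

/* Run one variant with the third allocation failing and report what it left behind. */
static struct outcome run_with_failure(int (*variant)(struct parser *))
{
    struct parser p;
    struct outcome o;

    memset(&p, 0, sizeof(p));
    alloc_calls = 0;
    fail_at = 2;
    o.rc = variant(&p);
    o.lock_leaked = (p.lock_held != 0);
    free_ranges(&p);                    /* reclaim what the leaky variant left behind */
    fail_at = -1;
    return o;
}

int main(void)
{
    struct outcome a = run_with_failure(parse_bos_leaky);
    struct outcome b = run_with_failure(parse_bos_fixed);

    printf("leaky: rc=%d lock leaked=%d\n", a.rc, a.lock_leaked);
    printf("fixed: rc=%d lock leaked=%d\n", b.rc, b.lock_leaked);
    return 0;
}
```

Both variants return -ENOMEM when the injected allocation fails; the difference is what they leave behind. The leaky variant exits with the lock counter still at 1 and two ranges unreleased, which is the state the commit message describes as needing a clean exit, while the fixed variant reaches the single cleanup label and leaves the lock free. The same single-exit pattern is what makes a later reviewer able to check every failure path in one place.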
Preconditions
- auth: The attacker must be able to submit command submissions to the AMDGPU DRM device (requires access to /dev/dri/card* or similar)
- input: The system must be under low memory conditions such that kmalloc inside amdgpu_hmm_range_alloc fails
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.