VYPR
Unrated severity · NVD Advisory · Published May 28, 2026

CVE-2026-46220

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread.

Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace.

The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it.

(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A misaligned fence address in AMDGPU SDMA4 ring emission can be triggered from userspace via crafted CS IOCTL, causing kernel panic; fixed by replacing BUG_ON with WARN_ON.

Vulnerability

In the Linux kernel's drm/amdgpu/sdma4 driver, the function sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread. The vulnerability affects kernel versions prior to the commit that replaces the BUG_ON calls with WARN_ON [1].

Exploitation

An unprivileged user can submit a crafted command submission (CS) IOCTL with a misaligned fence address. This triggers the BUG_ON assertions in the ring emission callback, leading to a kernel panic. No special privileges or user interaction beyond the ability to submit DRM IOCTLs are required.

Impact

Successful exploitation results in a denial of service (kernel panic) from userspace. The attacker gains no code execution or data access, but can crash the system.

Mitigation

The fix replaces both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. The commit b90250bd933a (cherry-picked) addresses this [1]. Users should apply the kernel patch or update to a version containing this fix. No workaround is mentioned; the CS IOCTL path is the correct place to filter invalid submissions.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

11
d331fb241a46

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · "John B. Moore" · Apr 27, 2026 · Fixed in 6.12.90 · via kernel-cna
1 file changed · +2 -3
  • drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c · +2 -3 · modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    index 23ef4eb36b407a..37bb0857d8f888 100644
    --- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    @@ -890,7 +890,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     	/* write the fence */
     	amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     	/* zero in first two bits */
    -	BUG_ON(addr & 0x3);
    +	WARN_ON(addr & 0x3);
     	amdgpu_ring_write(ring, lower_32_bits(addr));
     	amdgpu_ring_write(ring, upper_32_bits(addr));
     	amdgpu_ring_write(ring, lower_32_bits(seq));
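
Review bot: After the new `WARN_ON(addr & 0x3)` the next two context lines still write `lower_32_bits(addr)` and `upper_32_bits(addr)` into the ring unchanged, so a misaligned address is now emitted in the fence packet even though the comment above says the first two bits must be zero. Consider stating here that alignment is guaranteed by the submission path, or making the emitted value well-formed, so the packet is never built from an address the comment itself calls invalid.
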
    @@ -900,7 +900,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     		addr += 4;
     		amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     		/* zero in first two bits */
    -		BUG_ON(addr & 0x3);
    +		WARN_ON(addr & 0x3);
     		amdgpu_ring_write(ring, lower_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(seq));
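
Review bot: The second `WARN_ON(addr & 0x3)` follows `addr += 4`, which leaves the low two bits unchanged, so (assuming nothing else modifies `addr` between the two hunks) it can only fire when the first check already did, and one bad submission then produces two backtraces. Dropping the second check, or folding both into a single check at the top of the function, would keep the log signal without the duplicate.
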
    -- 
    cgit 1.3-korg
    
    
    
4f7ca00fa91d

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · "John B. Moore" · Apr 27, 2026 · Fixed in 6.6.140 · via kernel-cna
1 file changed · +2 -3
  • drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c · +2 -3 · modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    index 0ba9a3d3312f5a..6a26428572ec44 100644
    --- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    @@ -841,7 +841,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     	/* write the fence */
     	amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     	/* zero in first two bits */
    -	BUG_ON(addr & 0x3);
    +	WARN_ON(addr & 0x3);
     	amdgpu_ring_write(ring, lower_32_bits(addr));
     	amdgpu_ring_write(ring, upper_32_bits(addr));
     	amdgpu_ring_write(ring, lower_32_bits(seq));
    @@ -851,7 +851,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     		addr += 4;
     		amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     		/* zero in first two bits */
    -		BUG_ON(addr & 0x3);
    +		WARN_ON(addr & 0x3);
     		amdgpu_ring_write(ring, lower_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(seq));
    -- 
    cgit 1.3-korg
    
    
    
78d2e624fa07

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · "John B. Moore" · Apr 27, 2026 · Fixed in 7.1-rc3 · via kernel-cna
1 file changed · +2 -3
  • drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c · +2 -3 · modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    index 44f0f23e114843..e64f2f6df9a9e2 100644
    --- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    @@ -889,7 +889,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     	/* write the fence */
     	amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     	/* zero in first two bits */
    -	BUG_ON(addr & 0x3);
    +	WARN_ON(addr & 0x3);
     	amdgpu_ring_write(ring, lower_32_bits(addr));
     	amdgpu_ring_write(ring, upper_32_bits(addr));
     	amdgpu_ring_write(ring, lower_32_bits(seq));
    @@ -899,7 +899,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     		addr += 4;
     		amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     		/* zero in first two bits */
    -		BUG_ON(addr & 0x3);
    +		WARN_ON(addr & 0x3);
     		amdgpu_ring_write(ring, lower_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(seq));
    -- 
    cgit 1.3-korg
    
    
    
0b91ea46bb68

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · "John B. Moore" · Apr 27, 2026 · Fixed in 6.18.32 · via kernel-cna
1 file changed · +2 -3
  • drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c · +2 -3 · modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    index f38004e6064e5c..4d0dc58c904584 100644
    --- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    @@ -890,7 +890,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     	/* write the fence */
     	amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     	/* zero in first two bits */
    -	BUG_ON(addr & 0x3);
    +	WARN_ON(addr & 0x3);
     	amdgpu_ring_write(ring, lower_32_bits(addr));
     	amdgpu_ring_write(ring, upper_32_bits(addr));
     	amdgpu_ring_write(ring, lower_32_bits(seq));
    @@ -900,7 +900,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     		addr += 4;
     		amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     		/* zero in first two bits */
    -		BUG_ON(addr & 0x3);
    +		WARN_ON(addr & 0x3);
     		amdgpu_ring_write(ring, lower_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(seq));
    -- 
    cgit 1.3-korg
    
    
    
a4fd82fb0757

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · "John B. Moore" · Apr 27, 2026 · Fixed in 7.0.9 · via kernel-cna
1 file changed · +2 -3
  • drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c · +2 -3 · modified
    diff --git a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    index f38004e6064e5c..4d0dc58c904584 100644
    --- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    +++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
    @@ -890,7 +890,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     	/* write the fence */
     	amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     	/* zero in first two bits */
    -	BUG_ON(addr & 0x3);
    +	WARN_ON(addr & 0x3);
     	amdgpu_ring_write(ring, lower_32_bits(addr));
     	amdgpu_ring_write(ring, upper_32_bits(addr));
     	amdgpu_ring_write(ring, lower_32_bits(seq));
    @@ -900,7 +900,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     		addr += 4;
     		amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     		/* zero in first two bits */
    -		BUG_ON(addr & 0x3);
    +		WARN_ON(addr & 0x3);
     		amdgpu_ring_write(ring, lower_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(seq));
    -- 
    cgit 1.3-korg
    
    
    
b90250bd933a

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

https://github.com/torvalds/linux · John B. Moore · Apr 27, 2026 · via text-mined
1 file changed · +2 -2
  • drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c · +2 -2 · modified
    @@ -889,7 +889,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     	/* write the fence */
     	amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     	/* zero in first two bits */
    -	BUG_ON(addr & 0x3);
    +	WARN_ON(addr & 0x3);
     	amdgpu_ring_write(ring, lower_32_bits(addr));
     	amdgpu_ring_write(ring, upper_32_bits(addr));
     	amdgpu_ring_write(ring, lower_32_bits(seq));
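
Review bot: `WARN_ON(addr & 0x3)` sits on a path the commit message describes as reachable from unprivileged userspace, so it prints a full backtrace on every hit and still panics on systems booted with `panic_on_warn`. `WARN_ON_ONCE(addr & 0x3)` would bound the log volume; the `panic_on_warn` case is only closed by rejecting the submission before it reaches this function.
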
    @@ -899,7 +899,7 @@ static void sdma_v4_0_ring_emit_fence(struct amdgpu_ring *ring, u64 addr, u64 se
     		addr += 4;
     		amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
     		/* zero in first two bits */
    -		BUG_ON(addr & 0x3);
    +		WARN_ON(addr & 0x3);
     		amdgpu_ring_write(ring, lower_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(addr));
     		amdgpu_ring_write(ring, upper_32_bits(seq));
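
Review bot: Both hunks touch only the assertions in `sdma_v4_0_ring_emit_fence()`, a `static void` callback that cannot return an error, and the diffstat shows no other file changed, so the validation the commit message says belongs in the CS IOCTL path is not part of this patch. A follow-up that rejects a misaligned fence address at submission time would address the cause rather than the symptom.
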
    

Vulnerability mechanics

Root cause

"The function sdma_v4_0_ring_emit_fence() uses BUG_ON() assertions reachable from unprivileged userspace, allowing a crafted DRM_IOCTL_AMDGPU_CS submission to trigger a kernel panic."

Attack vector

An unprivileged local attacker can trigger a kernel panic by submitting a crafted `DRM_IOCTL_AMDGPU_CS` IOCTL that causes a misaligned fence writeback address to reach `sdma_v4_0_ring_emit_fence()`. The two `BUG_ON(addr & 0x3)` assertions in that function will fire on a non-dword-aligned address, immediately crashing the kernel in a scheduler worker thread. No special privileges are required beyond access to the AMDGPU DRM device. [patch_id=2899138]

Affected code

The vulnerability is in the function `sdma_v4_0_ring_emit_fence()` in `drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c`. Two `BUG_ON(addr & 0x3)` assertions that verify fence writeback addresses are dword-aligned can be reached from unprivileged userspace via crafted `DRM_IOCTL_AMDGPU_CS` submissions, causing a fatal kernel panic in a scheduler worker thread. [patch_id=2899138]

What the fix does

The patch replaces both `BUG_ON(addr & 0x3)` calls with `WARN_ON(addr & 0x3)` in `sdma_v4_0_ring_emit_fence()`. `BUG_ON()` triggers a fatal kernel panic when the condition is true, whereas `WARN_ON()` only logs a kernel warning and continues execution. This prevents an unprivileged userspace process from crashing the entire system via a crafted DRM IOCTL. The commit message notes that the CS IOCTL path is the correct place to filter invalid submissions, not the ring emission callback. [patch_id=2899138]
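
The commit message's point that the ring emission callback is too late to reject a submission, shown as an added userspace C model (not amdgpu code and not taken from the patch). Every `model_*` name, the ring size and the opcode placeholder are assumptions made for illustration.

```c
/* Userspace model, added for illustration; not kernel or amdgpu code.
 * All model_* names and constants are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define FENCE_ALIGN_MASK 0x3ULL /* dword alignment: low two bits must be zero */
#define RING_DWORDS 16

struct model_ring {
    uint32_t buf[RING_DWORDS];
    unsigned int wptr;     /* next free dword */
    unsigned int warnings; /* stands in for WARN_ON-style logging */
};

static void model_ring_write(struct model_ring *r, uint32_t v)
{
    if (r->wptr < RING_DWORDS)
        r->buf[r->wptr++] = v;
}

/* Emission callback: returns void, like the function in the patch, so it has
 * no way to fail the job. It can only record the anomaly and carry on. */
static void model_emit_fence(struct model_ring *r, uint64_t addr, uint64_t seq)
{
    if (addr & FENCE_ALIGN_MASK)
        r->warnings++;
    model_ring_write(r, 0x5u); /* placeholder for the fence packet header */
    model_ring_write(r, (uint32_t)addr);
    model_ring_write(r, (uint32_t)(addr >> 32));
    model_ring_write(r, (uint32_t)seq);
}

/* Submission boundary: the caller-controlled address is checked here, where
 * an error code can still be returned and nothing has been queued yet. */
static int model_submit(struct model_ring *r, uint64_t addr, uint64_t seq)
{
    if (addr & FENCE_ALIGN_MASK)
        return -EINVAL;
    model_emit_fence(r, addr, seq);
    return 0;
}

int main(void)
{
    struct model_ring r = {0};

    /* constructed sample addresses */
    printf("aligned:    %d\n", model_submit(&r, 0x1000, 1));
    printf("misaligned: %d\n", model_submit(&r, 0x1002, 2));
    printf("dwords written: %u, warnings: %u\n", r.wptr, r.warnings);
    return 0;
}
```

In the model, the rejected submission leaves the ring untouched, while calling the emission function directly with the same address still writes the packet and only bumps the warning counter.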

Preconditions

  • auth: The attacker must have access to the AMDGPU DRM device (e.g., /dev/dri/card*) and be able to issue DRM_IOCTL_AMDGPU_CS IOCTLs.
  • input: The attacker must submit a crafted command submission that results in a misaligned (non-dword-aligned) fence writeback address.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
