CVE-2026-46276
Description
Linux kernel vulnerability in amdgpu driver causes kernel crashes on RDNA4 hardware during modprobe.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's drm/amdgpu driver contains a vulnerability that affects RDNA4 (GFX 12) hardware, such as the RX 9070 XT. RDNA4 hardware lacks GDS, GWS, and OA on-chip memory resources, and the initialization code correctly sets their sizes to zero. However, the amdgpu_ttm_init() function unconditionally calls amdgpu_ttm_init_on_chip() for these resources. When the size is zero, amdgpu_ttm_init_on_chip() calls ttm_range_man_init() which then calls drm_mm_init(mm, 0, 0). This triggers a DRM_MM_BUG_ON(start + size <= start) assertion, crashing the kernel during amdgpu module loading. This issue is only triggered if CONFIG_DRM_DEBUG_MM is enabled in the kernel configuration [1].
Exploitation
An attacker with the ability to load the amdgpu kernel module on a system with RDNA4 hardware and CONFIG_DRM_DEBUG_MM enabled can trigger this vulnerability. The exploitation requires the amdgpu module to be probed, which typically occurs during system boot or when a compatible graphics card is detected. The vulnerability is triggered automatically by the initialization code path when the module is loaded, without requiring specific user interaction beyond the initial module probe [1].
Impact
Successful exploitation of this vulnerability results in a kernel crash, leading to a denial of service. The system becomes unresponsive and requires a reboot. The crash occurs during the amdgpu module's initialization phase, specifically when setting up memory management resources for RDNA4 hardware. This prevents the graphics driver from loading correctly, rendering the affected hardware unusable until the system is rebooted and the vulnerability is mitigated [1].
Mitigation
A fix for this vulnerability has been implemented by returning early from amdgpu_ttm_init_on_chip() when the size of the on-chip resource is zero. This prevents the drm_mm_init() function from being called with zero size, thus avoiding the kernel crash. The fix is available in the Linux kernel via commit 5719ce5865279cad4fd5f01011fe037168503f2d and has been cherry-picked for stable branches [1]. Users should update their Linux kernel to a version containing this fix. No workarounds are available other than applying the patch or avoiding the use of RDNA4 hardware with affected kernel versions.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches
0e21db1a7796 drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index af729cd521edf..40dd04a4f7df9 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
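Review bot: the new `if (!size_in_page) return 0;` guard at the top of amdgpu_ttm_init_on_chip() carries no comment, so a reader of this function alone cannot tell that a zero size is an expected input rather than an error being swallowed. A one-line comment above the check, saying that a zero size means the on-chip resource is absent and no range manager is registered for `type`, would make that explicit.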
095a8b0ad3c3 drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 0dc68fb9d88e5..3d2e00efc7415 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
30c000a49094 drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 4183e5301cffc..d629c5f73bf59 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
36f9602fb22e drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 4133afde22b44..4e50b30880864 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -76,6 +76,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
1f5d33e7b0a9 drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 02fdee7820a92..0faa5ad26d611 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -71,6 +71,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
be0376affcaf drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index c56405b490509..96c98417c29de 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
3e26c76891ab drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index 0ccb31788b20b..95060217e3b02 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
9bc925759c05 drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −1
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −1 modifieddiff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c index c3bd765748771..7b3293b37144d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c @@ -71,6 +71,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); } -- cgit 1.3-korg
5719ce586527 drm/amdgpu: fix zero-size GDS range init on RDNA4
1 file changed · +3 −0
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c+3 −0 modified@@ -75,6 +75,9 @@ static int amdgpu_ttm_init_on_chip(struct amdgpu_device *adev, unsigned int type, uint64_t size_in_page) { + if (!size_in_page) + return 0; + return ttm_range_man_init(&adev->mman.bdev, type, false, size_in_page); }
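Review bot: returning 0 from the `!size_in_page` branch reports success to the caller although ttm_range_man_init() was never called for `type`, and nothing in this hunk shows how teardown or later lookups treat a type that was skipped. Confirm that the matching cleanup path for the same `type` tolerates a manager that was never initialised, or guard it on the same size, so the skip in init is not traded for a fault at unload.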
Vulnerability mechanics
Root cause
"The amdgpu_ttm_init_on_chip function incorrectly initializes TTM resource managers with a size of zero, leading to a kernel crash."
Attack vector
An attacker can trigger this vulnerability by loading the amdgpu kernel module on a system with RDNA4 (GFX 12) hardware. This hardware configuration results in zero-sized GDS, GWS, and OA resources. The subsequent initialization process calls `ttm_range_man_init` with a zero size, which then calls `drm_mm_init(mm, 0, 0)`. This triggers a `DRM_MM_BUG_ON` assertion, crashing the kernel.
Affected code
The vulnerability resides in the `amdgpu_ttm_init_on_chip` function within the `drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c` file [patch_id=5239438]. This function is responsible for initializing TTM resource managers for on-chip memory resources.
What the fix does
The patch adds a check at the beginning of the `amdgpu_ttm_init_on_chip` function to immediately return 0 if `size_in_page` is zero [patch_id=5239438]. This prevents the function from calling `ttm_range_man_init` with a zero size, thereby avoiding the `drm_mm_init(mm, 0, 0)` call and the subsequent kernel crash. This fix ensures that TTM resource manager registration is skipped for hardware resources that are absent, without affecting other GPU types.
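A userspace model of the call chain described above, added here as an illustration and not code from the kernel or from this page: it shows why a zero size trips the `start + size <= start` check and how the guard from the fix avoids it. All `model_*` names and the non-zero sizes are constructed; the real assertion halts the kernel rather than returning an error.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct model_mm { bool initialised; uint64_t start, size; }; /* model_* names are hypothetical */
static int bug_hits; /* times the modelled assertion would have fired */

/* Models DRM_MM_BUG_ON(start + size <= start); counted here, not fatal. */
static int model_mm_init(struct model_mm *mm, uint64_t start, uint64_t size)
{
    if (start + size <= start) { /* size == 0, or u64 wraparound */
        bug_hits++;
        return -1;
    }
    *mm = (struct model_mm){ true, start, size };
    return 0;
}

/* patched == true adds the guard from the fix: a zero size is skipped. */
static int model_init_on_chip(struct model_mm *mm, uint64_t size_in_page, bool patched)
{
    if (patched && !size_in_page)
        return 0;
    return model_mm_init(mm, 0, size_in_page);
}

/* Sets up GDS, GWS and OA in turn; returns how many managers were registered. */
static int model_ttm_init(const uint64_t sizes[3], bool patched, struct model_mm out[3])
{
    int registered = 0;
    for (int i = 0; i < 3; i++) {
        out[i] = (struct model_mm){0};
        model_init_on_chip(&out[i], sizes[i], patched);
        registered += out[i].initialised;
    }
    return registered;
}

int main(void)
{
    const uint64_t rdna4[3] = {0, 0, 0};   /* zero sizes, as the page describes */
    const uint64_t other[3] = {64, 1, 16}; /* constructed non-zero sizes */
    struct model_mm m[3];
    for (int patched = 0; patched <= 1; patched++) {
        bug_hits = 0;
        int a = model_ttm_init(rdna4, patched, m);
        int b = model_ttm_init(other, patched, m);
        printf("patched=%d zero-size:%d nonzero:%d assertions:%d\n", patched, a, b, bug_hits);
    }
}
```

With the guard in place the zero-size run registers no managers and fires no assertions, while non-zero sizes behave the same before and after.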
Preconditions
- config: The system must have RDNA4 (GFX 12) hardware.
- config: The kernel must be configured with CONFIG_DRM_DEBUG_MM enabled for the DRM_MM_BUG_ON assertion to trigger a crash.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/095a8b0ad3c3b5cdc3850d961adb8a8f735220bb (nvd)
- git.kernel.org/stable/c/0e21db1a77967bc15df662efdca8ea8a61d124ea (nvd)
- git.kernel.org/stable/c/1f5d33e7b0a9a2a140f46e22fb52eede323c5946 (nvd)
- git.kernel.org/stable/c/30c000a49094ec568c9b51b7421f7a4a3f0b0298 (nvd)
- git.kernel.org/stable/c/36f9602fb22ede69fcc8b422be0cf8105bf655ad (nvd)
- git.kernel.org/stable/c/3e26c76891ab99fa173e9c501119fbb5c9f4600f (nvd)
- git.kernel.org/stable/c/9bc925759c05feae7dfa9570e77131d54729c8ea (nvd)
- git.kernel.org/stable/c/be0376affcafa0bbb371bb501579a825eae32281 (nvd)