CVE-2026-23163
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 14/02/2026
Last modified: 18/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix NULL pointer dereference in amdgpu_gmc_filter_faults_remove

On APUs such as Raven and Renoir (GC 9.1.0, 9.2.2, 9.3.0), the ih1 and
ih2 interrupt ring buffers are not initialized. This is by design, as
these secondary IH rings are only available on discrete GPUs. See
vega10_ih_sw_init() which explicitly skips ih1/ih2 initialization when
AMD_IS_APU is set.

However, amdgpu_gmc_filter_faults_remove() unconditionally uses ih1 to
get the timestamp of the last interrupt entry. When retry faults are
enabled on APUs (noretry=0), this function is called from the SVM page
fault recovery path, resulting in a NULL pointer dereference when
amdgpu_ih_decode_iv_ts_helper() attempts to access ih->ring[].

The crash manifests as:

BUG: kernel NULL pointer dereference, address: 0000000000000004
RIP: 0010:amdgpu_ih_decode_iv_ts_helper+0x22/0x40 [amdgpu]
Call Trace:
amdgpu_gmc_filter_faults_remove+0x60/0x130 [amdgpu]
svm_range_restore_pages+0xae5/0x11c0 [amdgpu]
amdgpu_vm_handle_fault+0xc8/0x340 [amdgpu]
gmc_v9_0_process_interrupt+0x191/0x220 [amdgpu]
amdgpu_irq_dispatch+0xed/0x2c0 [amdgpu]
amdgpu_ih_process+0x84/0x100 [amdgpu]

This issue was exposed by commit 1446226d32a4 ("drm/amdgpu: Remove GC HW
IP 9.3.0 from noretry=1") which changed the default for Renoir APU from
noretry=1 to noretry=0, enabling retry fault handling and thus
exercising the buggy code path.

Fix this by adding a check for ih1.ring_size before attempting to use
it. Also restore the soft_ih support from commit dd299441654f ("drm/amdgpu:
Rework retry fault removal"). This is needed if the hardware doesn't
support secondary HW IH rings.

v2: additional updates (Alex)

(cherry picked from commit 6ce8d536c80aa1f059e82184f0d1994436b1d526)
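
The guard described in the fix, shown as a user-space C model added here for illustration; it is not the kernel patch or amdgpu code. The struct layout, the function names and the placement of the timestamp in dwords 1 and 2 of a ring entry are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for an IH ring; not the kernel's struct definition. */
struct ih_ring {
    uint32_t *ring;      /* NULL when the ring was never initialized */
    uint32_t ring_size;  /* bytes; 0 when the ring was never initialized */
    uint32_t ptr_mask;   /* ring_size - 1 */
    uint32_t rptr;       /* read pointer, in bytes */
};
struct irq_state { struct ih_ring ih1, ih_soft; }; /* ih1 stays zeroed on APUs */

/* Guarded selection: only hand back a ring that has backing storage. */
static const struct ih_ring *select_fault_ring(const struct irq_state *irq)
{
    if (irq->ih1.ring_size)
        return &irq->ih1;
    if (irq->ih_soft.ring_size)
        return &irq->ih_soft;
    return NULL;
}

/* Returns 0 and fills *ts, or -1 when no ring is usable. */
static int entry_timestamp(const struct irq_state *irq, uint64_t *ts)
{
    const struct ih_ring *ih = select_fault_ring(irq);
    if (!ih)
        return -1;
    uint32_t idx = (ih->rptr & ih->ptr_mask) >> 2;
    /* With ih->ring == NULL and idx == 0 this read would hit address 4. */
    *ts = ih->ring[idx + 1] | ((uint64_t)(ih->ring[idx + 2] & 0xffff) << 32);
    return 0;
}

static int64_t demo(int soft_ring_ready)
{
    static uint32_t words[8] = { 0, 0x11223344, 0xabcd5566 }; /* constructed entry */
    struct irq_state irq = { { 0 } };   /* APU-like: no ring initialized */
    uint64_t ts;
    if (soft_ring_ready)
        irq.ih_soft = (struct ih_ring){ words, 32, 31, 0 };
    return entry_timestamp(&irq, &ts) ? -1 : (int64_t)ts;
}

int main(void)
{
    printf("soft ring: 0x%llx\n", (unsigned long long)demo(1));
    printf("no ring:   %lld\n", (long long)demo(0));
    return 0;
}
```

In the model, removing the `ring_size` checks and always returning `&irq->ih1` reproduces the fault class from the trace: a read through a NULL `ring` pointer at offset 4.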



