CVE-2026-31765

Severity (CVSS v4.0): Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 01/05/2026
Last modified: 11/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB

Currently, AMDGPU_VA_RESERVED_TRAP_SIZE is hardcoded to 8KB, while KFD_CWSR_TBA_TMA_SIZE is defined as 2 * PAGE_SIZE. On systems with 4K pages, both values match (8KB), so allocation and reserved space are consistent.

However, on 64K page-size systems, KFD_CWSR_TBA_TMA_SIZE becomes 128KB, while the reserved trap area remains 8KB. This mismatch causes the kernel to crash when running rocminfo or rccl unit tests.

Kernel attempted to read user page (2) - exploit attempt? (uid: 1001)
BUG: Kernel NULL pointer dereference on read at 0x00000002
Faulting instruction address: 0xc0000000002c8a64
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
CPU: 34 UID: 1001 PID: 9379 Comm: rocminfo Tainted: G E 6.19.0-rc4-amdgpu-00320-gf23176405700 #56 VOLUNTARY
Tainted: [E]=UNSIGNED_MODULE
Hardware name: IBM,9105-42A POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.30 (ML1060_896) hv:phyp pSeries
NIP: c0000000002c8a64 LR: c00000000125dbc8 CTR: c00000000125e730
REGS: c0000001e0957580 TRAP: 0300 Tainted: G E
MSR: 8000000000009033 CR: 24008268
XER: 00000036
CFAR: c00000000125dbc4 DAR: 0000000000000002 DSISR: 40000000
IRQMASK: 1
GPR00: c00000000125d908 c0000001e0957820 c0000000016e8100 c00000013d814540
GPR04: 0000000000000002 c00000013d814550 0000000000000045 0000000000000000
GPR08: c00000013444d000 c00000013d814538 c00000013d814538 0000000084002268
GPR12: c00000000125e730 c000007e2ffd5f00 ffffffffffffffff 0000000000020000
GPR16: 0000000000000000 0000000000000002 c00000015f653000 0000000000000000
GPR20: c000000138662400 c00000013d814540 0000000000000000 c00000013d814500
GPR24: 0000000000000000 0000000000000002 c0000001e0957888 c0000001e0957878
GPR28: c00000013d814548 0000000000000000 c00000013d814540 c0000001e0957888
NIP [c0000000002c8a64] __mutex_add_waiter+0x24/0xc0
LR [c00000000125dbc8] __mutex_lock.constprop.0+0x318/0xd00
Call Trace:
0xc0000001e0957890 (unreliable)
__mutex_lock.constprop.0+0x58/0xd00
amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x6fc/0xb60 [amdgpu]
kfd_process_alloc_gpuvm+0x54/0x1f0 [amdgpu]
kfd_process_device_init_cwsr_dgpu+0xa4/0x1a0 [amdgpu]
kfd_process_device_init_vm+0xd8/0x2e0 [amdgpu]
kfd_ioctl_acquire_vm+0xd0/0x130 [amdgpu]
kfd_ioctl+0x514/0x670 [amdgpu]
sys_ioctl+0x134/0x180
system_call_exception+0x114/0x300
system_call_vectored_common+0x15c/0x2ec

This patch changes AMDGPU_VA_RESERVED_TRAP_SIZE to 64 KB and KFD_CWSR_TBA_TMA_SIZE to the AMD GPU page size. This means we reserve 64 KB for the trap in the address space, but only allocate 8 KB within it. With this approach, the allocation size never exceeds the reserved area.

(cherry picked from commit 31b8de5e55666f26ea7ece5f412b83eab3f56dbb)
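The size relationship behind this bug, as an added illustration that is not kernel code and not part of the advisory: it models the reserved trap area and the CWSR allocation before and after the fix, and checks the invariant the crash violated (allocation must fit inside the reserved VA range) for several CPU page sizes. The macro names mirror the kernel's; AMDGPU_GPU_PAGE_SIZE = 4 KB and "allocation = 2 GPU pages" are assumptions chosen to match the 8 KB figure in the commit text.

```c
#include <stdbool.h>
#include <stdio.h>

#define KB(x) ((unsigned long)(x) * 1024UL)
#define AMDGPU_GPU_PAGE_SIZE KB(4)   /* assumption: GPU page size is 4 KB */

struct trap_layout {
    unsigned long reserved;   /* models AMDGPU_VA_RESERVED_TRAP_SIZE */
    unsigned long allocated;  /* models KFD_CWSR_TBA_TMA_SIZE */
};

/* Before the fix: the reservation is a fixed 8 KB, but the allocation
 * scales with the CPU PAGE_SIZE (2 * PAGE_SIZE), so 64K pages need 128 KB. */
struct trap_layout trap_layout_before(unsigned long page_size)
{
    struct trap_layout l = { .reserved = KB(8), .allocated = 2 * page_size };
    return l;
}

/* After the fix: 64 KB is reserved and the allocation is tied to the GPU
 * page size (assumed 2 * 4 KB = 8 KB), independent of the CPU page size. */
struct trap_layout trap_layout_after(unsigned long page_size)
{
    (void)page_size;
    struct trap_layout l = { .reserved = KB(64),
                             .allocated = 2 * AMDGPU_GPU_PAGE_SIZE };
    return l;
}

/* The invariant: the CWSR TBA/TMA allocation must fit in the reserved range. */
bool trap_alloc_fits(struct trap_layout l)
{
    return l.allocated <= l.reserved;
}

int main(void)
{
    unsigned long sizes[] = { KB(4), KB(16), KB(64) };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        struct trap_layout b = trap_layout_before(sizes[i]);
        struct trap_layout a = trap_layout_after(sizes[i]);
        printf("PAGE_SIZE=%luK  before: %luK in %luK -> %s  after: %luK in %luK -> %s\n",
               sizes[i] / 1024,
               b.allocated / 1024, b.reserved / 1024, trap_alloc_fits(b) ? "ok" : "OVERFLOW",
               a.allocated / 1024, a.reserved / 1024, trap_alloc_fits(a) ? "ok" : "OVERFLOW");
    }
    return 0;
}
```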

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.12.81 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.12 (excluding)
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | - | -