Bug 2492845 (CVE-2026-53144) - CVE-2026-53144 kernel: drm/amdkfd: fix NULL dereference in get_queue_ids()
Summary: CVE-2026-53144 kernel: drm/amdkfd: fix NULL dereference in get_queue_ids()
Keywords:
Status: NEW
Alias: CVE-2026-53144
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:08 UTC by OSIDB Bzimport
Modified: 2026-06-29 16:50 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:08:44 UTC
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: fix NULL dereference in get_queue_ids()

When usr_queue_id_array is NULL and num_queues is non-zero,
get_queue_ids() returns NULL. The callers check only IS_ERR() on the
return value; since IS_ERR(NULL) == false the check passes, and
suspend_queues() calls q_array_invalidate() which immediately
dereferences NULL while iterating num_queues times.

Userspace can trigger this via kfd_ioctl_set_debug_trap() by supplying
num_queues > 0 with a zero queue_array_ptr, causing a kernel panic.

A NULL usr_queue_id_array with num_queues == 0 is a legitimate no-op
(q_array_invalidate never executes, and resume_queues already guards
all queue_ids dereferences behind a NULL check). Return ERR_PTR(-EINVAL)
only when num_queues is non-zero and the pointer is absent; both callers
already propagate IS_ERR() returns correctly to userspace.

(cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)

Comment 1 Mauro Matteo Cascella 2026-06-29 15:05:04 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062545-CVE-2026-53144-bd58@gregkh/T


Note You need to log in before you can comment on or make changes to this bug.