Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix zero-size GDS range init on RDNA4

RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory
resources. The gfx_v12_0 initialisation code correctly leaves
adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at
zero to reflect this.

amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for
each of these resources regardless of size. When the size is zero,
amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(),
which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires
DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is
zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT.

Guard against this by returning 0 early from
amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM
resource manager registration for hardware resources that are absent,
without affecting any other GPU type.

DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in
the kernel config. This is apparently rarely enabled as these chips
have been in the market for over a year and this issue was only reported
now.

Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html
(cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)
Published: 2026-06-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug lies in the AMDGPU driver for RDNA4 (GFX12) devices, where a zero‑size GDS, GWS, or OA on‑chip memory region is incorrectly initialized. The init code unconditionally creates a TTM range manager for every resource, even when the size is zero. When the size is zero, the manager initialization triggers an assertion that crashes the kernel during module loading. The result is a kernel panic or crash, effectively denying service on systems using affected GPUs. The weakness can be classified as an improper initialization of hardware resources.

Affected Systems

All Linux kernel builds that ship an unpatched AMDGPU driver on RDNA4 hardware, such as Radeon RX 9070 XT and similar GPUs. The exact kernel version range is not specified, but any kernel that has the unrevised amdgpu_ttm_init_on_chip implementation before the commit that introduced the early return is vulnerable. Users of newer kernel releases that contain the patch are not affected.

Risk and Exploitability

Because the defect is triggered by loading or initializing the amdgpu driver module, the attack requires local privilege to load the module or to boot into a kernel that executes it. The vulnerability has a high impact (kernel crash) but a low exploitation complexity and currently has no publicly disclosed exploitation technique. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, indicating limited exploitation risk at present. Nonetheless, failure to patch leaves a system vulnerable to intentional denial of service by any local or remote attacker who can load the AMDGPU module.

Generated by OpenCVE AI on June 8, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the fix for this AMDGPU bug (commit 5719ce5 or later).
  • If a kernel update is not immediately available, prevent the problematic module from loading by blacklisting it with a modprobe configuration file such as /etc/modprobe.d/blacklist-amdgpu.conf containing the line blacklist amdgpu.
  • Monitor /var/log/kern.log (or equivalent) for kernel panic messages after module loading; consider setting CONFIG_DRM_DEBUG_MM to n to avoid the assertion in debug builds.

Generated by OpenCVE AI on June 8, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix zero-size GDS range init on RDNA4 RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory resources. The gfx_v12_0 initialisation code correctly leaves adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at zero to reflect this. amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for each of these resources regardless of size. When the size is zero, amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(), which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT. Guard against this by returning 0 early from amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM resource manager registration for hardware resources that are absent, without affecting any other GPU type. DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in the kernel config. This is apparently rarely enabled as these chips have been in the market for over a year and this issue was only reported now. Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html (cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d)
Title drm/amdgpu: fix zero-size GDS range init on RDNA4
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-08T15:41:18.672Z

Reserved: 2026-05-13T15:03:33.109Z

Link: CVE-2026-46276

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T17:16:45.103

Modified: 2026-06-08T17:16:45.103

Link: CVE-2026-46276

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T18:30:16Z

Weaknesses