Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED

[Why]
dcn32_validate_bandwidth() wraps dcn32_internal_validate_bw() with
DC_FP_START()/DC_FP_END(). In x86 non-RT, DC_FP_START takes fpregs_lock(),
which disables local softirqs.

The DML1 path through dcn32_enable_phantom_plane() calls kvzalloc() to
allocate ~335 KiB for dc_plane_state. This triggers the vmalloc path,
which calls BUG_ON(in_interrupt()) because it's invoked within the
FPU-enabled (softirq disabled) region, leading to a kernel crash.

[How]
Wrap the dc_state_create_phantom_plane() call with the
DC_RUN_WITH_PREEMPTION_ENABLED() macro to allow preemption during
this memory allocation.

(cherry picked from commit 885ccbef7b94a8b38f69c4211c679021aa27ad11)
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when the AMD DRM driver attempts to allocate memory for a phantom plane while the FPU is disabled and softirqs are turned off. Because the vmalloc implementation contains a BUG_ON that asserts the current context must not be an interrupt, the kernel panics and crashes, producing an immediate denial of service. The flaw originates from a misuse of kernel APIs that violate a preemption and interrupt context invariant. This is a CWE-663 weakness: Improper Release of Incomplete Lock.

Affected Systems

All Linux systems using an x86, non‑RT kernel version that lacks the commit adding DC_RUN_WITH_PREEMPTION_ENABLED to the dcn32_enable_phantom_plane path are affected. This includes any distribution that bundles the AMD display driver code for DML1 before the patch commit 885ccbef7b94a8b38f69c4211c679021aa27ad11.

Risk and Exploitability

Based on the description, the attacker most likely needs to trigger the phantom‑plane allocation by interacting with the graphics stack, so the attack vector is inferred to be local privileged access or user interaction. Exploit requires triggering the phantom‑plane allocation path, which typically occurs when a display device is connected or driver interfaces are exercised. The crash is deterministic and the attacker needs local, privileged execution or access to the graphics subsystem. The CVSS score of 5.5 indicates a medium severity, and the EPSS score is < 1%, with no listing in the CISA KEV, implying no known exploitation in the wild. Thus, the risk is moderate to high for systems that expose the graphics subsystem to untrusted users, but lower for strictly isolated, hardened environments.

Generated by OpenCVE AI on June 29, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install a Linux kernel that includes commit 885ccbef7b94a8b38f69c4211c679021aa27ad11 or a later release that wraps the allocation with DC_RUN_WITH_PREEMPTION_ENABLED and removes the BUG_ON.
  • Reboot the system to load the updated kernel and ensure the new driver code is active.
  • If an immediate kernel upgrade cannot be performed, temporarily disable the AMD DRM driver (e.g., blacklist the amdgpu or drm module) or avoid connecting display hardware that triggers the phantom‑plane path until the patch is applied.

Generated by OpenCVE AI on June 29, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-391

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-663
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 26 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-391

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED [Why] dcn32_validate_bandwidth() wraps dcn32_internal_validate_bw() with DC_FP_START()/DC_FP_END(). In x86 non-RT, DC_FP_START takes fpregs_lock(), which disables local softirqs. The DML1 path through dcn32_enable_phantom_plane() calls kvzalloc() to allocate ~335 KiB for dc_plane_state. This triggers the vmalloc path, which calls BUG_ON(in_interrupt()) because it's invoked within the FPU-enabled (softirq disabled) region, leading to a kernel crash. [How] Wrap the dc_state_create_phantom_plane() call with the DC_RUN_WITH_PREEMPTION_ENABLED() macro to allow preemption during this memory allocation. (cherry picked from commit 885ccbef7b94a8b38f69c4211c679021aa27ad11)
Title drm/amd/display: Wrap DCN32 phantom-plane allocation in DC_RUN_WITH_PREEMPTION_ENABLED
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:46.328Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53285

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53285 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T16:00:05Z

Weaknesses
  • CWE-663

    Use of a Non-reentrant Function in a Concurrent Context