HIGH
drm/amdgpu VM Race
CVE-2026-43370
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.0 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix use-after-free race in VM acquire

Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm_file both try to acquire the same VM after fork().

(cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618)
02 KernelScan AI Analysis
Risk summary
A race condition in AMD GPU driver VM acquisition allows concurrent parent/child processes to corrupt kernel memory after fork(). This can lead to use-after-free conditions enabling arbitrary kernel memory access or system crashes. Systems with AMD GPUs and multi-process GPU workloads are at risk.
Vulnerability analysis
The vulnerability stems from non-atomic assignment of vm->process_info in init_kfd_vm(). When processes fork() and both parent/child attempt to acquire the same GPU VM simultaneously, a race condition occurs where one process's process_info can overwrite another's, creating a use-after-free scenario. The fix replaces the assignment with atomic cmpxchg() to ensure only one process can successfully acquire the VM. Attack surface is local, requiring access to AMD GPU device files (/dev/dri/renderD* or /dev/kfd), typically available to users in the render group.
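The check-then-assign race and the cmpxchg() fix described above, modelled in userspace C11 as an added example; it is not the amdgpu driver code. The struct layouts, function names and the -EBUSY return value are assumptions, and the interleaving is replayed in a fixed order rather than raced between threads.

```c
/* Userspace model of the VM acquire pattern (added example, not amdgpu source). */
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

struct process_info { int owner; };                 /* hypothetical stand-in */
struct vm { _Atomic(struct process_info *) process_info; };

/* Old pattern: "is it free?" and "take it" are separate steps. Replay the
 * interleaving where parent and child both check before either assigns.
 * Returns how many callers believe they acquired the VM. */
static int replay_racy(struct vm *vm, struct process_info *parent,
                       struct process_info *child)
{
    int p_free = atomic_load(&vm->process_info) == NULL;  /* parent's check */
    int c_free = atomic_load(&vm->process_info) == NULL;  /* child's check  */
    if (p_free) atomic_store(&vm->process_info, parent);
    if (c_free) atomic_store(&vm->process_info, child);   /* replaces parent's pointer */
    return p_free + c_free;
}

/* Fixed pattern: check and assignment are one compare-and-exchange, so a
 * caller that finds the slot taken fails. -EBUSY is this example's choice. */
static int acquire_cmpxchg(struct vm *vm, struct process_info *info)
{
    struct process_info *expected = NULL;
    if (!atomic_compare_exchange_strong(&vm->process_info, &expected, info))
        return -EBUSY;
    return 0;
}

/* Same two callers against the fixed pattern; returns the number of winners. */
static int replay_cmpxchg(struct vm *vm, struct process_info *parent,
                          struct process_info *child)
{
    int winners = (acquire_cmpxchg(vm, parent) == 0);
    winners += (acquire_cmpxchg(vm, child) == 0);
    return winners;
}

int main(void)
{
    struct process_info parent = { 1 }, child = { 2 };
    struct vm a, b;
    atomic_init(&a.process_info, NULL);
    atomic_init(&b.process_info, NULL);
    printf("racy owners=%d cmpxchg owners=%d\n",
           replay_racy(&a, &parent, &child), replay_cmpxchg(&b, &parent, &child));
    return 0;
}
```

In the racy replay both callers report success while the VM records only the last pointer written; with the compare-and-exchange exactly one caller succeeds and the stored pointer never changes afterwards.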
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | ae87aea330c2 |
| 5.15 | 5.15.203 | 46d309996bd9 |
| 6.1 | 6.1.167 | e61e355cbe49 |
| 6.6 | 6.6.130 | c658c1c85ec2 |
| 6.12 | 6.12.78 | 904025fa8bba |
| 6.18 | 6.18.19 | 7885eb335d8f |
| 6.19 | 6.19.9 | 94b7782d0c80 |
| mainline | 7.0 | 2c1030f2e848 |