Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 9.1.0, < 9.1.0-D1
- >= 9.2.2, < 9.2.2-D1
- >= 9.3.0, < 9.3.0-D1
A NULL pointer dereference vulnerability has been identified in the Linux kernel's AMDGPU component, specifically on Accelerated Processing Units (APUs) like Raven and Renoir, within Graphics Core versions 9.1.0, 9.2.2, and 9.3.0. The issue arises because the ih1 and ih2 interrupt ring buffers are not initialized on these APUs, as these secondary interrupt rings are only available on discrete GPUs. The function 'amdgpu_gmc_filter_faults_remove()' improperly relies on ih1 to retrieve the timestamp of the last interrupt entry. When retry faults are enabled on APUs, this function is invoked during the SVM page fault recovery process, leading to a NULL pointer dereference when it tries to access the uninitialized interrupt ring. This flaw causes a kernel crash, which can be observed as a NULL pointer dereference error in the system logs.
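The defensive pattern this bug calls for is a readiness check before any code touches a secondary interrupt ring. The following C program is an added, simplified model written for this page, not AMDGPU kernel code: the struct layout, the 8-dword vector with a timestamp in dwords 2-3, the ring sizes and the sample devices are all constructed assumptions. It shows a timestamp lookup that reports "no ih1" on an APU whose ring was never allocated, and only reads the ring on a device where it is initialised.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code: an IH ring is a power-of-two byte
 * buffer of 8-dword interrupt vectors. On a dGPU all three rings are set
 * up; on an APU ih1/ih2 are left zeroed, so ring == NULL and ring_size == 0. */
#define IV_DWORDS 8u

struct ih_ring {
    uint32_t *ring;      /* NULL when the ring was never initialised */
    uint32_t ring_size;  /* bytes, 0 when never initialised */
    uint32_t wptr;       /* write pointer in dwords (monotonic in this model) */
};

struct device {
    bool is_apu;
    struct ih_ring ih;   /* primary ring, present on every ASIC */
    struct ih_ring ih1;  /* secondary ring, discrete GPUs only */
    struct ih_ring ih2;  /* secondary ring, discrete GPUs only */
};

/* The check the vulnerable path lacked: refuse to touch a ring whose
 * buffer was never allocated. */
static bool ih_ring_ready(const struct ih_ring *ih)
{
    return ih != NULL && ih->ring != NULL && ih->ring_size != 0;
}

/* Timestamp of the most recently written entry: dwords 2-3 of the vector
 * (a constructed layout for this model). */
static uint64_t ih_last_timestamp(const struct ih_ring *ih)
{
    uint32_t mask = ih->ring_size / 4u - 1u;          /* ring_size is a power of two */
    uint32_t last = (ih->wptr - IV_DWORDS) & mask;    /* start of the last entry */
    return ((uint64_t)ih->ring[last + 3] << 32) | ih->ring[last + 2];
}

/* Hardened counterpart of the fault-filter lookup: on an APU (no ih1) or
 * on an empty ring it reports "no timestamp" instead of dereferencing NULL. */
bool last_fault_timestamp(const struct device *adev, uint64_t *ts)
{
    const struct ih_ring *ih = &adev->ih1;

    if (!ih_ring_ready(ih))       /* APU: ih1 never initialised */
        return false;
    if (ih->wptr < IV_DWORDS)     /* dGPU but nothing written yet */
        return false;
    *ts = ih_last_timestamp(ih);
    return true;
}

/* Constructed sample devices. */
static uint32_t dgpu_ih1_buf[64];   /* 256 bytes = 8 vectors of 8 dwords */

struct device make_apu(void)
{
    struct device d = { .is_apu = true };   /* ih1/ih2 stay all-zero */
    return d;
}

struct device make_dgpu(void)
{
    struct device d = { .is_apu = false };
    /* one vector written at slot 0 with timestamp 0x100001234 */
    dgpu_ih1_buf[2] = 0x00001234u;
    dgpu_ih1_buf[3] = 0x00000001u;
    d.ih1.ring = dgpu_ih1_buf;
    d.ih1.ring_size = sizeof dgpu_ih1_buf;
    d.ih1.wptr = IV_DWORDS;
    return d;
}

int main(void)
{
    uint64_t ts = 0;
    struct device apu = make_apu(), dgpu = make_dgpu();

    printf("APU:  %s\n", last_fault_timestamp(&apu, &ts) ? "timestamp" : "no ih1, skipped");
    if (last_fault_timestamp(&dgpu, &ts))
        printf("dGPU: last fault timestamp 0x%llx\n", (unsigned long long)ts);
    return 0;
}
```

The point of the model is where the guard sits: the caller that needs the last interrupt timestamp must be prepared for the ring not to exist on this ASIC, rather than assuming every ring a discrete GPU has is also present on an APU.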
Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference, causing a denial of service by interrupting normal system operations.
The vulnerability can be reproduced on a system running an affected Linux kernel version on an APU such as Raven or Renoir. The 'noretry' setting must be configured to '0' to enable retry fault handling, which activates the faulty code path. Once these conditions are met, the vulnerability is triggered by a page fault that is handled by the SVM range restoration process: that path attempts to access the uninitialized interrupt ring, resulting in a NULL pointer dereference and a kernel crash.
Users can upgrade to a patched version of the Linux kernel where this vulnerability has been addressed. The specific commit that fixes this issue is included in the Linux kernel stable tree.