Linux Kernel AMDGPU NULL Pointer Dereference Vulnerability on 64K Page Systems

Vulnerability

A vulnerability in the Linux kernel's AMDGPU driver can lead to a NULL pointer dereference, causing a kernel crash. This issue arises on systems with 64K page sizes, where the reserved trap area is incorrectly set to 8KB. This mismatch becomes problematic when the kernel attempts to read user page 2, particularly during the execution of 'rocminfo' or 'rccl' unit tests. The crash occurs because the kernel accesses a bad memory area, triggering a segmentation fault. The vulnerability is linked to the hardcoded value of 'AMDGPU_VA_RESERVED_TRAP_SIZE', which fails to align with the larger memory requirements of 64K page systems.

Impact

Exploitation of this vulnerability leads to a kernel crash due to a NULL pointer dereference, causing a denial of service by interrupting normal system operations.

Reproduction

The vulnerability can be reproduced on a system with a 64K page size by running the 'rocminfo' or 'rccl' unit tests. The kernel will crash, displaying an 'Oops' message indicating a NULL pointer dereference error. This crash can be observed in the kernel logs, where the faulting instruction address and the signal number corresponding to the segmentation fault will be recorded.
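
A triage check for the condition described above, added here as an example (not code from the advisory or the kernel tree): it classifies a host by CPU page size and amdgpu presence, and counts NULL-dereference reports in kernel log text. The function names, verdict strings and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory or the kernel source.

# exposure PAGE_SIZE_BYTES AMDGPU_PRESENT(yes|no) -> prints one verdict word
exposure() {
    if [ "$2" != "yes" ]; then
        echo "not-applicable"     # amdgpu absent: the driver code is not in use
    elif [ "$1" = "65536" ]; then
        echo "affected-config"    # 64K pages + amdgpu: confirm the fix is applied
    else
        echo "other-page-size"    # the advisory only describes 64K page systems
    fi
}

# count_oops: kernel log text on stdin -> number of NULL-dereference reports
count_oops() {
    grep -ci 'NULL pointer dereference' || true   # grep exits 1 on zero matches
}

# Constructed sample log; timestamps and addresses are made up, and the exact
# Oops wording on a real system depends on the architecture.
sample_log() {
    cat <<'EOF'
[  512.330] BUG: Kernel NULL pointer dereference on read at 0x00000000
[  512.331] Faulting instruction address: 0x0000000000000000
[  512.332] Oops: Kernel access of bad area, sig: 11 [#1]
EOF
}

# Report for the host this runs on.
host_report() {
    page_size=$(getconf PAGESIZE 2>/dev/null || echo unknown)
    # /sys/module/amdgpu exists when the driver is loaded
    if [ -d /sys/module/amdgpu ]; then present=yes; else present=no; fi
    echo "page_size=$page_size amdgpu=$present verdict=$(exposure "$page_size" "$present")"
}

host_report
echo "NULL-dereference reports in sample log: $(sample_log | count_oops)"
```

To check a real log, pipe its text into count_oops (for example the output of dmesg); a non-zero count on a host reported as affected-config is consistent with the crash described here.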

Remediation

The vulnerability has been addressed by changing the 'AMDGPU_VA_RESERVED_TRAP_SIZE' to 64KB and adjusting the 'KFD_CWSR_TBA_TMA_SIZE' to match the AMDGPU page size. Users should update to the latest version of the Linux kernel where this patch is applied.

Added: May 1, 2026, 4:24 PM
Updated: May 1, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.