CVE-2026-53144

In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: fix NULL dereference in get queue ids()

When usr queue id array is NULL and num queues is non-zero, get queue ids() returns NULL. The callers check only IS ERR() on the return value; since IS ERR(NULL) == false the check passes, and suspend queues() calls q array invalidate() which immediately dereferences NULL while iterating num queues times.

Userspace can trigger this via kfd ioctl set debug trap() by supplying num queues > 0 with a zero queue array ptr, causing a kernel panic.

A NULL usr queue id array with num queues == 0 is a legitimate no-op (q array invalidate never executes, and resume queues already guards all queue ids dereferences behind a NULL check). Return ERR PTR(-EINVAL) only when num queues is non-zero and the pointer is absent; both callers already propagate IS ERR() returns correctly to userspace.

(cherry picked from commit f165a82cdf503884bb1797771c61b2fcc72113d4)