PT-2026-43745 · Linux · Linux

Jonathan Kim · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-45878

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

drm/amdkfd: Fix watch id bounds checking in debug address watch v2

The address watch clear code receives watch_id as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watch_id.

If a very large watch_id is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watch points array.
Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before using it. Also use BIT(watch_id) to test and clear bits safely.

This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones.

Fixes the below:

    drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow 'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped

    drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c
    433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd,
    434                                          uint32_t watch_id)
    435 {
    436         int r;
    437
    438         if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id))

kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if watch_id is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined).

    439                 return -EINVAL;
    440
    441         if (!pdd->dev->kfd->shared_resources.enable_mes) {
    442                 r = debug_lock_and_unmap(pdd->dev->dqm);
    443                 if (r)
    444                         return r;
    445         }
    446
    447         amdgpu_gfx_off_ctrl(pdd->dev->adev, false);
--> 448         pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch(
    449                                                 pdd->dev->adev,
    450                                                 watch_id);

v2 (as per Jonathan Kim):
  • Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to match the clear path.
  • Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id().
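As an added illustration (not the kernel's code), a self-contained C model of the check pattern the fix describes: the u32 id is range-checked against MAX_WATCH_ADDRESSES before it is used as a shift count or array index, and the ownership bit is tested and cleared with BIT(). All names and the state struct below are constructed stand-ins for the amdkfd structures, and the constant value 4 is assumed to match the smatch report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_WATCH_ADDRESSES 4u      /* assumed: 4 watch points, as in the smatch report */
#define BIT(n) (1u << (n))          /* models the kernel's BIT() macro */

/* Constructed stand-in for the per-process-device watch state. */
struct dev_watch_state {
    uint32_t alloc_watch_ids;                   /* one bit per owned watch point */
    uint32_t watch_points[MAX_WATCH_ADDRESSES]; /* the array the report flags */
};

/* The narrowing the commit describes: a u32 from userspace stored in an int.
 * Values above INT_MAX become negative (two's-complement wrap on gcc/clang),
 * and a negative shift count is undefined behaviour, so this only reports the
 * narrowing and never performs the shift. */
bool narrowed_id_is_negative(uint32_t watch_id)
{
    int narrowed = (int)watch_id;
    return narrowed < 0;
}

/* Hardened ownership check: bound the id first, then test the bit with BIT(). */
bool owns_dev_watch_id(const struct dev_watch_state *st, uint32_t watch_id)
{
    if (watch_id >= MAX_WATCH_ADDRESSES)
        return false;
    return (st->alloc_watch_ids & BIT(watch_id)) != 0;
}

/* Clear path with the check in front of the array write.
 * Returns -1 (EINVAL-like) when the id is rejected, 0 on success. */
int clear_dev_address_watch(struct dev_watch_state *st, uint32_t watch_id)
{
    if (!owns_dev_watch_id(st, watch_id))
        return -1;
    st->alloc_watch_ids &= ~BIT(watch_id);   /* release ownership safely */
    st->watch_points[watch_id] = 0;          /* index is now known to be < 4 */
    return 0;
}

int main(void)
{
    struct dev_watch_state st = { .alloc_watch_ids = BIT(2) | BIT(3) };
    printf("id 2147483648 narrows negative: %d\n", narrowed_id_is_negative(2147483648u));
    printf("clear(2147483648) -> %d\n", clear_dev_address_watch(&st, 2147483648u));
    printf("clear(3) -> %d\n", clear_dev_address_watch(&st, 3));
    return 0;
}
```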

Related Identifiers

CVE-2026-45878

Affected Products

Linux