CVE-2026-23034
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference.
When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference.
Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers
This is visible during driver unload as:
BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module
Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free().
This makes sure the fence reference is released and the slab cache is empty when the module exits.
v2: Update to only release userq->last_fence with dma_fence_put() (Christian)
(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | edc762a51c7181d6fe1e0837e2eb69afb406f98e < e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175 | affected |
| Linux | Linux | edc762a51c7181d6fe1e0837e2eb69afb406f98e < b2426a211dba6432e32a2e70e9183c6e134475c6 | affected |
| Linux | Linux | 6.16 | affected |
| Linux | Linux | 0 < 6.16 | unaffected |
| Linux | Linux | 6.18.7 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175
- https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.