CVE-2026-23034

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu/userq: Fix fence reference leak on queue teardown v2

The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference.

When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference.

Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers

This is visible during driver unload as:

BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module

Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free().

This makes sure the fence reference is released and the slab cache is empty when the module exits.

v2: Update to only release userq->last_fence with dma_fence_put() (Christian)

(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxedc762a51c7181d6fe1e0837e2eb69afb406f98e < e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175affected
LinuxLinuxedc762a51c7181d6fe1e0837e2eb69afb406f98e < b2426a211dba6432e32a2e70e9183c6e134475c6affected
LinuxLinux6.16affected
LinuxLinux0 < 6.16unaffected
LinuxLinux6.18.7 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References