CVE-2026-23162

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/nvm: Fix double-free on aux add failure

After a successful auxiliary_device_init(), aux_dev->dev.release (xe_nvm_release_dev()) is responsible for the kfree(nvm). When there is failure with auxiliary_device_add(), driver will call auxiliary_device_uninit(), which call put_device(). So that the .release callback will be triggered to free the memory associated with the auxiliary_device.

Move the kfree(nvm) into the auxiliary_device_init() failure path and remove the err goto path to fix below error.

" [ 13.232905] ================================================================== [ 13.232911] BUG: KASAN: double-free in xe_nvm_init+0x751/0xf10 [xe] [ 13.233112] Free of addr ffff888120635000 by task systemd-udevd/273

[ 13.233120] CPU: 8 UID: 0 PID: 273 Comm: systemd-udevd Not tainted 6.19.0-rc2-lgci-xe-kernel+ #225 PREEMPT(voluntary) … [ 13.233125] Call Trace: [ 13.233126] <TASK> [ 13.233127] dump_stack_lvl+0x7f/0xc0 [ 13.233132] print_report+0xce/0x610 [ 13.233136] ? kasan_complete_mode_report_info+0x5d/0x1e0 [ 13.233139] ? xe_nvm_init+0x751/0xf10 [xe] … "

v2: drop err goto path. (Alexander)

(cherry picked from commit a3187c0c2bbd947ffff97f90d077ac88f9c2a215)

Affected Software

VendorProductVersion RangeStatus
LinuxLinux7926ba2143d8fef40bb940232818c7363e33598c < 32887d8e4bc0696b3cb6c5915a42b39cfd3434f4affected
LinuxLinux7926ba2143d8fef40bb940232818c7363e33598c < 8a44241b0b83a6047c5448da1fff03fcc29496b5affected
LinuxLinux6.17affected
LinuxLinux0 < 6.17unaffected
LinuxLinux6.18.9 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References