CVE-2026-23463

Summary

In the Linux kernel, the following vulnerability has been resolved:

soc: fsl: qbman: fix race condition in qman_destroy_fq

When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.

Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() – At this point, the fqid is available again – qman_alloc_fqid() – so, we can get the just-freed fqid in thread B – fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < 66442cf9989bd4489fa80d9f37637d58ab016835affected
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210affected
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < 9e3d47904b8153c8c3ad2f9b66d5008aad677aa8affected
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < d21923a8059fa896bfef016f55dd769299335cb4affected
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < 751f60bd48edaf03f9d84ab09e5ce6705757d50faffected
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < 85dbbf7dc88b0a54f2e334daedf6f3f31fd004faaffected
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < 265e56714635c5dd1e5964bfd97fa6e73f62cde5affected
LinuxLinuxc535e923bb97a4b361e89a6383693482057f8b0c < 014077044e874e270ec480515edbc1cadb976cf2affected
LinuxLinux4.9affected
LinuxLinux0 < 4.9unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.78 <= 6.12.*unaffected
LinuxLinux6.18.20 <= 6.18.*unaffected
LinuxLinux6.19.10 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References