CVE-2026-23463
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
soc: fsl: qbman: fix race condition in qman_destroy_fq
When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() – At this point, the fqid is available again – qman_alloc_fqid() – so, we can get the just-freed fqid in thread B – fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL;
And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < 66442cf9989bd4489fa80d9f37637d58ab016835 | affected |
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210 | affected |
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < 9e3d47904b8153c8c3ad2f9b66d5008aad677aa8 | affected |
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < d21923a8059fa896bfef016f55dd769299335cb4 | affected |
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < 751f60bd48edaf03f9d84ab09e5ce6705757d50f | affected |
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < 85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa | affected |
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < 265e56714635c5dd1e5964bfd97fa6e73f62cde5 | affected |
| Linux | Linux | c535e923bb97a4b361e89a6383693482057f8b0c < 014077044e874e270ec480515edbc1cadb976cf2 | affected |
| Linux | Linux | 4.9 | affected |
| Linux | Linux | 0 < 4.9 | unaffected |
| Linux | Linux | 5.10.253 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.203 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.167 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.130 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.78 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.20 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.10 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/66442cf9989bd4489fa80d9f37637d58ab016835
- https://git.kernel.org/stable/c/d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210
- https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
- https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4
- https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f
- https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
- https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5
- https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.