FKIE_CVE-2026-23034

Vulnerability from fkie_nvd - Published: 2026-01-31 12:16 - Updated: 2026-02-03 16:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference. Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers This is visible during driver unload as: BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free(). This makes sure the fence reference is released and the slab cache is empty when the module exits. v2: Update to only release userq->last_fence with dma_fence_put() (Christian) (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Fix fence reference leak on queue teardown v2\n\nThe user mode queue keeps a pointer to the most recent fence in\nuserq-\u003elast_fence. This pointer holds an extra dma_fence reference.\n\nWhen the queue is destroyed, we free the fence driver and its xarray,\nbut we forgot to drop the last_fence reference.\n\nBecause of the missing dma_fence_put(), the last fence object can stay\nalive when the driver unloads. This leaves an allocated object in the\namdgpu_userq_fence slab cache and triggers\n\nThis is visible during driver unload as:\n\n  BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()\n  kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects\n  Call Trace:\n    kmem_cache_destroy\n    amdgpu_userq_fence_slab_fini\n    amdgpu_exit\n    __do_sys_delete_module\n\nFix this by putting userq-\u003elast_fence and clearing the pointer during\namdgpu_userq_fence_driver_free().\n\nThis makes sure the fence reference is released and the slab cache is\nempty when the module exits.\n\nv2: Update to only release userq-\u003elast_fence with dma_fence_put()\n    (Christian)\n\n(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/amdgpu/userq: Soluci\u00f3n a la fuga de referencia de \u0027fence\u0027 durante el desmontaje de la cola v2\n\nLa cola en modo usuario mantiene un puntero al \u0027fence\u0027 m\u00e1s reciente en userq-\u0026gt;last_fence. Este puntero mantiene una referencia extra de dma_fence.\n\nCuando la cola es destruida, liberamos el controlador de \u0027fence\u0027 y su xarray, pero olvidamos liberar la referencia de last_fence.\n\nDebido a la ausencia de dma_fence_put(), el \u00faltimo objeto \u0027fence\u0027 puede permanecer activo cuando el controlador se descarga. Esto deja un objeto asignado en la cach\u00e9 de \u0027slab\u0027 amdgpu_userq_fence y desencadena\n\nEsto es visible durante la descarga del controlador como:\n\n  BUG amdgpu_userq_fence: Objetos restantes en __kmem_cache_shutdown()\n  kmem_cache_destroy amdgpu_userq_fence: La cach\u00e9 de \u0027slab\u0027 todav\u00eda tiene objetos\n  Traza de Llamada:\n    kmem_cache_destroy\n    amdgpu_userq_fence_slab_fini\n    amdgpu_exit\n    __do_sys_delete_module\n\nSolucione esto liberando userq-\u0026gt;last_fence y limpiando el puntero durante amdgpu_userq_fence_driver_free().\n\nEsto asegura que la referencia de \u0027fence\u0027 sea liberada y que la cach\u00e9 de \u0027slab\u0027 est\u00e9 vac\u00eda cuando el m\u00f3dulo sale.\n\nv2: Actualizaci\u00f3n para liberar solo userq-\u0026gt;last_fence con dma_fence_put() (Christian)\n\n(seleccionado del commit 8e051e38a8d45caf6a866d4ff842105b577953bb)"
    }
  ],
  "id": "CVE-2026-23034",
  "lastModified": "2026-02-03T16:44:36.630",
  "metrics": {},
  "published": "2026-01-31T12:16:06.710",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.