GHSA-HV59-HH7H-7H9R
Vulnerability from github – Published: 2026-01-31 12:30 – Updated: 2026-01-31 12:30In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference.
When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference.
Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers
This is visible during driver unload as:
BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module
Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free().
This makes sure the fence reference is released and the slab cache is empty when the module exits.
v2: Update to only release userq->last_fence with dma_fence_put() (Christian)
(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
{
"affected": [],
"aliases": [
"CVE-2026-23034"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-31T12:16:06Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Fix fence reference leak on queue teardown v2\n\nThe user mode queue keeps a pointer to the most recent fence in\nuserq-\u003elast_fence. This pointer holds an extra dma_fence reference.\n\nWhen the queue is destroyed, we free the fence driver and its xarray,\nbut we forgot to drop the last_fence reference.\n\nBecause of the missing dma_fence_put(), the last fence object can stay\nalive when the driver unloads. This leaves an allocated object in the\namdgpu_userq_fence slab cache and triggers\n\nThis is visible during driver unload as:\n\n BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()\n kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects\n Call Trace:\n kmem_cache_destroy\n amdgpu_userq_fence_slab_fini\n amdgpu_exit\n __do_sys_delete_module\n\nFix this by putting userq-\u003elast_fence and clearing the pointer during\namdgpu_userq_fence_driver_free().\n\nThis makes sure the fence reference is released and the slab cache is\nempty when the module exits.\n\nv2: Update to only release userq-\u003elast_fence with dma_fence_put()\n (Christian)\n\n(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)",
"id": "GHSA-hv59-hh7h-7h9r",
"modified": "2026-01-31T12:30:12Z",
"published": "2026-01-31T12:30:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23034"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.