In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: avoid double drmexecfini() in userq validate
When newaddition is true, amdgpuuserqvmvalidate() calls drmexecfini(&exec) before iterating over the collected HMM ranges and calling amdgputtmttgetuser_pages().
If amdgputtmttgetuserpages() fails in that path, the code jumps to unlockall and calls drmexecfini(&exec) a second time on the same exec object. drmexecfini() is not idempotent: it frees exec->objects and may also drop exec->contended and finalize the ww acquire context.
Route that error path directly to the range cleanup once exec has already been finalized.
Issue found using a prototype static analysis tool and confirmed by code review.
(cherry picked from commit 2802952e4a07306da6ebe813ff1acacc5691851a)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52987.json",
"cna_assigner": "Linux"
}