DEBIAN-CVE-2026-23034
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-23034
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23034.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-23034
- Upstream
- Published
- 2026-01-31T12:16:06.710Z
- Modified
- 2026-02-13T04:01:31.048050Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->lastfence. This pointer holds an extra dmafence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the lastfence reference. Because of the missing dmafenceput(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpuuserqfence slab cache and triggers This is visible during driver unload as: BUG amdgpuuserq_fence: Objects remaining on __kmemcacheshutdown() kmemcachedestroy amdgpuuserqfence: Slab cache still has objects Call Trace: kmemcachedestroy amdgpuuserqfenceslabfini amdgpu_exit _dosysdeletemodule Fix this by putting userq->lastfence and clearing the pointer during amdgpuuserqfencedriverfree(). This makes sure the fence reference is released and the slab cache is empty when the module exits. v2: Update to only release userq->lastfence with dmafenceput() (Christian) (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
- References
Affected packages
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.18.8-1