CVE-2026-23463
EUVD-2026-1872603.04.2026, 16:16
In the Linux kernel, the following vulnerability has been resolved:
soc: fsl: qbman: fix race condition in qman_destroy_fq
When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
fq_table[fq->idx] state and freeing/allocating from the pool and
WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
Indeed, we can have:
Thread A Thread B
qman_destroy_fq() qman_create_fq()
qman_release_fqid()
qman_shutdown_fq()
gen_pool_free()
-- At this point, the fqid is available again --
qman_alloc_fqid()
-- so, we can get the just-freed fqid in thread B --
fq->fqid = fqid;
fq->idx = fqid * 2;
WARN_ON(fq_table[fq->idx]);
fq_table[fq->idx] = fq;
fq_table[fq->idx] = NULL;
And adding some logs between qman_release_fqid() and
fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
To prevent that, ensure that fq_table[fq->idx] is set to NULL before
gen_pool_free() is called by using smp_wmb().Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 4.9 ≤ 𝑥 < 5.10.253 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.203 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.167 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.130 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.78 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.20 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 6.19.10 |
| linux | linux_kernel | 7.0:rc1 |
| linux | linux_kernel | 7.0:rc2 |
| linux | linux_kernel | 7.0:rc3 |
| linux | linux_kernel | 7.0:rc4 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||
|---|---|---|---|---|---|---|---|
| kernel-64kb |
| ||||||
| kernel-azure |
| ||||||
| kernel-default |
| ||||||
| kernel-default-base |
| ||||||
| kernel-obs-build |
| ||||||
| kernel-source |
| ||||||
| kernel-zfcpdump |
|
Vulnerability Media Exposure
References