{"id":"CVE-2026-23034","summary":"drm/amdgpu/userq: Fix fence reference leak on queue teardown v2","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/userq: Fix fence reference leak on queue teardown v2\n\nThe user mode queue keeps a pointer to the most recent fence in\nuserq-\u003elast_fence. This pointer holds an extra dma_fence reference.\n\nWhen the queue is destroyed, we free the fence driver and its xarray,\nbut we forgot to drop the last_fence reference.\n\nBecause of the missing dma_fence_put(), the last fence object can stay\nalive when the driver unloads. This leaves an allocated object in the\namdgpu_userq_fence slab cache and triggers\n\nThis is visible during driver unload as:\n\n  BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()\n  kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects\n  Call Trace:\n    kmem_cache_destroy\n    amdgpu_userq_fence_slab_fini\n    amdgpu_exit\n    __do_sys_delete_module\n\nFix this by putting userq-\u003elast_fence and clearing the pointer during\namdgpu_userq_fence_driver_free().\n\nThis makes sure the fence reference is released and the slab cache is\nempty when the module exits.\n\nv2: Update to only release userq-\u003elast_fence with dma_fence_put()\n    (Christian)\n\n(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)","modified":"2026-04-02T13:11:49.224917Z","published":"2026-01-31T11:42:29.137Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23034.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23034.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23034"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"edc762a51c7181d6fe1e0837e2eb69afb406f98e"},{"fixed":"e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175"},{"fixed":"b2426a211dba6432e32a2e70e9183c6e134475c6"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23034.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.16.0"},{"fixed":"6.18.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23034.json"}}],"schema_version":"1.7.5"}