{"id":"CVE-2026-31566","summary":"drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib\n\namdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence\nfrom amdgpu_ib_schedule(). This fence is used to wait for job\ncompletion.\n\nCurrently, the code drops the fence reference using dma_fence_put()\nbefore calling dma_fence_wait().\n\nIf dma_fence_put() releases the last reference, the fence may be\nfreed before dma_fence_wait() is called. This can lead to a\nuse-after-free.\n\nFix this by waiting on the fence first and releasing the reference\nonly after dma_fence_wait() completes.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)\n\n(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)","modified":"2026-07-08T08:00:04.307736960Z","published":"2026-04-24T14:35:46.740Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31566.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/138e42be35ff2ce6572ae744de851ea286cf3c69"},{"type":"WEB","url":"https://git.kernel.org/stable/c/39820864eacd886f1a6f817414fb8f9ea3e9a2b4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42d248726a0837640452b71c5a202ca3d35239ec"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7150850146ebfa4ca998f653f264b8df6f7f85be"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc7760c107dc08ef3e231d72c492e67b0a86848b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e23602eb0779760544314ed3905fa6a89a4e4070"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31566.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31566"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9ae55f030dc523fc4dc6069557e4a887ea815453"},{"fixed":"bc7760c107dc08ef3e231d72c492e67b0a86848b"},{"fixed":"e23602eb0779760544314ed3905fa6a89a4e4070"},{"fixed":"138e42be35ff2ce6572ae744de851ea286cf3c69"},{"fixed":"39820864eacd886f1a6f817414fb8f9ea3e9a2b4"},{"fixed":"42d248726a0837640452b71c5a202ca3d35239ec"},{"fixed":"7150850146ebfa4ca998f653f264b8df6f7f85be"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31566.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.0.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.131"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31566.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}