soc: fsl: qbman: fix race condition in qman_destroy_fq
Summary
| CVE | CVE-2026-23463 |
|---|
| State | PUBLISHED |
|---|
| Assigner | Linux |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2026-04-03 16:16:33 UTC |
|---|
| Updated | 2026-04-03 16:16:33 UTC |
|---|
| Description | In the Linux kernel, the following vulnerability has been resolved:
soc: fsl: qbman: fix race condition in qman_destroy_fq
When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
fq_table[fq->idx] state and freeing/allocating from the pool and
WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.
Indeed, we can have:
Thread A Thread B
qman_destroy_fq() qman_create_fq()
qman_release_fqid()
qman_shutdown_fq()
gen_pool_free()
-- At this point, the fqid is available again --
qman_alloc_fqid()
-- so, we can get the just-freed fqid in thread B --
fq->fqid = fqid;
fq->idx = fqid * 2;
WARN_ON(fq_table[fq->idx]);
fq_table[fq->idx] = fq;
fq_table[fq->idx] = NULL;
And adding some logs between qman_release_fqid() and
fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.
To prevent that, ensure that fq_table[fq->idx] is set to NULL before
gen_pool_free() is called by using smp_wmb(). |
|---|
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|
| CNA |
Linux |
Linux |
affected c535e923bb97a4b361e89a6383693482057f8b0c 9e3d47904b8153c8c3ad2f9b66d5008aad677aa8 git |
Not specified |
| CNA |
Linux |
Linux |
affected c535e923bb97a4b361e89a6383693482057f8b0c d21923a8059fa896bfef016f55dd769299335cb4 git |
Not specified |
| CNA |
Linux |
Linux |
affected c535e923bb97a4b361e89a6383693482057f8b0c 751f60bd48edaf03f9d84ab09e5ce6705757d50f git |
Not specified |
| CNA |
Linux |
Linux |
affected c535e923bb97a4b361e89a6383693482057f8b0c 85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa git |
Not specified |
| CNA |
Linux |
Linux |
affected c535e923bb97a4b361e89a6383693482057f8b0c 265e56714635c5dd1e5964bfd97fa6e73f62cde5 git |
Not specified |
| CNA |
Linux |
Linux |
affected c535e923bb97a4b361e89a6383693482057f8b0c 014077044e874e270ec480515edbc1cadb976cf2 git |
Not specified |
| CNA |
Linux |
Linux |
affected 4.9 |
Not specified |
| CNA |
Linux |
Linux |
unaffected 4.9 semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.1.167 6.1.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.6.130 6.6.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.12.78 6.12.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.18.20 6.18.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 6.19.10 6.19.* semver |
Not specified |
| CNA |
Linux |
Linux |
unaffected 7.0-rc5 * original_commit_for_fix |
Not specified |
References
| Reference | Source | Link | Tags |
|---|
| git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4 |
416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
git.kernel.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.
