CVE-2026-23463
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/04/2026
Last modified:
03/04/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
soc: fsl: qbman: fix race condition in qman_destroy_fq<br />
<br />
When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there&#39;s a race condition between<br />
fq_table[fq->idx] state and freeing/allocating from the pool and<br />
WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.<br />
<br />
Indeed, we can have:<br />
Thread A Thread B<br />
qman_destroy_fq() qman_create_fq()<br />
qman_release_fqid()<br />
qman_shutdown_fq()<br />
gen_pool_free()<br />
-- At this point, the fqid is available again --<br />
qman_alloc_fqid()<br />
-- so, we can get the just-freed fqid in thread B --<br />
fq->fqid = fqid;<br />
fq->idx = fqid * 2;<br />
WARN_ON(fq_table[fq->idx]);<br />
fq_table[fq->idx] = fq;<br />
fq_table[fq->idx] = NULL;<br />
<br />
And adding some logs between qman_release_fqid() and<br />
fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.<br />
<br />
To prevent that, ensure that fq_table[fq->idx] is set to NULL before<br />
gen_pool_free() is called by using smp_wmb().
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2
- https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5
- https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f
- https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
- https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
- https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4