CVE-2026-23034

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/userq: Fix fence reference leak on queue teardown v2<br /> <br /> The user mode queue keeps a pointer to the most recent fence in<br /> userq-&gt;last_fence. This pointer holds an extra dma_fence reference.<br /> <br /> When the queue is destroyed, we free the fence driver and its xarray,<br /> but we forgot to drop the last_fence reference.<br /> <br /> Because of the missing dma_fence_put(), the last fence object can stay<br /> alive when the driver unloads. This leaves an allocated object in the<br /> amdgpu_userq_fence slab cache and triggers<br /> <br /> This is visible during driver unload as:<br /> <br /> BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()<br /> kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects<br /> Call Trace:<br /> kmem_cache_destroy<br /> amdgpu_userq_fence_slab_fini<br /> amdgpu_exit<br /> __do_sys_delete_module<br /> <br /> Fix this by putting userq-&gt;last_fence and clearing the pointer during<br /> amdgpu_userq_fence_driver_free().<br /> <br /> This makes sure the fence reference is released and the slab cache is<br /> empty when the module exits.<br /> <br /> v2: Update to only release userq-&gt;last_fence with dma_fence_put()<br /> (Christian)<br /> <br /> (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)