CVE-2026-23463
Published: Apr 3, 2026
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: soc: fsl: qbman: fix race condition in qman_destroy_fq When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered. Indeed, we can have: Thread A Thread B qman_destroy_fq() qman_create_fq() qman_release_fqid() qman_shutdown_fq() gen_pool_free() -- At this point, the fqid is available again -- qman_alloc_fqid() -- so, we can get the just-freed fqid in thread B -- fq->fqid = fqid; fq->idx = fqid * 2; WARN_ON(fq_table[fq->idx]); fq_table[fq->idx] = fq; fq_table[fq->idx] = NULL; And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more. To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected c535e923bb97a4b361e89a6383693482057f8b0c - < 66442cf9989bd4489fa80d9f37637d58ab016835affected c535e923bb97a4b361e89a6383693482057f8b0c - < d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210affected c535e923bb97a4b361e89a6383693482057f8b0c - < 9e3d47904b8153c8c3ad2f9b66d5008aad677aa8affected c535e923bb97a4b361e89a6383693482057f8b0c - < d21923a8059fa896bfef016f55dd769299335cb4affected c535e923bb97a4b361e89a6383693482057f8b0c - < 751f60bd48edaf03f9d84ab09e5ce6705757d50f+3 more versions |
Linux | Linux | affected 4.9unaffected 0 - < 4.9unaffected 5.10.253 - <= 5.10.*unaffected 5.15.203 - <= 5.15.*unaffected 6.1.167 - <= 6.1.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now