CVE-2026-23463

Published: Apr 03, 2026 Last Modified: Apr 03, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

In the Linux kernel, the following vulnerability has been resolved:

soc: fsl: qbman: fix race condition in qman_destroy_fq

When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between
fq_table[fq->idx] state and freeing/allocating from the pool and
WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.

Indeed, we can have:
Thread A Thread B
qman_destroy_fq() qman_create_fq()
qman_release_fqid()
qman_shutdown_fq()
gen_pool_free()
-- At this point, the fqid is available again --
qman_alloc_fqid()
-- so, we can get the just-freed fqid in thread B --
fq->fqid = fqid;
fq->idx = fqid * 2;
WARN_ON(fq_table[fq->idx]);
fq_table[fq->idx] = fq;
fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and
fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before
gen_pool_free() is called by using smp_wmb().

https://git.kernel.org/stable/c/014077044e874e270ec480515ed…
https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2
https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97…
https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5
https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5…
https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f
https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf…
https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa
https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d…
https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8
https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55d…
https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4