VYPR
Medium severity 4.7 · NVD Advisory · Published Apr 3, 2026 · Updated May 20, 2026

CVE-2026-23463

Description

In the Linux kernel, the following vulnerability has been resolved:

soc: fsl: qbman: fix race condition in qman_destroy_fq

When QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between fq_table[fq->idx] state and freeing/allocating from the pool and WARN_ON(fq_table[fq->idx]) in qman_create_fq() gets triggered.

Indeed, we can have:

         Thread A                             Thread B
    qman_destroy_fq()                    qman_create_fq()
      qman_release_fqid()
        qman_shutdown_fq()
        gen_pool_free()
           -- At this point, the fqid is available again --
                                           qman_alloc_fqid()
           -- so, we can get the just-freed fqid in thread B --
                                           fq->fqid = fqid;
                                           fq->idx = fqid * 2;
                                           WARN_ON(fq_table[fq->idx]);
                                           fq_table[fq->idx] = fq;
     fq_table[fq->idx] = NULL;

And adding some logs between qman_release_fqid() and fq_table[fq->idx] = NULL makes the WARN_ON() trigger a lot more.

To prevent that, ensure that fq_table[fq->idx] is set to NULL before gen_pool_free() is called by using smp_wmb().
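
Added example (not code from the kernel patch or from this advisory): a single-threaded C model that replays the interleaving above deterministically, with the old ordering beside the ordering the fix describes. The names create_fq, destroy_fq_racy, destroy_fq_ordered, thread_b, b_registered and replay, and the 4-entry pool, are assumptions made for illustration; a C11 release fence stands in for smp_wmb().

```c
#include <stdatomic.h>
#include <stddef.h>
#define NUM_FQID 4                        /* constructed pool size */
struct fq { unsigned fqid, idx; };
static struct fq *fq_table[NUM_FQID * 2]; /* models the driver's fq_table[] */
static int fqid_free[NUM_FQID];           /* 1 = in pool; stands in for gen_pool */
static int warn_count;                    /* hits of WARN_ON(fq_table[fq->idx]) */
static struct fq a, b;                    /* A's fq being destroyed, B's new fq */

static int create_fq(struct fq *fq)       /* models qman_create_fq() */
{
    for (unsigned id = 0; id < NUM_FQID; id++) {
        if (!fqid_free[id]) continue;
        fqid_free[id] = 0;                /* qman_alloc_fqid() */
        fq->fqid = id;
        fq->idx = id * 2;
        if (fq_table[fq->idx]) warn_count++; /* WARN_ON() would fire here */
        fq_table[fq->idx] = fq;
        return 0;
    }
    return -1;                            /* pool exhausted */
}

static void thread_b(void) { create_fq(&b); } /* B scheduled inside A's destroy */
static void destroy_fq_racy(struct fq *fq)    /* ordering before the fix */
{
    fqid_free[fq->fqid] = 1;              /* fqid reusable while table entry is set */
    thread_b();
    fq_table[fq->idx] = NULL;             /* stale clear wipes B's live entry */
}

static void destroy_fq_ordered(struct fq *fq) /* ordering after the fix */
{
    fq_table[fq->idx] = NULL;
    atomic_thread_fence(memory_order_release); /* stand-in for smp_wmb() */
    thread_b();
    fqid_free[fq->fqid] = 1;              /* fqid reusable only after the clear */
}

static int b_registered(void) { return fq_table[b.idx] == &b; }
static int replay(void (*destroy)(struct fq *)) /* returns WARN_ON hit count */
{
    for (int i = 0; i < NUM_FQID * 2; i++) fq_table[i] = NULL;
    for (int i = 0; i < NUM_FQID; i++) fqid_free[i] = 1;
    warn_count = 0;
    create_fq(&a);
    destroy(&a);
    return warn_count;
}
```

With the old ordering, replay() reports one WARN_ON hit and B's live queue ends up missing from the table; with the clear moved ahead of the release, B receives a different fqid and the freed one can be reused cleanly afterwards.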

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in the Linux kernel's QMan driver can cause a use-after-free or WARN_ON when destroying and creating FQ objects concurrently.

In the Linux kernel's QMan driver for Freescale DPAA devices, a race condition exists between qman_destroy_fq() and qman_create_fq() when QMAN_FQ_FLAG_DYNAMIC_FQID is set. The issue arises because the frame queue ID (fqid) is released to a pool before the corresponding fq_table entry is cleared, allowing a concurrent qman_create_fq() to allocate the same fqid and overwrite the table entry while the destroy function still expects it to be valid.

An attacker with local access and the ability to trigger concurrent creation and destruction of frame queues (e.g., via specific device operations) could exploit this race. No authentication is required beyond normal user access to the QMan subsystem. The race window is narrow, but can be widened by adding delays, making the WARN_ON() in qman_create_fq() more likely to trigger.

If successful, an attacker could cause a kernel panic (due to the WARN_ON or subsequent use-after-free conditions) leading to a denial of service. In some scenarios, the race may also lead to memory corruption or other undefined behavior, impacting system stability and availability.

The vulnerability is fixed in stable kernel commits [1]. Users should apply the latest kernel updates to ensure the race condition is mitigated via proper memory barriers (smp_wmb()) that order the fq_table update before the pool release.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
