CVE-2026-46201
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it.
(cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's drm/xe driver when handling DMA-buf imports can lead to resource exhaustion, exploited via crafted GPU buffer sharing.
Vulnerability
The Linux kernel's drm/xe driver contains a memory leak in the xe_gem_prime_import() function. When xe_dma_buf_init_obj() fails, the attachment obtained from dma_buf_dynamic_attach() is not detached before the error is returned. Kernels that carry this code without the fix commit a828eb185aac41800df8eae4b60501ccc0dbbe51, or a backport of it, are affected. The code path is reached during DMA-buf import operations.
Exploitation
An attacker requires local access to the system and the ability to initiate a DMA-buf import operation that triggers xe_gem_prime_import(). The failure scenario depends on xe_dma_buf_init_obj() returning an error, which can be induced by memory pressure or crafted parameters. No user interaction beyond standard GPU operations is needed.
Impact
Successful exploitation results in a memory leak of DMA-buf attachments, leading to gradual resource exhaustion. Over time, this can deplete kernel memory and cause denial-of-service (DoS) conditions. There is no information disclosure or privilege escalation; the impact is limited to availability.
Mitigation
The fix was included in Linux kernel commit a828eb185aac41800df8eae4b60501ccc0dbbe51, which adds the missing dma_buf_detach() call before error return [1]. Users should update to a kernel version containing this commit. No workarounds are available for unpatched kernels.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 9
0afa8b1ef582 drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
1 file changed · +7 −5
drivers/gpu/drm/xe/xe_dma_buf.c+7 −5 modifieddiff --git a/drivers/gpu/drm/xe/xe_dma_buf.c b/drivers/gpu/drm/xe/xe_dma_buf.c index f9fe7ca32f6178..4cef02ff145186 100644 --- a/drivers/gpu/drm/xe/xe_dma_buf.c +++ b/drivers/gpu/drm/xe/xe_dma_buf.c @@ -347,12 +347,15 @@ struct drm_gem_object *xe_gem_prime_import(struct drm_device *dev, goto out_err; } - /* Errors here will take care of freeing the bo. */ + /* + * xe_dma_buf_init_obj() takes ownership of bo on both success + * and failure, so we must not touch bo after this call. + */ obj = xe_dma_buf_init_obj(dev, bo, dma_buf); - if (IS_ERR(obj)) + if (IS_ERR(obj)) { + dma_buf_detach(dma_buf, attach); return obj; - - + } get_dma_buf(dma_buf); obj->import_attach = attach; return obj; -- cgit 1.3-korg
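Review bot: the new comment above the xe_dma_buf_init_obj() call says why bo must not be touched, but not why the IS_ERR(obj) branch detaches inline instead of using the goto out_err seen in the preceding context line. The commit message gives the reason (out_err would free bo a second time); adding one clause of that to the comment, next to dma_buf_detach(dma_buf, attach), would keep a later cleanup from folding this branch back into out_err.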
eea1e10f8d99 drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
1 file changed · +7 −5
drivers/gpu/drm/xe/xe_dma_buf.c+7 −5 modifieddiff --git a/drivers/gpu/drm/xe/xe_dma_buf.c b/drivers/gpu/drm/xe/xe_dma_buf.c index 43d1e01c801264..19a8aba33085ec 100644 --- a/drivers/gpu/drm/xe/xe_dma_buf.c +++ b/drivers/gpu/drm/xe/xe_dma_buf.c @@ -358,12 +358,15 @@ struct drm_gem_object *xe_gem_prime_import(struct drm_device *dev, goto out_err; } - /* Errors here will take care of freeing the bo. */ + /* + * xe_dma_buf_init_obj() takes ownership of bo on both success + * and failure, so we must not touch bo after this call. + */ obj = xe_dma_buf_init_obj(dev, bo, dma_buf); - if (IS_ERR(obj)) + if (IS_ERR(obj)) { + dma_buf_detach(dma_buf, attach); return obj; - - + } get_dma_buf(dma_buf); obj->import_attach = attach; return obj; -- cgit 1.3-korg
d394669e1949 drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
1 file changed · +7 −5
drivers/gpu/drm/xe/xe_dma_buf.c+7 −5 modifieddiff --git a/drivers/gpu/drm/xe/xe_dma_buf.c b/drivers/gpu/drm/xe/xe_dma_buf.c index ac8738da4a64cb..cedb5c911238fc 100644 --- a/drivers/gpu/drm/xe/xe_dma_buf.c +++ b/drivers/gpu/drm/xe/xe_dma_buf.c @@ -299,12 +299,15 @@ struct drm_gem_object *xe_gem_prime_import(struct drm_device *dev, goto out_err; } - /* Errors here will take care of freeing the bo. */ + /* + * xe_dma_buf_init_obj() takes ownership of bo on both success + * and failure, so we must not touch bo after this call. + */ obj = xe_dma_buf_init_obj(dev, bo, dma_buf); - if (IS_ERR(obj)) + if (IS_ERR(obj)) { + dma_buf_detach(dma_buf, attach); return obj; - - + } get_dma_buf(dma_buf); obj->import_attach = attach; return obj; -- cgit 1.3-korg
111ab678471b drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
1 file changed · +7 −5
drivers/gpu/drm/xe/xe_dma_buf.c+7 −5 modifieddiff --git a/drivers/gpu/drm/xe/xe_dma_buf.c b/drivers/gpu/drm/xe/xe_dma_buf.c index c0937c090d33c3..b9828da1589723 100644 --- a/drivers/gpu/drm/xe/xe_dma_buf.c +++ b/drivers/gpu/drm/xe/xe_dma_buf.c @@ -378,12 +378,15 @@ struct drm_gem_object *xe_gem_prime_import(struct drm_device *dev, goto out_err; } - /* Errors here will take care of freeing the bo. */ + /* + * xe_dma_buf_init_obj() takes ownership of bo on both success + * and failure, so we must not touch bo after this call. + */ obj = xe_dma_buf_init_obj(dev, bo, dma_buf); - if (IS_ERR(obj)) + if (IS_ERR(obj)) { + dma_buf_detach(dma_buf, attach); return obj; - - + } get_dma_buf(dma_buf); obj->import_attach = attach; return obj; -- cgit 1.3-korg
a828eb185aac drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
1 file changed · +7 −4
drivers/gpu/drm/xe/xe_dma_buf.c+7 −4 modified@@ -378,12 +378,15 @@ struct drm_gem_object *xe_gem_prime_import(struct drm_device *dev, goto out_err; } - /* Errors here will take care of freeing the bo. */ + /* + * xe_dma_buf_init_obj() takes ownership of bo on both success + * and failure, so we must not touch bo after this call. + */ obj = xe_dma_buf_init_obj(dev, bo, dma_buf); - if (IS_ERR(obj)) + if (IS_ERR(obj)) { + dma_buf_detach(dma_buf, attach); return obj; - - + } get_dma_buf(dma_buf); obj->import_attach = attach; return obj;
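Review bot: in the IS_ERR(obj) branch, returning right after dma_buf_detach(dma_buf, attach) is only correct if xe_dma_buf_init_obj() always frees bo when it fails, and that contract is recorded only in this call-site comment. Suggest stating it in a comment at xe_dma_buf_init_obj() as well, so a change to its failure handling is checked against this caller. The comment here could also note that get_dma_buf(dma_buf) runs only after the check, so the error branch has no dma-buf reference to drop.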
Vulnerability mechanics
Root cause
"Missing dma_buf_detach() call on the error path of xe_gem_prime_import() when xe_dma_buf_init_obj() fails, causing the dma-buf attachment to leak."
Attack vector
An attacker triggers the bug by importing a dma-buf via xe_gem_prime_import() such that dma_buf_dynamic_attach() succeeds but the subsequent xe_dma_buf_init_obj() call fails. When xe_dma_buf_init_obj() returns an error pointer, the function returns immediately without calling dma_buf_detach(), leaking the attachment. This is a local attack that requires the ability to submit a dma-buf import operation that causes initialization failure in the xe driver.
Affected code
The vulnerability is in the xe_gem_prime_import() function in drivers/gpu/drm/xe/xe_dma_buf.c [patch_id=2897804]. The error path after a successful dma_buf_dynamic_attach() call did not detach the attachment when xe_dma_buf_init_obj() failed.
What the fix does
The patch adds a dma_buf_detach(dma_buf, attach) call inside the IS_ERR(obj) error branch before returning the error pointer [patch_id=2897804]. The commit message explains that a simple goto out_err cannot be used because xe_dma_buf_init_obj() already frees the bo on failure, and out_err would double-free it. The patch also updates the comment to clarify that xe_dma_buf_init_obj() takes ownership of bo on both success and failure.
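The ownership reasoning above, as an added user-space model (not kernel code and not taken from the patch). The names struct bo, struct dmabuf, model_init_obj(), model_import(), leaked_after() and the DETACH_THEN_OUT_ERR variant are hypothetical, and resources are plain counters so that a double free shows up as a count of 2 rather than as undefined behaviour.

```c
#include <stdio.h>

/* User-space model: resources are counters, so a double free is frees == 2. */
struct bo     { int frees; };        /* times this buffer object was freed */
struct dmabuf { int attachments; };  /* attachments currently held */

/* DETACH_THEN_OUT_ERR (hypothetical): detach, then a cleanup label frees bo. */
enum variant { BEFORE_FIX, DETACH_THEN_OUT_ERR, AFTER_FIX };

/* Contract from the patch comment: the callee frees bo itself on failure. */
static int model_init_obj(struct bo *bo, int fail)
{
    if (fail) {
        bo->frees++;
        return -1;
    }
    return 0;
}

/* One import against buf; returns how many times bo ended up freed. */
int model_import(struct dmabuf *buf, enum variant v, int fail_init)
{
    struct bo bo = { 0 };
    buf->attachments++;              /* attach succeeded */
    if (model_init_obj(&bo, fail_init) == 0)
        return bo.frees;             /* success: the object keeps the attachment */

    if (v != BEFORE_FIX)
        buf->attachments--;          /* the detach the fix adds */
    if (v == DETACH_THEN_OUT_ERR)
        bo.frees++;                  /* cleanup label frees bo again */
    return bo.frees;
}

/* Attachments left on one dma-buf after n failed imports. */
int leaked_after(enum variant v, int n)
{
    struct dmabuf buf = { 0 };
    for (int i = 0; i < n; i++)
        model_import(&buf, v, 1);
    return buf.attachments;
}

int main(void)
{
    printf("before fix: %d leaked, after fix: %d leaked\n",
           leaked_after(BEFORE_FIX, 1000), leaked_after(AFTER_FIX, 1000));
    return 0;
}
```

In this model each failed import before the fix leaves one attachment behind, so the count grows linearly with the number of failures, while the inline detach keeps it at zero with bo freed exactly once.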
Preconditions
- input: The attacker must be able to trigger a dma-buf import operation that causes xe_dma_buf_init_obj() to fail after dma_buf_dynamic_attach() succeeds.
- auth: The attacker needs local access to the system to submit the dma-buf import operation.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.