{"id":"CVE-2026-23463","summary":"soc: fsl: qbman: fix race condition in qman_destroy_fq","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: fix race condition in qman_destroy_fq\n\nWhen QMAN_FQ_FLAG_DYNAMIC_FQID is set, there's a race condition between\nfq_table[fq-\u003eidx] state and freeing/allocating from the pool and\nWARN_ON(fq_table[fq-\u003eidx]) in qman_create_fq() gets triggered.\n\nIndeed, we can have:\n         Thread A                             Thread B\n    qman_destroy_fq()                    qman_create_fq()\n      qman_release_fqid()\n        qman_shutdown_fq()\n        gen_pool_free()\n           -- At this point, the fqid is available again --\n                                           qman_alloc_fqid()\n           -- so, we can get the just-freed fqid in thread B --\n                                           fq-\u003efqid = fqid;\n                                           fq-\u003eidx = fqid * 2;\n                                           WARN_ON(fq_table[fq-\u003eidx]);\n                                           fq_table[fq-\u003eidx] = fq;\n     fq_table[fq-\u003eidx] = NULL;\n\nAnd adding some logs between qman_release_fqid() and\nfq_table[fq-\u003eidx] = NULL makes the WARN_ON() trigger a lot more.\n\nTo prevent that, ensure that fq_table[fq-\u003eidx] is set to NULL before\ngen_pool_free() is called by using smp_wmb().","modified":"2026-06-04T09:14:19.437934381Z","published":"2026-04-03T15:15:42.411Z","related":["SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","openSUSE-SU-2026:20826-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23463.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/014077044e874e270ec480515edbc1cadb976cf2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/265e56714635c5dd1e5964bfd97fa6e73f62cde5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/66442cf9989bd4489fa80d9f37637d58ab016835"},{"type":"WEB","url":"https://git.kernel.org/stable/c/751f60bd48edaf03f9d84ab09e5ce6705757d50f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9e3d47904b8153c8c3ad2f9b66d5008aad677aa8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d21923a8059fa896bfef016f55dd769299335cb4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23463.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23463"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c535e923bb97a4b361e89a6383693482057f8b0c"},{"fixed":"66442cf9989bd4489fa80d9f37637d58ab016835"},{"fixed":"d288fbe652ef43b7128e4bc0c0c2ef6bd03a2210"},{"fixed":"9e3d47904b8153c8c3ad2f9b66d5008aad677aa8"},{"fixed":"d21923a8059fa896bfef016f55dd769299335cb4"},{"fixed":"751f60bd48edaf03f9d84ab09e5ce6705757d50f"},{"fixed":"85dbbf7dc88b0a54f2e334daedf6f3f31fd004fa"},{"fixed":"265e56714635c5dd1e5964bfd97fa6e73f62cde5"},{"fixed":"014077044e874e270ec480515edbc1cadb976cf2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23463.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.9.0"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.167"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.130"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.20"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23463.json"}}],"schema_version":"1.7.5"}