PT-2026-30165 · Linux · Linux

Published: 2026-04-03 · Updated: 2026-04-03 · CVE-2026-23471

Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug
When trying to do a rather aggressive test of igt's "xe_module_load --r reload" with a full desktop environment and game running I noticed a few OOPSes when dereferencing freed pointers, related to framebuffers and property blobs after the compositor exits.
Solve this by guarding the freeing in drm_file with drm_dev_enter/exit, and immediately put the references from struct drm_file objects during drm_dev_unplug().
Related warnings for framebuffers on the subtest:
[ 739.713076] ------------[ cut here ]------------
WARN_ON(!list_empty(&dev->mode_config.fb_list))
[ 739.713079] WARNING: drivers/gpu/drm/drm_mode_config.c:584 at drm_mode_config_cleanup+0x30b/0x320 [drm], CPU#12: xe_module_load/13145
....
[ 739.713328] Call Trace:
[ 739.713330]
[ 739.713335] ? intel_pmdemand_destroy_state+0x11/0x20 [xe]
[ 739.713574] ? intel_atomic_global_obj_cleanup+0xe4/0x1a0 [xe]
[ 739.713794] intel_display_driver_remove_noirq+0x51/0xb0 [xe]
[ 739.714041] xe_display_fini_early+0x33/0x50 [xe]
[ 739.714284] devm_action_release+0xf/0x20
[ 739.714294] devres_release_all+0xad/0xf0
[ 739.714301] device_unbind_cleanup+0x12/0xa0
[ 739.714305] device_release_driver_internal+0x1b7/0x210
[ 739.714311] device_driver_detach+0x14/0x20
[ 739.714315] unbind_store+0xa6/0xb0
[ 739.714319] drv_attr_store+0x21/0x30
[ 739.714322] sysfs_kf_write+0x48/0x60
[ 739.714328] kernfs_fop_write_iter+0x16b/0x240
[ 739.714333] vfs_write+0x266/0x520
[ 739.714341] ksys_write+0x72/0xe0
[ 739.714345] __x64_sys_write+0x19/0x20
[ 739.714347] x64_sys_call+0xa15/0xa30
[ 739.714355] do_syscall_64+0xd8/0xab0
[ 739.714361] entry_SYSCALL_64_after_hwframe+0x4b/0x53
and
[ 739.714459] ------------[ cut here ]------------
[ 739.714461] xe 0000:67:00.0: [drm] drm_WARN_ON(!list_empty(&fb->filp_head))
[ 739.714464] WARNING: drivers/gpu/drm/drm_framebuffer.c:833 at drm_framebuffer_free+0x6c/0x90 [drm], CPU#12: xe_module_load/13145
[ 739.714715] RIP: 0010:drm_framebuffer_free+0x7a/0x90 [drm]
...
[ 739.714869] Call Trace:
[ 739.714871]
[ 739.714876] drm_mode_config_cleanup+0x26a/0x320 [drm]
[ 739.714998] ? drm_printfn_seq_file+0x20/0x20 [drm]
[ 739.715115] ? drm_mode_config_cleanup+0x207/0x320 [drm]
[ 739.715235] intel_display_driver_remove_noirq+0x51/0xb0 [xe]
[ 739.715576] xe_display_fini_early+0x33/0x50 [xe]
[ 739.715821] devm_action_release+0xf/0x20
[ 739.715828] devres_release_all+0xad/0xf0
[ 739.715843] device_unbind_cleanup+0x12/0xa0
[ 739.715850] device_release_driver_internal+0x1b7/0x210
[ 739.715856] device_driver_detach+0x14/0x20
[ 739.715860] unbind_store+0xa6/0xb0
[ 739.715865] drv_attr_store+0x21/0x30
[ 739.715868] sysfs_kf_write+0x48/0x60
[ 739.715873] kernfs_fop_write_iter+0x16b/0x240
[ 739.715878] vfs_write+0x266/0x520
[ 739.715886] ksys_write+0x72/0xe0
[ 739.715890] __x64_sys_write+0x19/0x20
[ 739.715893] x64_sys_call+0xa15/0xa30
[ 739.715900] do_syscall_64+0xd8/0xab0
[ 739.715905] entry_SYSCALL_64_after_hwframe+0x4b/0x53
and then finally file close blows up:
[ 743.186530] Oops: general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP
[ 743.186535] CPU: 3 UID: 1000 PID: 3453 Comm: kwin_wayland Tainted: G W 7.0.0-rc1-valkyria+ #110 PREEMPT_{RT,(lazy)}
[ 743.186537] Tainted: [W]=WARN
[ 743.186538] Hardware name: Gigabyte Technology Co., Ltd. X299 AORUS Gaming 3/X299 AORUS Gaming 3-CF, BIOS F8n 12/06/2021
[ 743.186539] RIP: 0010:drm_framebuffer_cleanup+0x55/0xc0 [drm]
[ 743.186588] Code: d8 72 73 0f b6 42 05 ff c3 39 c3 72 e8 49 8d bd 50 07 00 00 31 f6 e8 3a 80 d3 e1 49 8b 44 24 10 49 8d 7c 24 08 49 8b 54 24 08 <48> 3b 38 0f 85 95 7f 02 00 48 3b 7a 08 0f 85 8b 7f 02 00 48 89 42
[ 743.186589] RSP: 0018:ffffc900085e3cf8 EFLAGS: 00
---truncated---
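For triage, the trace above can be matched in collected kernel logs. The script below is an added example, not part of the advisory or the kernel patch. It flags DRM teardown warnings and general protection faults whose faulting address is a list-poison value (0xdead000000000122 is LIST_POISON2 on x86-64 with the default CONFIG_ILLEGAL_POINTER_VALUE, the mark left in an already-deleted list entry). The `drm_property_` prefix and the last sample line are assumptions added for illustration.

```python
import re

# LIST_POISON1/2 as seen on x86-64 with the default
# CONFIG_ILLEGAL_POINTER_VALUE of 0xdead000000000000.
LIST_POISON = {0xdead000000000100: "LIST_POISON1",
               0xdead000000000122: "LIST_POISON2"}
# Function-name prefixes of interest; drm_property_ is an assumed prefix,
# the other two appear in the advisory's traces.
DRM_PREFIXES = ("drm_framebuffer_", "drm_mode_config_", "drm_property_")

STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
WARN_AT = re.compile(r"WARNING: \S+ at (\w+)\+")
GPF = re.compile(r"non-canonical address (0x[0-9a-fA-F]+)")
RIP = re.compile(r"RIP: \d+:(\w+)\+")

def triage(log_text):
    """Return (timestamp, kind, function, detail) tuples for DRM teardown
    warnings and for faults on a list-poison address inside DRM code."""
    findings, poison = [], None
    for raw in log_text.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if (w := WARN_AT.search(msg)) and w.group(1).startswith(DRM_PREFIXES):
            findings.append((ts, "warn", w.group(1), None))
        elif g := GPF.search(msg):
            # Remember the poison name until the RIP line names the function.
            poison = LIST_POISON.get(int(g.group(1), 16))
        elif (r := RIP.search(msg)) and poison:
            if r.group(1).startswith(DRM_PREFIXES):
                findings.append((ts, "poisoned-list-deref", r.group(1), poison))
            poison = None
    return findings

# Abridged from the advisory's trace; the final line is a constructed
# negative control that must not be reported.
SAMPLE = """\
[  739.713079] WARNING: drivers/gpu/drm/drm_mode_config.c:584 at drm_mode_config_cleanup+0x30b/0x320 [drm], CPU#12: xe_module_load/13145
[  739.714464] WARNING: drivers/gpu/drm/drm_framebuffer.c:833 at drm_framebuffer_free+0x6c/0x90 [drm], CPU#12: xe_module_load/13145
[  743.186530] Oops: general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP
[  743.186539] RIP: 0010:drm_framebuffer_cleanup+0x55/0xc0 [drm]
[  750.000001] WARNING: fs/example.c:1 at unrelated_func+0x1/0x2, CPU#0: test/1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```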

Related Identifiers

CVE-2026-23471

Affected Products

Linux