{ "public_date" : "2026-04-03T00:00:00Z", "bugzilla" : { "description" : "kernel: drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug", "id" : "2454808", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454808" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ndrm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug\nWhen trying to do a rather aggressive test of igt's \"xe_module_load\n--r reload\" with a full desktop environment and game running I noticed\na few OOPSes when dereferencing freed pointers, related to\nframebuffers and property blobs after the compositor exits.\nSolve this by guarding the freeing in drm_file with drm_dev_enter/exit,\nand immediately put the references from struct drm_file objects during\ndrm_dev_unplug().\nRelated warnings for framebuffers on the subtest:\n[ 739.713076] ------------[ cut here ]------------\nWARN_ON(!list_empty(&dev->mode_config.fb_list))\n[ 739.713079] WARNING: drivers/gpu/drm/drm_mode_config.c:584 at drm_mode_config_cleanup+0x30b/0x320 [drm], CPU#12: xe_module_load/13145\n....\n[ 739.713328] Call Trace:\n[ 739.713330] \n[ 739.713335] ? intel_pmdemand_destroy_state+0x11/0x20 [xe]\n[ 739.713574] ? intel_atomic_global_obj_cleanup+0xe4/0x1a0 [xe]\n[ 739.713794] intel_display_driver_remove_noirq+0x51/0xb0 [xe]\n[ 739.714041] xe_display_fini_early+0x33/0x50 [xe]\n[ 739.714284] devm_action_release+0xf/0x20\n[ 739.714294] devres_release_all+0xad/0xf0\n[ 739.714301] device_unbind_cleanup+0x12/0xa0\n[ 739.714305] device_release_driver_internal+0x1b7/0x210\n[ 739.714311] device_driver_detach+0x14/0x20\n[ 739.714315] unbind_store+0xa6/0xb0\n[ 739.714319] drv_attr_store+0x21/0x30\n[ 739.714322] sysfs_kf_write+0x48/0x60\n[ 739.714328] kernfs_fop_write_iter+0x16b/0x240\n[ 739.714333] vfs_write+0x266/0x520\n[ 739.714341] ksys_write+0x72/0xe0\n[ 739.714345] __x64_sys_write+0x19/0x20\n[ 739.714347] x64_sys_call+0xa15/0xa30\n[ 739.714355] do_syscall_64+0xd8/0xab0\n[ 739.714361] entry_SYSCALL_64_after_hwframe+0x4b/0x53\nand\n[ 739.714459] ------------[ cut here ]------------\n[ 739.714461] xe 0000:67:00.0: [drm] drm_WARN_ON(!list_empty(&fb->filp_head))\n[ 739.714464] WARNING: drivers/gpu/drm/drm_framebuffer.c:833 at drm_framebuffer_free+0x6c/0x90 [drm], CPU#12: xe_module_load/13145\n[ 739.714715] RIP: 0010:drm_framebuffer_free+0x7a/0x90 [drm]\n...\n[ 739.714869] Call Trace:\n[ 739.714871] \n[ 739.714876] drm_mode_config_cleanup+0x26a/0x320 [drm]\n[ 739.714998] ? __drm_printfn_seq_file+0x20/0x20 [drm]\n[ 739.715115] ? drm_mode_config_cleanup+0x207/0x320 [drm]\n[ 739.715235] intel_display_driver_remove_noirq+0x51/0xb0 [xe]\n[ 739.715576] xe_display_fini_early+0x33/0x50 [xe]\n[ 739.715821] devm_action_release+0xf/0x20\n[ 739.715828] devres_release_all+0xad/0xf0\n[ 739.715843] device_unbind_cleanup+0x12/0xa0\n[ 739.715850] device_release_driver_internal+0x1b7/0x210\n[ 739.715856] device_driver_detach+0x14/0x20\n[ 739.715860] unbind_store+0xa6/0xb0\n[ 739.715865] drv_attr_store+0x21/0x30\n[ 739.715868] sysfs_kf_write+0x48/0x60\n[ 739.715873] kernfs_fop_write_iter+0x16b/0x240\n[ 739.715878] vfs_write+0x266/0x520\n[ 739.715886] ksys_write+0x72/0xe0\n[ 739.715890] __x64_sys_write+0x19/0x20\n[ 739.715893] x64_sys_call+0xa15/0xa30\n[ 739.715900] do_syscall_64+0xd8/0xab0\n[ 739.715905] entry_SYSCALL_64_after_hwframe+0x4b/0x53\nand then finally file close blows up:\n[ 743.186530] Oops: general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP\n[ 743.186535] CPU: 3 UID: 1000 PID: 3453 Comm: kwin_wayland Tainted: G W 7.0.0-rc1-valkyria+ #110 PREEMPT_{RT,(lazy)}\n[ 743.186537] Tainted: [W]=WARN\n[ 743.186538] Hardware name: Gigabyte Technology Co., Ltd. X299 AORUS Gaming 3/X299 AORUS Gaming 3-CF, BIOS F8n 12/06/2021\n[ 743.186539] RIP: 0010:drm_framebuffer_cleanup+0x55/0xc0 [drm]\n[ 743.186588] Code: d8 72 73 0f b6 42 05 ff c3 39 c3 72 e8 49 8d bd 50 07 00 00 31 f6 e8 3a 80 d3 e1 49 8b 44 24 10 49 8d 7c 24 08 49 8b 54 24 08 <48> 3b 38 0f 85 95 7f 02 00 48 3b 7a 08 0f 85 8b 7f 02 00 48 89 42\n[ 743.186589] RSP: 0018:ffffc900085e3cf8 EFLAGS: 00\n---truncated---" ], "statement" : "This CVE has been marked as Rejected by the assigning CNA.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23471\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23471\nhttps://lore.kernel.org/linux-cve-announce/2026040322-CVE-2026-23471-f1bc@gregkh/T" ], "name" : "CVE-2026-23471", "csaw" : false }