drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib_CVE-2026-31566

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib

amdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence
from amdgpu_ib_schedule(). This fence is used to wait for job
completion.

Currently, the code drops the fence reference using dma_fence_put()
before calling dma_fence_wait().

If dma_fence_put() releases the last reference, the fence may be
freed before dma_fence_wait() is called. This can lead to a
use-after-free.

Fix this by waiting on the fence first and releasing the reference
only after dma_fence_wait() completes.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)

(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)

Basic Information

ID CVE-2026-31566

Source Linux

Published Apr 24, 2026 at 14:35

Modified Apr 27, 2026 at 14:04

Affected Product

Vendor Linux

Product Linux

Version 9ae55f030dc523fc4dc6069557e4a887ea815453

Affected Versions Linux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453
Linux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453
Linux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453
Linux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453
Linux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453
Linux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453
Linux Linux 6.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib\n\namdgpu_amdkfd_submit_ib() submits a GPU job and gets a fence\nfrom amdgpu_ib_schedule(). This fence is used to wait for job\ncompletion.\n\nCurrently, the code drops the fence reference using dma_fence_put()\nbefore calling dma_fence_wait().\n\nIf dma_fence_put() releases the last reference, the fence may be\nfreed before dma_fence_wait() is called. This can lead to a\nuse-after-free.\n\nFix this by waiting on the fence first and releasing the reference\nonly after dma_fence_wait() completes.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c:697 amdgpu_amdkfd_submit_ib() warn: passing freed memory 'f' (line 696)\n\n(cherry picked from commit 8b9e5259adc385b61a6590a13b82ae0ac2bd3482)",
    "published": "2026-04-24T14:35:46.740Z",
    "modified": "2026-04-27T14:04:06.894Z",
    "type": "cve",
    "title": "drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/bc7760c107dc08ef3e231d72c492e67b0a86848b\nhttps://git.kernel.org/stable/c/e23602eb0779760544314ed3905fa6a89a4e4070\nhttps://git.kernel.org/stable/c/138e42be35ff2ce6572ae744de851ea286cf3c69\nhttps://git.kernel.org/stable/c/39820864eacd886f1a6f817414fb8f9ea3e9a2b4\nhttps://git.kernel.org/stable/c/42d248726a0837640452b71c5a202ca3d35239ec\nhttps://git.kernel.org/stable/c/7150850146ebfa4ca998f653f264b8df6f7f85be",
    "id": "CVE-2026-31566",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453\nLinux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453\nLinux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453\nLinux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453\nLinux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453\nLinux Linux 9ae55f030dc523fc4dc6069557e4a887ea815453\nLinux Linux 6.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "9ae55f030dc523fc4dc6069557e4a887ea815453",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply