HIGH
drm/xe ExecQueue Resource Leak
CVE-2026-23350
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe/queue: Call fini on exec queue creation fail

Every call to queue init should have a corresponding fini call. Skipping this would mean skipping removal of the queue from GuC list (which is part of guc_id allocation). A damaged queue stored in exec_queue_lookup list would lead to invalid memory reference, sooner or later.

Call fini to free guc_id. This must be done before any internal LRCs are freed.

Since the finalization with this extra call became very similar to __xe_exec_queue_fini(), reuse that. To make this reuse possible, alter xe_lrc_put() so it can survive NULL parameters, like other similar functions.

v2: Reuse _xe_exec_queue_fini(). Make xe_lrc_put() aware of NULLs.

(cherry picked from commit 393e5fea6f7d7054abc2c3d97a4cfe8306cd6079)
02 KernelScan AI Analysis
Risk summary
This is a resource leak in the Intel Xe GPU driver that occurs when execution queue creation fails partway through initialization. It can lead to memory leaks and corrupted internal tracking structures, potentially causing system instability or denial of service over time as resources accumulate without being properly freed.
Vulnerability analysis
Root Cause: The original code failed to properly clean up execution queue resources when LRC (Logical Ring Context) creation failed during queue initialization. Specifically, when __xe_exec_queue_init() failed after calling q->ops->init() but before completing LRC setup, the code would return without calling the corresponding q->ops->fini(), leaving the queue registered in GuC tracking lists and causing resource leaks.
Attack Surface: This vulnerability affects local users with access to the DRM subsystem who can trigger execution queue creation operations. The bug is triggered through normal GPU operations that fail during queue setup, making it accessible to any process with GPU access permissions.
Fix Mechanism: The patch restructures the cleanup path by moving __xe_exec_queue_fini() definition before __xe_exec_queue_init() and calling it in the error path to ensure proper resource cleanup. It also makes xe_lrc_put() NULL-safe to handle cases where LRC pointers might be NULL during partial initialization failures. This ensures that every queue init has a corresponding fini call, properly removing queues from GuC lists and preventing memory leaks.
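The init/fini pairing described under Fix Mechanism, as a user-space C model added here for illustration. It is not the xe driver's code or the patch, and every identifier in it (queue_create, backend_init, queue_fini, id_used, live_lrcs and the rest) is hypothetical.

```c
/* User-space model, not xe driver code. All names here are hypothetical. */
#include <stdlib.h>
enum { MAX_IDS = 8, MAX_LRC = 4 };
struct lrc { int refs; };
struct queue { int id; int nlrc; struct lrc *lrc[MAX_LRC]; };
static unsigned char id_used[MAX_IDS]; /* stands in for the GuC id list */
static int live_lrcs;                  /* LRC objects currently allocated */

static void lrc_put(struct lrc *l)     /* tolerates NULL, like the patched put */
{
    if (l && --l->refs == 0) { free(l); live_lrcs--; }
}

static int backend_init(struct queue *q) /* models q->ops->init() */
{
    for (int i = 0; i < MAX_IDS; i++)
        if (!id_used[i]) { id_used[i] = 1; q->id = i; return 0; }
    return -1;
}

static void queue_fini(struct queue *q, int release_id)
{
    if (release_id) id_used[q->id] = 0; /* models q->ops->fini() */
    for (int i = 0; i < q->nlrc; i++)   /* LRCs go only after the id is released */
        lrc_put(q->lrc[i]);             /* slots never filled are still NULL */
}

/* fail_at: index of the LRC allocation forced to fail, or -1 for none.
 * paired: 1 = error path releases the id (fixed), 0 = it does not (before). */
static struct queue *queue_create(int nlrc, int fail_at, int paired)
{
    struct queue *q = (nlrc < 0 || nlrc > MAX_LRC) ? NULL : calloc(1, sizeof(*q));
    if (!q) return NULL;
    q->nlrc = nlrc;
    if (backend_init(q)) { free(q); return NULL; }
    for (int i = 0; i < nlrc; i++) {
        q->lrc[i] = (i == fail_at) ? NULL : calloc(1, sizeof(struct lrc));
        if (!q->lrc[i]) { queue_fini(q, paired); free(q); return NULL; }
        q->lrc[i]->refs = 1; live_lrcs++;
    }
    return q;
}
static void queue_destroy(struct queue *q) { queue_fini(q, 1); free(q); }
static int ids_in_use(void)
{
    int n = 0;
    for (int i = 0; i < MAX_IDS; i++) n += id_used[i];
    return n;
}
```

With paired set to 0, a create that fails on its second LRC leaves one id marked in use for a queue that no longer exists; with paired set to 1 the same failure leaves no id and no LRC behind.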
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.7 | fae65b8a4449 |
| mainline | 7.0 | 99f9b5343cae |