
Cloud Vulnerability DB
A community-led vulnerabilities database
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference.
When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference.
Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers
This is visible during driver unload as:
  BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()
  kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects
  Call Trace:
    kmem_cache_destroy
    amdgpu_userq_fence_slab_fini
    amdgpu_exit
    __do_sys_delete_module
Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free().
This makes sure the fence reference is released and the slab cache is empty when the module exits.
v2: Update to only release userq->last_fence with dma_fence_put() (Christian)
(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
Source: NVD
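The leak pattern described above, as an added user-space model that is not the kernel patch or amdgpu code: struct fence, struct userq, slab_live and every function name are hypothetical stand-ins, and slab_live plays the role of the object count that kmem_cache_destroy checks at module exit.

```c
/* User-space model of the leak; every name is a hypothetical stand-in. */
#include <stdio.h>
#include <stdlib.h>

static int slab_live;                       /* objects still in the "slab cache" */
struct fence { int refcount; };
struct userq { struct fence *last_fence; };

static struct fence *fence_alloc(void) {
    struct fence *f = calloc(1, sizeof(*f));
    if (!f) abort();
    f->refcount = 1;                        /* creator's reference */
    slab_live++;
    return f;
}

static void fence_put(struct fence *f) {    /* NULL-safe, like dma_fence_put() */
    if (f && --f->refcount == 0) {
        free(f);
        slab_live--;
    }
}

/* The queue remembers the newest fence and holds an extra reference to it. */
static void userq_submit(struct userq *q) {
    struct fence *f = fence_alloc();
    fence_put(q->last_fence);               /* release the previous fence */
    f->refcount++;                          /* reference owned by last_fence */
    q->last_fence = f;
    fence_put(f);                           /* creator's reference is dropped */
}

/* Teardown, then report what is left at "module exit". */
static int run_scenario(int fixed) {
    struct userq q = { 0 };
    slab_live = 0;
    for (int i = 0; i < 3; i++)
        userq_submit(&q);
    if (fixed) {                            /* the put-and-clear step of the fix */
        fence_put(q.last_fence);
        q.last_fence = NULL;
    }
    return slab_live;                       /* non-zero: cache still has objects */
}

int main(void) {
    printf("unfixed: %d left, fixed: %d left\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

Only the final fence is stranded, however many submissions ran, because each new submission releases the reference to the previous one.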