2467144 – (CVE-2026-43128) CVE-2026-43128 kernel: RDMA/umem: Fix double dma_buf_unpin in failure path

Bug 2467144 (CVE-2026-43128) - CVE-2026-43128 kernel: RDMA/umem: Fix double dma_buf_unpin in failure path

Summary: CVE-2026-43128 kernel: RDMA/umem: Fix double dma_buf_unpin in failure path

Keywords:
Status:	NEW
Alias:	CVE-2026-43128
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-06 13:06 UTC by OSIDB Bzimport
Modified:	2026-05-06 17:55 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-06 13:06:45 UTC

In the Linux kernel, the following vulnerability has been resolved:

RDMA/umem: Fix double dma_buf_unpin in failure path

In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to
ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf
is immediately unpinned but the umem_dmabuf->pinned flag is still
set. Then, when ib_umem_release() is called, it calls
ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let
the ib_umem_release/revoke path handle it. This also ensures the
proper unmap-unpin unwind ordering if the dmabuf_map_pages call
happened to fail due to dma_resv_wait_timeout (and therefore has
a non-NULL umem_dmabuf->sgt).

Comment 1 Keith Grant 2026-05-06 17:53:26 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050620-CVE-2026-43128-5ff4@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.