CVE-2026-43128

In ibumemdmabufgetpinnedwithdmadevice(), the call to ibumemdmabufmappages() can fail. If this occurs, the dmabuf is immediately unpinned but the umemdmabuf->pinned flag is still set. Then, when ibumemrelease() is called, it calls ibumemdmabufrevoke() which will call dmabuf_unpin() again.

Fix this by removing the immediate unpin upon failure and just let the ibumemrelease/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabufmappages call happened to fail due to dmaresvwaittimeout (and therefore has a non-NULL umemdmabuf->sgt).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43128.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1e4df4a21c5ac722df1099eee30cad9246c889b5

Fixed

70542b69abff34d24b11ae0bb200cc7a766d18df

Fixed

b324327ff6f48d8065dca67eb3b91357e72726bd

Fixed

ba3bf0f1bf1d5d0404678485e872980532fcc2c4

Fixed

d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf

Fixed

40126bcbefa79ea86672e05dae608596bab38319

Fixed

104016eb671e19709721c1b0048dd912dc2e96be

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43128.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.165

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.128

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.75

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.16

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43128.json"