ghsa-xpm8-g6rj-74pw
Vulnerability from github
Published
2025-10-30 12:31
Modified
2025-10-30 12:31
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies

When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.

Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this:

drm_sched_job_add_implicit_dependencies(): ... for (i = 0; i < fence_count; i++) { ret = drm_sched_job_add_dependency(job, fences[i]); if (ret) break; }

   for (; i < fence_count; i++)
           dma_fence_put(fences[i]);

Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.

The bug was then only noticed and fixed after commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2") landed, with its fixup of commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies").

At that point it was a slightly different flavour of a double free, which commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") noticed and attempted to fix.

But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.

As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.

While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40096"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T10:15:34Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies\n\nWhen adding dependencies with drm_sched_job_add_dependency(), that\nfunction consumes the fence reference both on success and failure, so in\nthe latter case the dma_fence_put() on the error path (xarray failed to\nexpand) is a double free.\n\nInterestingly this bug appears to have been present ever since\ncommit ebd5f74255b9 (\"drm/sched: Add dependency tracking\"), since the code\nback then looked like this:\n\ndrm_sched_job_add_implicit_dependencies():\n...\n       for (i = 0; i \u003c fence_count; i++) {\n               ret = drm_sched_job_add_dependency(job, fences[i]);\n               if (ret)\n                       break;\n       }\n\n       for (; i \u003c fence_count; i++)\n               dma_fence_put(fences[i]);\n\nWhich means for the failing \u0027i\u0027 the dma_fence_put was already a double\nfree. Possibly there were no users at that time, or the test cases were\ninsufficient to hit it.\n\nThe bug was then only noticed and fixed after\ncommit 9c2ba265352a (\"drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2\")\nlanded, with its fixup of\ncommit 4eaf02d6076c (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies\").\n\nAt that point it was a slightly different flavour of a double free, which\ncommit 963d0b356935 (\"drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder\")\nnoticed and attempted to fix.\n\nBut it only moved the double free from happening inside the\ndrm_sched_job_add_dependency(), when releasing the reference not yet\nobtained, to the caller, when releasing the reference already released by\nthe former in the failure case.\n\nAs such it is not easy to identify the right target for the fixes tag so\nlets keep it simple and just continue the chain.\n\nWhile fixing we also improve the comment and explain the reason for taking\nthe reference and not dropping it.",
  "id": "GHSA-xpm8-g6rj-74pw",
  "modified": "2025-10-30T12:31:10Z",
  "published": "2025-10-30T12:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40096"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c38a63ae12ecc9370a7678077bde2d61aa80e9c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57239762aa90ad768dac055021f27705dae73344"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5801e65206b065b0b2af032f7f1eef222aa2fd83"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fdfb47e85af1e11ec822c82739dde2dd8dff5115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.