Message-ID: <2025103016-CVE-2025-40096-09cc@gregkh>
Date: Thu, 30 Oct 2025 10:48:23 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-40096: drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
When adding dependencies with drm_sched_job_add_dependency(), that
function consumes the fence reference both on success and failure, so in
the latter case the dma_fence_put() on the error path (xarray failed to
expand) is a double free.
Interestingly this bug appears to have been present ever since
commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code
back then looked like this:
drm_sched_job_add_implicit_dependencies():
...
       for (i = 0; i < fence_count; i++) {
               ret = drm_sched_job_add_dependency(job, fences[i]);
               if (ret)
                       break;
       }
       for (; i < fence_count; i++)
               dma_fence_put(fences[i]);
Which means for the failing 'i' the dma_fence_put was already a double
free. Possibly there were no users at that time, or the test cases were
insufficient to hit it.
The bug was then only noticed and fixed after
commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2")
landed, with its fixup of
commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies").
At that point it was a slightly different flavour of a double free, which
commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder")
noticed and attempted to fix.
But it only moved the double free from happening inside the
drm_sched_job_add_dependency(), when releasing the reference not yet
obtained, to the caller, when releasing the reference already released by
the former in the failure case.
As such it is not easy to identify the right target for the fixes tag so
let's keep it simple and just continue the chain.
While fixing we also improve the comment and explain the reason for taking
the reference and not dropping it.
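The ownership rule described above, as an added example that is not part of the commit or of the kernel's code: a constructed refcount model in which add_dependency() stands in for drm_sched_job_add_dependency() and consumes the caller's reference on both the success and the failure path, with the loop quoted from the commit message beside a variant that skips the already consumed fence. The fence, job, add_all and run_scenario names and the table_full flag are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#define NFENCES 3
/* Constructed stand-ins: a dma_fence reduced to its refcount (double_puts counts
 * puts on an already released fence, i.e. the double free) and the job's
 * dependency table (the xarray). */
struct fence { int refcount, double_puts; };
struct job { struct fence *deps[NFENCES]; int ndeps; };
static void fence_put(struct fence *f) { if (f->refcount <= 0) f->double_puts++; else f->refcount--; }

/* Models drm_sched_job_add_dependency(): the caller's reference is consumed on
 * both paths, kept by the table on success and dropped right here on failure. */
static int add_dependency(struct job *job, struct fence *f, bool table_full)
{
	if (table_full) {               /* stands in for the xarray failing to expand */
		fence_put(f);
		return -ENOMEM;
	}
	job->deps[job->ndeps++] = f;
	return 0;
}

/* fixed=false is the loop quoted in the commit message: after a failure it puts
 * fences[i], which the callee already released. fixed=true skips that fence. */
static int add_all(struct job *job, struct fence **fences, int n, int fail_at, bool fixed)
{
	int i, ret = 0;
	for (i = 0; i < n; i++) {
		ret = add_dependency(job, fences[i], i == fail_at);
		if (ret)
			break;
	}
	if (ret && fixed)
		i++;                    /* fences[i] was consumed by the callee; skip it */
	for (; i < n; i++)
		fence_put(fences[i]);   /* with fixed=false this puts fences[i] a second time */
	return ret;
}
/* Fails on the second fence; returns the double puts seen, *leaked = references never dropped. */
static int run_scenario(bool fixed, int *leaked)
{
	struct fence fences[NFENCES] = { {1, 0}, {1, 0}, {1, 0} }; /* caller holds one ref each */
	struct fence *ptrs[NFENCES] = { &fences[0], &fences[1], &fences[2] };
	struct job job = { 0 };
	int i, dbl = 0;
	add_all(&job, ptrs, NFENCES, 1, fixed);
	for (i = 0; i < job.ndeps; i++) fence_put(job.deps[i]); /* job teardown drops table refs */
	for (i = 0, *leaked = 0; i < NFENCES; i++)
		dbl += fences[i].double_puts, *leaked += fences[i].refcount;
	return dbl;
}
```

run_scenario(false, &leaked) reports one double put, run_scenario(true, &leaked) none, and both leave leaked at zero, which is the balance the corrected ownership handling must keep: every reference dropped exactly once.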
The Linux kernel CVE team has assigned CVE-2025-40096 to this issue.
Affected and fixed versions
===========================
	Issue introduced in 5.16 with commit 963d0b3569354230f6e2c36a286ef270a8901878 and fixed in 6.1.158 with commit 4c38a63ae12ecc9370a7678077bde2d61aa80e9c
	Issue introduced in 5.16 with commit 963d0b3569354230f6e2c36a286ef270a8901878 and fixed in 6.6.114 with commit 57239762aa90ad768dac055021f27705dae73344
	Issue introduced in 5.16 with commit 963d0b3569354230f6e2c36a286ef270a8901878 and fixed in 6.12.55 with commit e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11
	Issue introduced in 5.16 with commit 963d0b3569354230f6e2c36a286ef270a8901878 and fixed in 6.17.5 with commit fdfb47e85af1e11ec822c82739dde2dd8dff5115
	Issue introduced in 5.16 with commit 963d0b3569354230f6e2c36a286ef270a8901878 and fixed in 6.18-rc2 with commit 5801e65206b065b0b2af032f7f1eef222aa2fd83
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-40096
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
	drivers/gpu/drm/scheduler/sched_main.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4c38a63ae12ecc9370a7678077bde2d61aa80e9c
	https://git.kernel.org/stable/c/57239762aa90ad768dac055021f27705dae73344
	https://git.kernel.org/stable/c/e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11
	https://git.kernel.org/stable/c/fdfb47e85af1e11ec822c82739dde2dd8dff5115
	https://git.kernel.org/stable/c/5801e65206b065b0b2af032f7f1eef222aa2fd83