CVE-2025-40096

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/10/2025
Last modified:
30/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies

When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.

Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this:

drm_sched_job_add_implicit_dependencies():
...
for (i = 0; i
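
An added example, not part of the advisory or the kernel source: a userspace C model of the ownership rule the description states, where the callee consumes the reference on both success and failure, so a caller that puts again on the error path drops a reference it no longer owns. The names fence, fence_get, fence_put, add_dependency and extra_puts are hypothetical stand-ins, and the extra reference taken before the call is an assumption of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of a refcounted fence (hypothetical stand-in for dma_fence). */
struct fence {
    int refs;      /* references currently held */
    int bad_puts;  /* puts issued after refs already reached zero */
};

static void fence_get(struct fence *f) { f->refs++; }

static void fence_put(struct fence *f)
{
    if (f->refs == 0)
        f->bad_puts++;  /* in the kernel this would be a second free */
    else
        f->refs--;
}

/* Callee contract from the description: the reference is consumed on
 * success (kept by the job) and on failure (dropped here). */
static int add_dependency(struct fence *f, bool store_fails)
{
    if (!store_fails)
        return 0;       /* job now owns the reference */
    fence_put(f);
    return -ENOMEM;
}

/* Returns the number of invalid puts seen once the original owner has
 * also released its reference. buggy=true repeats the put on error. */
int extra_puts(bool buggy, bool store_fails)
{
    struct fence f = { .refs = 1, .bad_puts = 0 };  /* owner's reference */

    fence_get(&f);                      /* assumption: ref taken for the callee */
    if (add_dependency(&f, store_fails) && buggy)
        fence_put(&f);                  /* caller drops a ref it no longer owns */
    fence_put(&f);                      /* owner releases its own reference */
    return f.bad_puts;
}

int main(void)
{
    printf("buggy caller, store fails: %d invalid put(s)\n", extra_puts(true, true));
    printf("fixed caller, store fails: %d invalid put(s)\n", extra_puts(false, true));
    return 0;
}
```

The imbalance only appears when the store fails, which is why a bug of this shape can sit unnoticed on a rarely taken error path.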

Impact