CVE-2025-71099

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()<br /> <br /> In xe_oa_add_config_ioctl(), we accessed oa_config-&gt;id after dropping<br /> metrics_lock. Since this lock protects the lifetime of oa_config, an<br /> attacker could guess the id and call xe_oa_remove_config_ioctl() with<br /> perfect timing, freeing oa_config before we dereference it, leading to<br /> a potential use-after-free.<br /> <br /> Fix this by caching the id in a local variable while holding the lock.<br /> <br /> v2: (Matt A)<br /> - Dropped mutex_unlock(&amp;oa-&gt;metrics_lock) ordering change from<br /> xe_oa_remove_config_ioctl()<br /> <br /> (cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)