Wind River Support Network

Acknowledged

LIN1025-5698 : Security Advisory - linux - CVE-2025-40096

Created: Oct 31, 2025    Updated: Nov 3, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies

When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free.

Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this:

drm_sched_job_add_implicit_dependencies():
...
       for (i = 0; i < fence_count; i++) {
               ret = drm_sched_job_add_dependency(job, fences[i]);
               if (ret)
                       break;
       }

       for (; i < fence_count; i++)
               dma_fence_put(fences[i]);

Which means for the failing 'i' the dma_fence_put was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.

The bug was then only noticed and fixed after commit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2") landed, with its fixup of commit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies").

At that point it was a slightly different flavour of a double free, which commit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder") noticed and attempted to fix.

But it only moved the double free from happening inside the drm_sched_job_add_dependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.

As such it is not easy to identify the right target for the Fixes tag so let's keep it simple and just continue the chain.

While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.
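As an added illustration (not code from the advisory or from the kernel), the reference-ownership rule described above modelled in plain C: a constructed refcounted fence, a stand-in for drm_sched_job_add_dependency() that consumes the reference it is handed on both success and failure, and the buggy caller beside the fixed one. All names, the simulated xarray failure flag and the double-free bookkeeping are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a dma_fence: a refcount plus bookkeeping that
 * records any put on an already-freed object, i.e. a double free. */
struct fence {
    int refcount;
    bool freed;
    int double_frees;
};

static void fence_get(struct fence *f) { f->refcount++; }
static void fence_put(struct fence *f)
{
    if (f->freed) {             /* the real dma_fence_put() would touch freed memory here */
        f->double_frees++;
        return;
    }
    if (--f->refcount == 0)
        f->freed = true;
}

/* Stand-in for drm_sched_job_add_dependency(): it CONSUMES the reference it is
 * handed. On success the job keeps it; on failure (xarray could not expand,
 * simulated by callee_fails) it is dropped here before returning the error. */
static int job_add_dependency(struct fence **job_slot, struct fence *f, bool callee_fails)
{
    if (callee_fails) {
        fence_put(f);
        return -ENOMEM;
    }
    *job_slot = f;
    return 0;
}

/* Caller pattern from the advisory. fixed_caller selects whether the error path
 * puts the fence again (the bug) or trusts the callee to have consumed it (the
 * fix). Returns how many double frees the run produced. */
int run_add_resv_dependency(bool fixed_caller, bool callee_fails)
{
    struct fence f = { .refcount = 0, .freed = false, .double_frees = 0 };
    struct fence *job_slot = NULL;

    fence_get(&f);                              /* reference taken for the job */
    if (job_add_dependency(&job_slot, &f, callee_fails) != 0 && !fixed_caller)
        fence_put(&f);                          /* BUG: callee already released it */
    if (job_slot)                               /* job teardown drops its reference */
        fence_put(job_slot);
    return f.double_frees;
}
```

Only the combination of the buggy caller and a failing callee reports a double free; the fixed caller is clean on both paths and still leaks nothing, because the callee dropped the reference for it.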