Linux Kernel Double Free Vulnerability in DRM Scheduler Dependency Management

Vulnerability

A double free vulnerability has been identified in the Linux kernel's Direct Rendering Manager (DRM) scheduler. The issue is in the 'drm_sched_job_add_resv_dependencies' function: the 'drm_sched_job_add_dependency' call it makes consumes the fence reference on both the success and the failure path, so when that call fails, the caller's subsequent 'dma_fence_put' drops a reference it no longer owns, producing a double free. The bug has existed since dependency tracking was introduced in an earlier commit. It was only recognized and addressed after a later commit changed the dependency handling, and that fix inadvertently moved the double free to a different part of the code.

Impact

Triggering this vulnerability corrupts kernel memory through a double free, which could potentially be leveraged to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by adding reservation dependencies in the DRM scheduler without correctly managing the fence reference: calling 'drm_sched_job_add_resv_dependencies' with a job whose dependencies make the 'drm_sched_job_add_dependency' call fail triggers the double free when 'dma_fence_put' is then called on the reference that has already been released.
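The ownership rule behind the bug, as an added userspace model that is not the kernel's code: the struct names, the `add_dependency` stand-in and its "table full" failure are constructed so the sequence runs offline. The buggy caller does the extra put the advisory describes; the fixed caller leaves the reference to the callee. A put on a released fence is recorded rather than corrupting memory, so the two outcomes can be compared directly.

```c
#include <stdbool.h>

/* Constructed userspace model of a refcounted fence, not the kernel's struct
 * dma_fence: release is recorded instead of freeing memory, and a put on an
 * already-released fence sets `double_put` instead of corrupting the heap. */
struct model_fence { int refcount; bool freed; bool double_put; };
struct model_job { struct model_fence *deps[2]; int ndeps; };

static void fence_get(struct model_fence *f) { f->refcount++; }
static void fence_put(struct model_fence *f)
{
    if (f->freed) { f->double_put = true; return; }  /* the double free */
    if (--f->refcount == 0) f->freed = true;          /* last owner gone */
}

/* Stand-in for drm_sched_job_add_dependency(): takes ownership of the caller's
 * reference and drops it itself on the failure path, which is the contract the
 * advisory describes. A full dependency table models an allocation failure. */
static int add_dependency(struct model_job *job, struct model_fence *f)
{
    if (job->ndeps == 2) { fence_put(f); return -1; }  /* reference consumed */
    job->deps[job->ndeps++] = f;                        /* job now owns it */
    return 0;
}

/* Caller pattern from the advisory: an extra put after a failed add. */
static int add_resv_deps_buggy(struct model_job *job, struct model_fence *f)
{
    fence_get(f);                        /* extra reference for the job */
    int ret = add_dependency(job, f);
    if (ret) fence_put(f);               /* BUG: callee already dropped it */
    return ret;
}

/* Corrected pattern: the callee owns the reference after the call; never put here. */
static int add_resv_deps_fixed(struct model_job *job, struct model_fence *f)
{
    fence_get(f);
    return add_dependency(job, f);
}

/* Adds one fence to a job already holding `prefilled` deps, then has the
 * reservation drop its own reference; true if that put hit a released fence. */
static bool double_put_observed(bool use_fixed, int prefilled)
{
    struct model_fence f = { .refcount = 1 };   /* reservation's reference */
    struct model_job job = { .ndeps = prefilled };
    if (use_fixed) add_resv_deps_fixed(&job, &f);
    else add_resv_deps_buggy(&job, &f);
    fence_put(&f);                               /* reservation lets go */
    return f.double_put;
}
```

Only the combination of the buggy caller and a failed add reports a put on a released fence; on the success path both callers behave identically, which is why the defect survived until the failure path was exercised.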

Remediation

Users can upgrade to the latest version of the Linux kernel, in which this vulnerability has been fixed. Instructions for obtaining the patched version can be found in the Linux kernel documentation.

Added: Oct 30, 2025, 10:33 AM
Updated: Oct 30, 2025, 3:34 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 1.3
exploitability: 4.3
remediation: 7.7
relevance: 0.9
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.