CVE-2025-40096

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-40096
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40096.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40096
Downstream
Published
2025-10-30T09:48:03Z
Modified
2025-10-30T21:41:39.170517Z
Summary
drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/sched: Fix potential double free in drmschedjobaddresv_dependencies

When adding dependencies with drmschedjobadddependency(), that function consumes the fence reference both on success and failure, so in the latter case the dmafenceput() on the error path (xarray failed to expand) is a double free.

Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the code back then looked like this:

drmschedjobaddimplicitdependencies(): ... for (i = 0; i < fencecount; i++) { ret = drmschedjobadddependency(job, fences[i]); if (ret) break; }

   for (; i < fence_count; i++)
           dma_fence_put(fences[i]);

Which means for the failing 'i' the dmafenceput was already a double free. Possibly there were no users at that time, or the test cases were insufficient to hit it.

The bug was then only noticed and fixed after commit 9c2ba265352a ("drm/scheduler: use new iterator in drmschedjobaddimplicitdependencies v2") landed, with its fixup of commit 4eaf02d6076c ("drm/scheduler: fix drmschedjobaddimplicitdependencies").

At that point it was a slightly different flavour of a double free, which commit 963d0b356935 ("drm/scheduler: fix drmschedjobaddimplicit_dependencies harder") noticed and attempted to fix.

But it only moved the double free from happening inside the drmschedjobadddependency(), when releasing the reference not yet obtained, to the caller, when releasing the reference already released by the former in the failure case.

As such it is not easy to identify the right target for the fixes tag so lets keep it simple and just continue the chain.

While fixing we also improve the comment and explain the reason for taking the reference and not dropping it.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
963d0b3569354230f6e2c36a286ef270a8901878
Fixed
4c38a63ae12ecc9370a7678077bde2d61aa80e9c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
963d0b3569354230f6e2c36a286ef270a8901878
Fixed
57239762aa90ad768dac055021f27705dae73344
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
963d0b3569354230f6e2c36a286ef270a8901878
Fixed
e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
963d0b3569354230f6e2c36a286ef270a8901878
Fixed
fdfb47e85af1e11ec822c82739dde2dd8dff5115
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
963d0b3569354230f6e2c36a286ef270a8901878
Fixed
5801e65206b065b0b2af032f7f1eef222aa2fd83

Affected versions

v5.*

v5.16
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.100
v6.1.101
v6.1.102
v6.1.103
v6.1.104
v6.1.105
v6.1.106
v6.1.107
v6.1.108
v6.1.109
v6.1.11
v6.1.110
v6.1.111
v6.1.112
v6.1.113
v6.1.114
v6.1.115
v6.1.116
v6.1.117
v6.1.118
v6.1.119
v6.1.12
v6.1.120
v6.1.121
v6.1.122
v6.1.123
v6.1.124
v6.1.125
v6.1.126
v6.1.127
v6.1.128
v6.1.129
v6.1.13
v6.1.130
v6.1.131
v6.1.132
v6.1.133
v6.1.134
v6.1.135
v6.1.136
v6.1.137
v6.1.138
v6.1.139
v6.1.14
v6.1.140
v6.1.141
v6.1.142
v6.1.143
v6.1.144
v6.1.145
v6.1.146
v6.1.147
v6.1.148
v6.1.149
v6.1.15
v6.1.150
v6.1.151
v6.1.152
v6.1.153
v6.1.154
v6.1.155
v6.1.156
v6.1.157
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.9
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.54
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.17.3
v6.17.4
v6.18-rc1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.100
v6.6.101
v6.6.102
v6.6.103
v6.6.104
v6.6.105
v6.6.106
v6.6.107
v6.6.108
v6.6.109
v6.6.11
v6.6.110
v6.6.111
v6.6.112
v6.6.113
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.59
v6.6.6
v6.6.60
v6.6.61
v6.6.62
v6.6.63
v6.6.64
v6.6.65
v6.6.66
v6.6.67
v6.6.68
v6.6.69
v6.6.7
v6.6.70
v6.6.71
v6.6.72
v6.6.73
v6.6.74
v6.6.75
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.8
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87
v6.6.88
v6.6.89
v6.6.9
v6.6.90
v6.6.91
v6.6.92
v6.6.93
v6.6.94
v6.6.95
v6.6.96
v6.6.97
v6.6.98
v6.6.99
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "id": "CVE-2025-40096-097b2c81",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "124332128071171532838491121495757867807",
            "length": 295.0
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c",
            "function": "drm_sched_job_add_resv_dependencies"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5801e65206b065b0b2af032f7f1eef222aa2fd83"
    },
    {
        "id": "CVE-2025-40096-10677b9a",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "124332128071171532838491121495757867807",
            "length": 295.0
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c",
            "function": "drm_sched_job_add_resv_dependencies"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fdfb47e85af1e11ec822c82739dde2dd8dff5115"
    },
    {
        "id": "CVE-2025-40096-30e0e5ce",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "171491934571889931821886355705122164299",
                "37845142039159436150087031346119044784",
                "82091325732321433836189918865037613878",
                "219320648386948165730877109118143772710",
                "294265690253738939371370070963617176731",
                "85117110226747646078837358247129536007",
                "122956577945259073651913775534788527843",
                "264457927584748018710462603936151592342",
                "267868390585593816517915983992887850017"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fdfb47e85af1e11ec822c82739dde2dd8dff5115"
    },
    {
        "id": "CVE-2025-40096-3eb898d7",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "171491934571889931821886355705122164299",
                "37845142039159436150087031346119044784",
                "82091325732321433836189918865037613878",
                "219320648386948165730877109118143772710",
                "294265690253738939371370070963617176731",
                "85117110226747646078837358247129536007",
                "122956577945259073651913775534788527843",
                "264457927584748018710462603936151592342",
                "267868390585593816517915983992887850017"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5801e65206b065b0b2af032f7f1eef222aa2fd83"
    },
    {
        "id": "CVE-2025-40096-40401b87",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "171491934571889931821886355705122164299",
                "37845142039159436150087031346119044784",
                "82091325732321433836189918865037613878",
                "219320648386948165730877109118143772710",
                "294265690253738939371370070963617176731",
                "85117110226747646078837358247129536007",
                "122956577945259073651913775534788527843",
                "264457927584748018710462603936151592342",
                "267868390585593816517915983992887850017"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@57239762aa90ad768dac055021f27705dae73344"
    },
    {
        "id": "CVE-2025-40096-97b32e9d",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "124332128071171532838491121495757867807",
            "length": 295.0
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c",
            "function": "drm_sched_job_add_resv_dependencies"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@57239762aa90ad768dac055021f27705dae73344"
    },
    {
        "id": "CVE-2025-40096-adc3799e",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "124332128071171532838491121495757867807",
            "length": 295.0
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c",
            "function": "drm_sched_job_add_resv_dependencies"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11"
    },
    {
        "id": "CVE-2025-40096-cbaa5036",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "171491934571889931821886355705122164299",
                "37845142039159436150087031346119044784",
                "82091325732321433836189918865037613878",
                "219320648386948165730877109118143772710",
                "294265690253738939371370070963617176731",
                "85117110226747646078837358247129536007",
                "122956577945259073651913775534788527843",
                "264457927584748018710462603936151592342",
                "267868390585593816517915983992887850017"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e5e3eb2aff92994ee81ce633f1c4e73bd4b87e11"
    },
    {
        "id": "CVE-2025-40096-d8159f3e",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "187128006220926991708341084338978136881",
            "length": 333.0
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c",
            "function": "drm_sched_job_add_implicit_dependencies"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c38a63ae12ecc9370a7678077bde2d61aa80e9c"
    },
    {
        "id": "CVE-2025-40096-dbbdf7a9",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "134440189725675510885092992167010972419",
                "13552162000980582041852808559819410484",
                "37064847653518880023300058528500835004",
                "219320648386948165730877109118143772710",
                "294265690253738939371370070963617176731",
                "85117110226747646078837358247129536007",
                "122956577945259073651913775534788527843",
                "264457927584748018710462603936151592342",
                "267868390585593816517915983992887850017"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/scheduler/sched_main.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c38a63ae12ecc9370a7678077bde2d61aa80e9c"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.158
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.114
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.55
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.5