In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix a fence leak in submit error path
In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case.
Patchwork: https://patchwork.freedesktop.org/patch/653584/
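The detection idea described above, as an added userspace model that is not the kernel patch or any msm/drm_sched code: every `model_` name, the `fixed` flag and the counter are hypothetical stand-ins. It shows that a still-set `s_fence` at the final unref identifies a job that was never pushed, and that checking it does not double-clean a job that was.

```c
#include <stdio.h>

/* Userspace model: every name here is a hypothetical stand-in, not the
 * kernel's drm_sched or msm code. */
static int live_fences;            /* fences created and not yet released */
static int fence_slot;             /* constructed placeholder fence object */

struct model_job    { int *s_fence; };
struct model_submit { struct model_job base; };

/* Job init creates the scheduler fence. */
static void model_job_init(struct model_job *job)
{
    job->s_fence = &fence_slot;
    live_fences++;
}

/* Cleanup releases the fence and NULLs s_fence, as the text describes. */
static void model_job_cleanup(struct model_job *job)
{
    job->s_fence = NULL;
    live_fences--;
}

/* Final unref of the submit. With fixed set, a non-NULL s_fence means the
 * job was never pushed, so no free callback ran and cleanup happens here. */
static void model_submit_destroy(struct model_submit *s, int fixed)
{
    if (fixed && s->base.s_fence)
        model_job_cleanup(&s->base);
}

/* Runs one submit; returns the number of fences still live afterwards. */
int model_run(int fail_before_push, int fixed)
{
    struct model_submit s = { { NULL } };
    live_fences = 0;
    model_job_init(&s.base);
    if (!fail_before_push)
        model_job_cleanup(&s.base);   /* pushed: free callback cleans up */
    model_submit_destroy(&s, fixed);
    return live_fences;
}

int main(void)
{
    printf("error path leaked: unfixed=%d fixed=%d\n",
           model_run(1, 0), model_run(1, 1));
    return 0;
}
```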