Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver
nvDevice::SetAppSupportBits is external method 0x107 of the nvAccelerator IOService. It calls task_deallocate without locking. Two threads can race calling this external method to drop two task references when only one is held. Note that the repro forks a child which gives the nvAccelerator a...
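The race described above, modelled as an added example: this is not the driver's, Apple's or the advisory's code, and task_t, task_reference, task_deallocate, nv_device and the two release functions are stand-in names chosen for the illustration. It puts the unlocked check-then-drop pattern beside a locked version and replays the losing schedule deterministically (both callers load the pointer before either clears it) instead of leaving it to thread timing, so the double drop and the owner's later use-after-free are visible on every run.

```c
/* Added model of an unlocked reference drop racing against itself.
 * Stand-in names only; not NVIDIA, Apple or XNU code. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for a kernel task: freed when the last reference is dropped. */
typedef struct task {
    int  refcount;
    bool freed;            /* memory would go back to the zone here */
    bool use_after_free;   /* set if anything touches the task after free */
} task_t;

static void task_reference(task_t *t) { t->refcount++; }

static void task_deallocate(task_t *t) {
    if (t->freed) { t->use_after_free = true; return; } /* kernel: write to freed memory */
    if (--t->refcount == 0) t->freed = true;
}

/* Stand-in for the driver object: holds one task reference while task != NULL. */
typedef struct nv_device {
    task_t *task;
    pthread_mutex_t lock;
} nv_device_t;

/* Vulnerable pattern (no lock): check-then-drop. Between loading dev->task and
 * storing NULL, a second caller can load the same pointer and drop it again. */
static void release_task_unlocked(nv_device_t *dev) {
    task_t *t = dev->task;
    if (t != NULL) {
        task_deallocate(t);
        dev->task = NULL;
    }
}

/* Hardened pattern: swap the pointer out under the lock so only one caller
 * ever sees it non-NULL; the drop itself may happen after unlocking. */
static void release_task_locked(nv_device_t *dev) {
    pthread_mutex_lock(&dev->lock);
    task_t *t = dev->task;
    dev->task = NULL;
    pthread_mutex_unlock(&dev->lock);
    if (t != NULL) task_deallocate(t);
}

/* Deterministic replay of the losing schedule for release_task_unlocked:
 * both callers execute the load before either executes the store, so the
 * device's single reference is dropped twice and the owner's is stolen. */
static task_t replay_unlocked_race(void) {
    task_t t = { .refcount = 1 };                       /* owner's reference */
    nv_device_t dev = { .task = &t, .lock = PTHREAD_MUTEX_INITIALIZER };
    task_reference(&t);                                 /* device's reference: 2 */

    task_t *seen_by_a = dev.task;   /* thread A: `t = dev->task` */
    task_t *seen_by_b = dev.task;   /* thread B: same load, before A stores NULL */
    task_deallocate(seen_by_a); dev.task = NULL;   /* A drops the device's ref: 1 */
    task_deallocate(seen_by_b); dev.task = NULL;   /* B drops a ref nobody holds: 0, freed */

    task_deallocate(&t);   /* owner exits and drops its own reference: use after free */
    return t;
}

/* The same two callers against release_task_locked: the lock serializes
 * them, so the second caller finds NULL and drops nothing. */
static task_t replay_locked_calls(void) {
    task_t t = { .refcount = 1 };
    nv_device_t dev = { .task = &t, .lock = PTHREAD_MUTEX_INITIALIZER };
    task_reference(&t);

    release_task_locked(&dev);   /* caller A: drops the device's reference: 1 */
    release_task_locked(&dev);   /* caller B: sees NULL, no-op */

    task_deallocate(&t);         /* owner exits: clean free, no UAF */
    return t;
}

int main(void) {
    task_t r = replay_unlocked_race();
    task_t l = replay_locked_calls();
    printf("unlocked, racing callers: freed=%d use_after_free=%d\n", r.freed, r.use_after_free);
    printf("locked, same callers:     freed=%d use_after_free=%d\n", l.freed, l.use_after_free);

    /* Without contention the unlocked version is benign, which is why such
     * bugs survive ordinary testing: the second call just sees NULL. */
    task_t t = { .refcount = 2 };
    nv_device_t dev = { .task = &t, .lock = PTHREAD_MUTEX_INITIALIZER };
    release_task_unlocked(&dev);
    release_task_unlocked(&dev);
    printf("unlocked, sequential callers: refcount=%d\n", t.refcount);
    return 0;
}
```

The fix in the locked variant is the atomic swap of the stored pointer, not the deallocate call itself: once a caller has exchanged the field for NULL under the lock it owns that reference outright, so it can drop it after unlocking without a second caller ever observing the same pointer.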