The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in vgem_gem_dumb_create) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object.
CPE | Name | Operator | Version |
---|---|---|---|
debian_linux | eq | 10.0 | |
linux_kernel | lt | 5.6 | |
linux_kernel | eq | 5.6 rc1 | |
linux_kernel | eq | 5.6 |