The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease the refcount of the *drm_vgem_gem_object* (created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create* will then access the freed *drm_vgem_gem_object*.
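The lifetime rule behind this bug, as an added single-threaded userspace model (not kernel or vgem code; every name in it is hypothetical). It assumes the create path drops its own reference once the handle is published, so only the handle's reference remains when a concurrent destroy runs; the `racer` callback stands in for that destroy, and the "safe" ordering is an illustration, not the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model only; every name here is hypothetical, not vgem source.
 * `freed` stands in for kfree(), so the model never touches freed memory. */
struct obj { int refcount; bool freed; size_t size; };

static struct obj *handle_slot;   /* one-entry "handle table" */

static void obj_put(struct obj *o) { if (--o->refcount == 0) o->freed = true; }

/* Models the destroy ioctl: removes the handle and drops its reference. */
static void destroy_handle(void)
{
    struct obj *o = handle_slot;
    handle_slot = NULL;
    if (o)
        obj_put(o);
}

static void publish(struct obj *o)
{
    o->refcount = 1;      /* creator's reference */
    o->freed = false;
    o->size = 4096;       /* constructed sample value */
    handle_slot = o;      /* handle becomes visible to other threads */
    o->refcount++;        /* reference owned by the handle */
}

/* Assumed buggy order: put first, read later. Returns true on a stale read. */
static bool create_racy(struct obj *o, void (*racer)(void), size_t *out)
{
    publish(o);
    obj_put(o);               /* only the handle's reference remains */
    if (racer) racer();       /* concurrent destroy drops it: object freed */
    *out = o->size;           /* in the kernel this read hits freed memory */
    return o->freed;
}

/* Safer order: finish every access, then drop the creator's reference. */
static bool create_safe(struct obj *o, void (*racer)(void), size_t *out)
{
    publish(o);
    if (racer) racer();       /* destroy can only drop the handle's reference */
    *out = o->size;
    bool stale = o->freed;
    obj_put(o);
    return stale;
}
```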
{ "urgency": "not yet assigned" }