In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix invalid reads in fence signaled events
Correctly set the length of the drm_event to the size of the structure that's actually used.
The length of the drmevent was set to the parent structure instead of to the drmvmweventfence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resuling in oob reads.