CVE-2023-52486

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/03/2024
Last modified:
14/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm: Don't unref the same fb many times by mistake due to deadlock handling

If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top. But we forget to reset the fb pointer back to NULL, and so if we then get another error during the retry, before the fb lookup, we proceed to unref the same fb again without having gotten another reference. The end result is that the fb will (eventually) end up being freed while it's still in use.

Reset fb to NULL once we've unreffed it to avoid doing it again until we've done another fb lookup.

This turned out to be pretty easy to hit on a DG2 when doing async flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw was that drm_closefb() simply got stuck in a busy loop while walking the framebuffer list. Fortunately I was able to convince it to oops instead, and from there it was easier to track down the culprit.
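The reference-counting mistake described above is a general retry-loop pattern, so the following added example (constructed user-space C, not kernel or DRM code) reproduces it with a simulated refcounted object: lookup takes a reference, a "deadlock" after the lookup drops it and retries, and an error before the next lookup reaches the common exit path that unrefs whatever the pointer still holds. The names fb_lookup, fb_unref, page_flip and the scripted step functions are assumptions for this simulation; the fix parameter switches between the buggy flow and the corrected one that resets the pointer to NULL after the unref.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a refcounted framebuffer; not the kernel's struct. */
struct fb {
    int refcount;   /* simulated kref; the owner holds one reference */
    int frees;      /* how often "free" ran; 1 while the owner still uses it is the bug */
};

/* Lookup hands back a new reference, as a real object lookup would. */
static struct fb *fb_lookup(struct fb *obj)
{
    obj->refcount++;
    return obj;
}

/* Dropping the last reference would free the object. */
static void fb_unref(struct fb *obj)
{
    if (--obj->refcount == 0)
        obj->frees++;
}

enum step { STEP_OK, STEP_DEADLOCK, STEP_EARLY_ERR };

/* Scripted events mirroring the description:
 * attempt 0: lookup succeeds, then a deadlock after the lookup forces a retry;
 * attempt 1: an error occurs before the lookup and we jump straight to the exit path. */
static enum step pre_lookup_step(int attempt)
{
    return attempt == 1 ? STEP_EARLY_ERR : STEP_OK;
}

static enum step post_lookup_step(int attempt)
{
    return attempt == 0 ? STEP_DEADLOCK : STEP_OK;
}

/* fix == false: the pointer keeps dangling after the unref (the bug);
 * fix == true: reset it to NULL so the exit path cannot unref it again. */
static int page_flip(struct fb *obj, bool fix)
{
    struct fb *fb = NULL;
    int attempt = 0;
    int ret = 0;

retry:
    if (pre_lookup_step(attempt) == STEP_EARLY_ERR) {
        ret = -1;
        goto out;           /* fb still points at the object on the retry */
    }
    fb = fb_lookup(obj);    /* we now hold one extra reference */
    if (post_lookup_step(attempt) == STEP_DEADLOCK) {
        fb_unref(fb);       /* give the reference back before retrying */
        if (fix)
            fb = NULL;      /* the fix: nothing to unref until the next lookup */
        attempt++;
        goto retry;
    }
out:
    if (fb)
        fb_unref(fb);       /* without the fix this drops a reference we do not own */
    return ret;
}

/* Owner's refcount after the flow: 1 is correct, 0 means it was dropped underneath the owner. */
static int refs_after_flip(bool fix)
{
    struct fb obj = { 1, 0 };
    page_flip(&obj, fix);
    return obj.refcount;
}

/* Number of frees that happened while the owner still held its reference. */
static int premature_frees(bool fix)
{
    struct fb obj = { 1, 0 };
    page_flip(&obj, fix);
    return obj.frees;
}

int main(void)
{
    printf("buggy: refcount=%d frees=%d\n", refs_after_flip(false), premature_frees(false));
    printf("fixed: refcount=%d frees=%d\n", refs_after_flip(true), premature_frees(true));
    return 0;
}
```

In the buggy flow the owner's single reference is consumed by the exit path, so the object is "freed" while still in use; with the pointer reset the retry's early error has nothing to unref and the owner's reference survives. Any resource released on a shared exit path after a retry should be cleared the moment it is released, which is what the patch does.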

Vulnerable products and versions

CPE                                           From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                     4.19.307 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  4.20 (including)   5.4.269 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.5 (including)    5.10.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.11 (including)   5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  5.16 (including)   6.1.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.2 (including)    6.6.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*  6.7 (including)    6.7.3 (excluding)