The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object *(created in *vgem_gem_dumb_create*) concurrently, and *vgem_gem_dumb_create *will access the freed drm_vgem_gem_object.Referenceshttps://bugzilla.redhat.com/show_bug.cgi?id=2077560https://www.debian.org/security/2022/dsa-5173
