
CVE-2023-52648
Date: (C)2024-06-27   (M)2024-06-27


In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Unmap the surface before resetting it on a plane state

Switch to a new plane state requires unreferencing of all held surfaces. In the work required for mob cursors the mapped surfaces started being cached but the variable indicating whether the surface is currently mapped was not being reset. This leads to crashes as the duplicated state, incorrectly, indicates that the surface is mapped even when no surface is present. That's because after unreferencing the surface it's perfectly possible for the plane to be backed by a bo instead of a surface.

Reset the surface mapped flag when unreferencing the plane state surface to fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland.

---truncated---

CVSS Score and Metrics

CVSS V3 Severity:
CVSS Score: 7.5
Exploit Score: 3.9
Impact Score: 3.6

CVSS V3 Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

CVSS V2 Severity:
CVSS Score: 5.0
Exploit Score: 10.0
Impact Score: 2.9

CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL

Reference:
https://ubuntu.com/security/CVE-2023-52648

OVAL    3
oval:org.secpod.oval:def:709006
oval:org.secpod.oval:def:708990
oval:org.secpod.oval:def:708989
XCCDF    1

© SecPod Technologies