In the Linux kernel, the following vulnerability has been resolved:
fbdev: hyperv_fb: Allow graceful removal of framebuffer
When a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to release the framebuffer forcefully. If this framebuffer is in use it produce the following WARN and hence this framebuffer is never released.
[ 44.111220] WARNING: CPU: 35 PID: 1882 at drivers/video/fbdev/core/fbinfo.c:70 framebufferrelease+0x2c/0x40 < snip > [ 44.111289] Call Trace: [ 44.111290] <TASK> [ 44.111291] ? showregs+0x6c/0x80 [ 44.111295] ? _warn+0x8d/0x150 [ 44.111298] ? framebufferrelease+0x2c/0x40 [ 44.111300] ? reportbug+0x182/0x1b0 [ 44.111303] ? handlebug+0x6e/0xb0 [ 44.111306] ? excinvalidop+0x18/0x80 [ 44.111308] ? asmexcinvalidop+0x1b/0x20 [ 44.111311] ? framebufferrelease+0x2c/0x40 [ 44.111313] ? hvfbremove+0x86/0xa0 [hypervfb] [ 44.111315] vmbusremove+0x24/0x40 [hvvmbus] [ 44.111323] deviceremove+0x40/0x80 [ 44.111325] devicereleasedriverinternal+0x20b/0x270 [ 44.111327] ? busfind_device+0xb3/0xf0
Fix this by moving the release of framebuffer and assosiated memory to fbops.fbdestroy function, so that framebuffer framework handles it gracefully.
While we fix this, also replace manual registrations/unregistration of framebuffer with devmregisterframebuffer.