git.ipfire.org Git - thirdparty/kernel/linux.git/commit
drm/panthor: Avoid potential UAF due to memory reclaim
author Akash Goel <akash.goel@arm.com>
Mon, 13 Apr 2026 08:02:53 +0000 (09:02 +0100)
committer Steven Price <steven.price@arm.com>
Thu, 7 May 2026 13:16:44 +0000 (14:16 +0100)
commit aa33054b314e3c78e082dcd58895c2cb64c9f2c7
tree 085605290f7d115b0a56b160e5c40855409fe537
parent 921578cf373981eba92774a27f7644a11282cf89
drm/panthor: Avoid potential UAF due to memory reclaim

Recent changes to add shrinker support introduced a use after free
vulnerability.
When a BO is evicted from the shrinker callback, all its CPU and GPU
mappings are invalidated. It can happen that another GPU mapping is
created for the BO after the eviction. Because of the new GPU mapping,
the BO will be added back to one of the reclaim lists but the state of
the corresponding vm_bo will not be changed.
If vm_bo remains in evicted state and shrinker callback is invoked
again then the new GPU mapping won't be invalidated. As a result the
backing pages, which were acquired on the creation of new GPU mapping,
can get reclaimed and reused whilst they are still mapped to the GPU.

To prevent the use after free possibility, this commit removes the
evicted check for vm_bo so that all GPU mappings are checked for
invalidation.

v2:
 - Update comment and add a newline in
   panthor_vm_evict_bo_mappings_locked().

Fixes: fb42964e2a76 ("drm/panthor: Add a GEM shrinker")
Suggested-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Akash Goel <akash.goel@arm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Steven Price <steven.price@arm.com>
Link: https://patch.msgid.link/20260413080253.1288157-1-akash.goel@arm.com
drivers/gpu/drm/panthor/panthor_mmu.c
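
The sequence in the commit message (evict, map again, evict again), as a small user-space model added here for illustration; it is not code from the panthor driver or from this commit. All names (`model_bo`, `model_map`, `model_evict`, `skip_if_evicted`) are hypothetical, and the three booleans stand in for state the driver tracks in its own structures.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; all names are hypothetical, not panthor's structures. */
struct model_bo {
    bool pages_resident;   /* backing pages currently held */
    bool gpu_mapped;       /* a live GPU mapping points at those pages */
    bool vm_bo_evicted;    /* per-VM state flag set by the first eviction */
};

/* Creating a GPU mapping acquires backing pages; as the commit message
 * describes, the vm_bo state is not changed by this path. */
static void model_map(struct model_bo *bo)
{
    bo->pages_resident = true;
    bo->gpu_mapped = true;
}

/* Shrinker-style eviction. With skip_if_evicted set, a vm_bo already marked
 * evicted is skipped, so its newer mapping is never torn down. */
static void model_evict(struct model_bo *bo, bool skip_if_evicted)
{
    if (!(skip_if_evicted && bo->vm_bo_evicted))
        bo->gpu_mapped = false;    /* invalidate GPU mappings */

    bo->vm_bo_evicted = true;
    bo->pages_resident = false;    /* pages reclaimed and reusable */
}

/* Returns true if the GPU still maps pages that were reclaimed. */
static bool model_stale_mapping_after_remap(bool skip_if_evicted)
{
    struct model_bo bo = { 0 };

    model_map(&bo);                      /* initial mapping */
    model_evict(&bo, skip_if_evicted);   /* first reclaim pass */
    model_map(&bo);                      /* new mapping after eviction */
    model_evict(&bo, skip_if_evicted);   /* second reclaim pass */
    return bo.gpu_mapped && !bo.pages_resident;
}

int main(void)
{
    printf("with evicted check:    stale=%d\n", model_stale_mapping_after_remap(true));
    printf("without evicted check: stale=%d\n", model_stale_mapping_after_remap(false));
    return 0;
}
```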