diff options
| author | Akash Goel <akash.goel@arm.com> | 2026-04-13 11:02:53 +0300 |
|---|---|---|
| committer | Steven Price <steven.price@arm.com> | 2026-05-07 16:16:44 +0300 |
| commit | aa33054b314e3c78e082dcd58895c2cb64c9f2c7 (patch) | |
| tree | 085605290f7d115b0a56b160e5c40855409fe537 /include | |
| parent | 921578cf373981eba92774a27f7644a11282cf89 (diff) | |
| download | linux-aa33054b314e3c78e082dcd58895c2cb64c9f2c7.tar.xz | |
drm/panthor: Avoid potential UAF due to memory reclaim
Recent changes to add shrinker support introduced a use after free
vulnerability.
When a BO is evicted from the shrinker callback, all its CPU and GPU
mappings are invalidated. It can happen that another GPU mapping is
created for the BO after the eviction. Because of the new GPU mapping,
BO will be added back to one of the reclaim list but the state of
corresponding vm_bo will not be changed.
If vm_bo remains in evicted state and shrinker callback is invoked
again then the new GPU mapping won't be invalidated. As a result the
backing pages, which were acquired on the creation of new GPU mapping,
can get reclaimed and reused whilst they are still mapped to the GPU.
To prevent the use after free possibility, this commit removes the
evicted check for vm_bo so that all GPU mappings are checked for
invalidation.
v2:
- Update comment and add a newline in
panthor_vm_evict_bo_mappings_locked().
Fixes: fb42964e2a76 ("drm/panthor: Add a GEM shrinker")
Suggested-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Akash Goel <akash.goel@arm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Steven Price <steven.price@arm.com>
Link: https://patch.msgid.link/20260413080253.1288157-1-akash.goel@arm.com
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions