* [PATCH v2] drm/panthor: Avoid potential UAF due to memory reclaim
@ 2026-04-13 8:02 Akash Goel
2026-04-13 11:13 ` Steven Price
2026-04-13 14:53 ` Liviu Dudau
0 siblings, 2 replies; 3+ messages in thread
From: Akash Goel @ 2026-04-13 8:02 UTC (permalink / raw)
To: boris.brezillon, liviu.dudau, steven.price
Cc: dri-devel, linux-kernel, maarten.lankhorst, mripard, tzimmermann,
airlied, daniel, nd, Akash Goel
Recent changes to add shrinker support introduced a use after free
vulnerability.
When a BO is evicted from the shrinker callback, all its CPU and GPU
mappings are invalidated. It can happen that another GPU mapping is
created for the BO after the eviction. Because of the new GPU mapping,
BO will be added back to one of the reclaim list but the state of
corresponding vm_bo will not be changed.
If vm_bo remains in evicted state and shrinker callback is invoked
again then the new GPU mapping won't be invalidated. As a result the
backing pages, which were acquired on the creation of new GPU mapping,
can get reclaimed and reused whilst they are still mapped to the GPU.
To prevent the use after free possibility, this commit removes the
evicted check for vm_bo so that all GPU mappings are checked for
invalidation.
v2:
- Update comment and add a newline in
panthor_vm_evict_bo_mappings_locked().
Fixes: fb42964e2a76 ("drm/panthor: Add a GEM shrinker")
Suggested-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Akash Goel <akash.goel@arm.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
---
drivers/gpu/drm/panthor/panthor_mmu.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
index fa8b31df85c9..592a6829bee6 100644
--- a/drivers/gpu/drm/panthor/panthor_mmu.c
+++ b/drivers/gpu/drm/panthor/panthor_mmu.c
@@ -2350,14 +2350,20 @@ int panthor_vm_evict_bo_mappings_locked(struct panthor_gem_object *bo)
struct panthor_vm *vm = container_of(vm_bo->vm, struct panthor_vm, base);
struct drm_gpuva *va;
- /* Skip already evicted GPU mappings. */
- if (vm_bo->evicted)
- continue;
-
if (!mutex_trylock(&vm->op_lock))
return -EDEADLK;
- drm_gpuvm_bo_evict(vm_bo, true);
+ /* It can be that the vm_bo was already evicted but a new
+ * mapping pointing to this BO got created in the meantime,
+ * thus turning the vm_bo in partially evicted state. In that case
+ * we don't call drm_gpuvm_bo_evict() again because this would
+ * mess up with the internal gpuvm lists, but we do walk the
+ * VAs on this vm_bo to make sure the non-evicted ones are
+ * torn down.
+ */
+ if (!vm_bo->evicted)
+ drm_gpuvm_bo_evict(vm_bo, true);
+
drm_gpuvm_bo_for_each_va(va, vm_bo) {
struct panthor_vma *vma = container_of(va, struct panthor_vma, base);
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH v2] drm/panthor: Avoid potential UAF due to memory reclaim
2026-04-13 8:02 [PATCH v2] drm/panthor: Avoid potential UAF due to memory reclaim Akash Goel
@ 2026-04-13 11:13 ` Steven Price
2026-04-13 14:53 ` Liviu Dudau
1 sibling, 0 replies; 3+ messages in thread
From: Steven Price @ 2026-04-13 11:13 UTC (permalink / raw)
To: Akash Goel, boris.brezillon, liviu.dudau
Cc: dri-devel, linux-kernel, maarten.lankhorst, mripard, tzimmermann,
airlied, daniel, nd
On 13/04/2026 09:02, Akash Goel wrote:
> Recent changes to add shrinker support introduced a use after free
> vulnerability.
> When a BO is evicted from the shrinker callback, all its CPU and GPU
> mappings are invalidated. It can happen that another GPU mapping is
> created for the BO after the eviction. Because of the new GPU mapping,
> BO will be added back to one of the reclaim list but the state of
> corresponding vm_bo will not be changed.
> If vm_bo remains in evicted state and shrinker callback is invoked
> again then the new GPU mapping won't be invalidated. As a result the
> backing pages, which were acquired on the creation of new GPU mapping,
> can get reclaimed and reused whilst they are still mapped to the GPU.
>
> To prevent the use after free possibility, this commit removes the
> evicted check for vm_bo so that all GPU mappings are checked for
> invalidation.
>
> v2:
> - Update comment and add a newline in
> panthor_vm_evict_bo_mappings_locked().
>
> Fixes: fb42964e2a76 ("drm/panthor: Add a GEM shrinker")
> Suggested-by: Boris Brezillon <boris.brezillon@collabora.com>
> Signed-off-by: Akash Goel <akash.goel@arm.com>
> Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
> ---
> drivers/gpu/drm/panthor/panthor_mmu.c | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
> index fa8b31df85c9..592a6829bee6 100644
> --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
> @@ -2350,14 +2350,20 @@ int panthor_vm_evict_bo_mappings_locked(struct panthor_gem_object *bo)
> struct panthor_vm *vm = container_of(vm_bo->vm, struct panthor_vm, base);
> struct drm_gpuva *va;
>
> - /* Skip already evicted GPU mappings. */
> - if (vm_bo->evicted)
> - continue;
> -
> if (!mutex_trylock(&vm->op_lock))
> return -EDEADLK;
>
> - drm_gpuvm_bo_evict(vm_bo, true);
> + /* It can be that the vm_bo was already evicted but a new
> + * mapping pointing to this BO got created in the meantime,
> + * thus turning the vm_bo in partially evicted state. In that case
> + * we don't call drm_gpuvm_bo_evict() again because this would
> + * mess up with the internal gpuvm lists, but we do walk the
> + * VAs on this vm_bo to make sure the non-evicted ones are
> + * torn down.
> + */
> + if (!vm_bo->evicted)
> + drm_gpuvm_bo_evict(vm_bo, true);
> +
> drm_gpuvm_bo_for_each_va(va, vm_bo) {
> struct panthor_vma *vma = container_of(va, struct panthor_vma, base);
>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH v2] drm/panthor: Avoid potential UAF due to memory reclaim
2026-04-13 8:02 [PATCH v2] drm/panthor: Avoid potential UAF due to memory reclaim Akash Goel
2026-04-13 11:13 ` Steven Price
@ 2026-04-13 14:53 ` Liviu Dudau
1 sibling, 0 replies; 3+ messages in thread
From: Liviu Dudau @ 2026-04-13 14:53 UTC (permalink / raw)
To: Akash Goel
Cc: boris.brezillon, steven.price, dri-devel, linux-kernel,
maarten.lankhorst, mripard, tzimmermann, airlied, daniel, nd
On Mon, Apr 13, 2026 at 09:02:53AM +0100, Akash Goel wrote:
> Recent changes to add shrinker support introduced a use after free
> vulnerability.
> When a BO is evicted from the shrinker callback, all its CPU and GPU
> mappings are invalidated. It can happen that another GPU mapping is
> created for the BO after the eviction. Because of the new GPU mapping,
> BO will be added back to one of the reclaim list but the state of
> corresponding vm_bo will not be changed.
> If vm_bo remains in evicted state and shrinker callback is invoked
> again then the new GPU mapping won't be invalidated. As a result the
> backing pages, which were acquired on the creation of new GPU mapping,
> can get reclaimed and reused whilst they are still mapped to the GPU.
>
> To prevent the use after free possibility, this commit removes the
> evicted check for vm_bo so that all GPU mappings are checked for
> invalidation.
>
> v2:
> - Update comment and add a newline in
> panthor_vm_evict_bo_mappings_locked().
>
> Fixes: fb42964e2a76 ("drm/panthor: Add a GEM shrinker")
> Suggested-by: Boris Brezillon <boris.brezillon@collabora.com>
> Signed-off-by: Akash Goel <akash.goel@arm.com>
> Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
I seem to have some email delivery delays, I've seen v2 after I've replied to v1:
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Best regards,
Liviu
> ---
> drivers/gpu/drm/panthor/panthor_mmu.c | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
> index fa8b31df85c9..592a6829bee6 100644
> --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
> @@ -2350,14 +2350,20 @@ int panthor_vm_evict_bo_mappings_locked(struct panthor_gem_object *bo)
> struct panthor_vm *vm = container_of(vm_bo->vm, struct panthor_vm, base);
> struct drm_gpuva *va;
>
> - /* Skip already evicted GPU mappings. */
> - if (vm_bo->evicted)
> - continue;
> -
> if (!mutex_trylock(&vm->op_lock))
> return -EDEADLK;
>
> - drm_gpuvm_bo_evict(vm_bo, true);
> + /* It can be that the vm_bo was already evicted but a new
> + * mapping pointing to this BO got created in the meantime,
> + * thus turning the vm_bo in partially evicted state. In that case
> + * we don't call drm_gpuvm_bo_evict() again because this would
> + * mess up with the internal gpuvm lists, but we do walk the
> + * VAs on this vm_bo to make sure the non-evicted ones are
> + * torn down.
> + */
> + if (!vm_bo->evicted)
> + drm_gpuvm_bo_evict(vm_bo, true);
> +
> drm_gpuvm_bo_for_each_va(va, vm_bo) {
> struct panthor_vma *vma = container_of(va, struct panthor_vma, base);
>
> --
> 2.25.1
>
--
====================
| I would like to |
| fix the world, |
| but they're not |
| giving me the |
\ source code! /
---------------
¯\_(ツ)_/¯
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-13 14:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-13 8:02 [PATCH v2] drm/panthor: Avoid potential UAF due to memory reclaim Akash Goel
2026-04-13 11:13 ` Steven Price
2026-04-13 14:53 ` Liviu Dudau
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox