From: Akash Goel
To: boris.brezillon@collabora.com, liviu.dudau@arm.com, steven.price@arm.com
Cc: dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, maarten.lankhorst@linux.intel.com, mripard@kernel.org, tzimmermann@suse.de, airlied@gmail.com, daniel@ffwll.ch, nd@arm.com, Akash Goel
Subject: [PATCH v2] drm/panthor: Avoid potential UAF due to memory reclaim
Date: Mon, 13 Apr 2026 09:02:53 +0100
Message-Id: <20260413080253.1288157-1-akash.goel@arm.com>

Recent changes to add shrinker support introduced a use after free vulnerability. When a BO is evicted from the shrinker callback, all its CPU and GPU mappings are invalidated. It can happen that another GPU mapping is created for the BO after the eviction. Because of the new GPU mapping, BO will be added back to one of the reclaim lists but the state of corresponding vm_bo will not be changed. If vm_bo remains in evicted state and shrinker callback is invoked again then the new GPU mapping won't be invalidated. As a result the backing pages, which were acquired on the creation of new GPU mapping, can get reclaimed and reused whilst they are still mapped to the GPU.

To prevent the use after free possibility, this commit removes the evicted check for vm_bo so that all GPU mappings are checked for invalidation.

v2:
- Update comment and add a newline in panthor_vm_evict_bo_mappings_locked().

Fixes: fb42964e2a76 ("drm/panthor: Add a GEM shrinker")
Suggested-by: Boris Brezillon
Signed-off-by: Akash Goel
Reviewed-by: Boris Brezillon
--- drivers/gpu/drm/panthor/panthor_mmu.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c index fa8b31df85c9..592a6829bee6 100644 --- a/drivers/gpu/drm/panthor/panthor_mmu.c +++ b/drivers/gpu/drm/panthor/panthor_mmu.c 
@@ -2350,14 +2350,20 @@ int panthor_vm_evict_bo_mappings_locked(struct panthor_gem_object *bo) struct panthor_vm *vm = container_of(vm_bo->vm, struct panthor_vm, base); struct drm_gpuva *va; - /* Skip already evicted GPU mappings. */ - if (vm_bo->evicted) - continue; - if (!mutex_trylock(&vm->op_lock)) return -EDEADLK; - drm_gpuvm_bo_evict(vm_bo, true); + /* It can be that the vm_bo was already evicted but a new + * mapping pointing to this BO got created in the meantime, + * thus turning the vm_bo in partially evicted state. In that case + * we don't call drm_gpuvm_bo_evict() again because this would + * mess up with the internal gpuvm lists, but we do walk the + * VAs on this vm_bo to make sure the non-evicted ones are + * torn down. + */ + if (!vm_bo->evicted) + drm_gpuvm_bo_evict(vm_bo, true); + drm_gpuvm_bo_for_each_va(va, vm_bo) { struct panthor_vma *vma = container_of(va, struct panthor_vma, base); -- 2.25.1
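
Review bot: with the `if (vm_bo->evicted) continue;` skip removed at the top of the loop, `mutex_trylock(&vm->op_lock)` is now attempted for vm_bos that are already fully evicted, so the function can return -EDEADLK for a vm_bo that has nothing left to tear down, where it previously moved on to the next one. Please either note in the commit message that this extra trylock failure path is accepted, or confirm that the shrinker caller treats -EDEADLK as "retry later" rather than as a hard failure. Separately, the new comment says the walk tears down "the non-evicted ones", which relies on the body of `drm_gpuvm_bo_for_each_va()` skipping VAs that were already invalidated; that check is outside this hunk, so naming the per-VA state it keys on in the comment would make the partially evicted case easier to audit. Minor wording: "mess up with the internal gpuvm lists" reads better as "corrupt the internal gpuvm lists".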