From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/panthor: Avoid potential UAF due to memory reclaim
Date: Sun, 12 Apr 2026 09:28:38 +1000
In-Reply-To: <20260410195050.687201-1-akash.goel@arm.com>
References: <20260410195050.687201-1-akash.goel@arm.com>

Overall Series Review

Subject: drm/panthor: Avoid potential UAF due to memory reclaim
Author: Akash Goel
Patches: 1
Reviewed: 2026-04-12T09:28:38.331168

---

This is a single-patch fix for a real use-after-free vulnerability in the panthor GPU driver's shrinker path. The bug was introduced by `fb42964e2a76 ("drm/panthor: Add a GEM shrinker")`. The scenario is:

1. Shrinker evicts a BO, invalidating all GPU mappings and setting `vm_bo->evicted = true`.
2. A new GPU mapping is subsequently created for that BO (adding a VA to the same vm_bo).
3. The BO goes back onto a reclaim list due to the new mapping.
4. Shrinker fires again — but the old code's `if (vm_bo->evicted) continue` skips the entire vm_bo, **including** the VA walk that would tear down the new mapping.
5. Backing pages are freed while still GPU-mapped → UAF.

The fix is correct and well-targeted: it removes the early `continue` and instead only gates the `drm_gpuvm_bo_evict()` call on the evicted flag, while always running the VA invalidation loop.

**Verdict: The patch is correct and fixes a real vulnerability. One minor comment accuracy issue noted below.**

---

---
Generated by Claude Code Patch Reviewer
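
The sequence in steps 1-5 above, replayed in a small user-space C model. This is an added example, not the panthor driver's code and not part of the original review; the `model_*` names and the struct are hypothetical simplifications of the state the review describes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified user-space model; these types and names are hypothetical,
 * not the panthor or drm_gpuvm structures. */
#define MAX_VAS 4

struct model_vm_bo {
    bool evicted;              /* stands in for vm_bo->evicted */
    bool va_mapped[MAX_VAS];   /* true while a VA still maps the BO's pages */
};

static void model_map_va(struct model_vm_bo *vm_bo, size_t idx)
{
    vm_bo->va_mapped[idx] = true;    /* a GPU mapping added to this vm_bo */
}

/* One shrinker pass over a single vm_bo. skip_if_evicted selects the
 * pre-fix behaviour (early continue) or the fixed behaviour. */
static void model_shrink(struct model_vm_bo *vm_bo, bool skip_if_evicted)
{
    if (skip_if_evicted && vm_bo->evicted)
        return;                      /* old code: the VA walk is skipped too */

    if (!vm_bo->evicted)
        vm_bo->evicted = true;       /* fixed code gates only the evict call */

    for (size_t i = 0; i < MAX_VAS; i++)
        vm_bo->va_mapped[i] = false; /* VA invalidation always runs */
}

/* Replays steps 1-5 and returns how many VAs still map the BO at the point
 * where its backing pages would be freed. Non-zero means stale GPU mappings. */
static int model_stale_mappings(bool skip_if_evicted)
{
    struct model_vm_bo vm_bo = { 0 };
    int stale = 0;

    model_map_va(&vm_bo, 0);
    model_shrink(&vm_bo, skip_if_evicted);  /* step 1: first eviction */
    model_map_va(&vm_bo, 1);                /* step 2: new mapping, same vm_bo */
    model_shrink(&vm_bo, skip_if_evicted);  /* step 4: shrinker fires again */

    for (size_t i = 0; i < MAX_VAS; i++)
        stale += vm_bo.va_mapped[i];
    return stale;                           /* step 5: pages are freed here */
}
```

With the early skip the model ends with one mapping still live when the pages go away; with only the evict call gated it ends with none.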