On Fri, Oct 31, 2025 at 04:48:15PM +0100, Boris Brezillon wrote:
> If the MMU is down, panthor_vm_unmap_range() might return an error.
> We expect the page table to be updated still, and if the MMU is blocked,
> the rest of the GPU should be blocked too, so no risk of accessing
> physical memory returned to the system (which the current code doesn't
> cover for anyway).
>
> Proceed with the rest of the cleanup instead of bailing out and leaving
> the va_node inserted in the drm_mm, which leads to UAF when other
> adjacent nodes are removed from the drm_mm tree.
>
> Reported-by: Lars-Ivar Hesselberg Simonsen <[email protected]>
> Closes: https://gitlab.freedesktop.org/panfrost/linux/-/issues/57
> Fixes: 8a1cc07578bf ("drm/panthor: Add GEM logical block")
> Signed-off-by: Boris Brezillon <[email protected]>
Reviewed-by: Liviu Dudau <[email protected]> Best regards, Liviu > --- > drivers/gpu/drm/panthor/panthor_gem.c | 14 +++----------- > 1 file changed, 3 insertions(+), 11 deletions(-) > > diff --git a/drivers/gpu/drm/panthor/panthor_gem.c > b/drivers/gpu/drm/panthor/panthor_gem.c > index 7e7d2f223cfa..f369cc3e2a5f 100644 > --- a/drivers/gpu/drm/panthor/panthor_gem.c > +++ b/drivers/gpu/drm/panthor/panthor_gem.c > @@ -87,7 +87,6 @@ static void panthor_gem_free_object(struct drm_gem_object > *obj) > void panthor_kernel_bo_destroy(struct panthor_kernel_bo *bo) > { > struct panthor_vm *vm; > - int ret; > > if (IS_ERR_OR_NULL(bo)) > return; > @@ -95,18 +94,11 @@ void panthor_kernel_bo_destroy(struct panthor_kernel_bo > *bo) > vm = bo->vm; > panthor_kernel_bo_vunmap(bo); > > - if (drm_WARN_ON(bo->obj->dev, > - to_panthor_bo(bo->obj)->exclusive_vm_root_gem != > panthor_vm_root_gem(vm))) > - goto out_free_bo; > - > - ret = panthor_vm_unmap_range(vm, bo->va_node.start, bo->va_node.size); > - if (ret) > - goto out_free_bo; > - > + drm_WARN_ON(bo->obj->dev, > + to_panthor_bo(bo->obj)->exclusive_vm_root_gem != > panthor_vm_root_gem(vm)); > + panthor_vm_unmap_range(vm, bo->va_node.start, bo->va_node.size); > panthor_vm_free_va(vm, &bo->va_node); > drm_gem_object_put(bo->obj); > - > -out_free_bo: > panthor_vm_put(vm); > kfree(bo); > } > -- > 2.51.0 > -- ==================== | I would like to | | fix the world, | | but they're not | | giving me the | \ source code! / --------------- ¯\_(ツ)_/¯
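Review bot: In the second hunk (panthor_kernel_bo_destroy), the return value of panthor_vm_unmap_range() is now dropped without any in-code explanation, and the drm_WARN_ON() on the exclusive_vm_root_gem mismatch no longer stops the teardown. The commit message justifies ignoring the unmap error (page table still updated, GPU blocked along with the MMU), but that reasoning lives only in the changelog; a short comment above the call would keep a later reader from reinstating the early exit and, with it, the va_node left inserted in the drm_mm. The changelog does not cover the mismatch case: after this change a BO whose exclusive_vm_root_gem differs from panthor_vm_root_gem(vm) still goes through panthor_vm_unmap_range() and panthor_vm_free_va() on that vm, so it would help to state why continuing is the preferred behaviour there as well.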
