As reported by Chia-I [1], a race exists between drm_gem_lru_remove() and
drm_gem_lru_scan(), causing a UAF on a stack-allocated object.

This first patch fixes the problem at the panthor level by making sure we
never use drm_gem_lru_remove(). The second one fixes an undetected race
between drm_gem_lru_scan() and drm_gem_object_release(), and the last one
kills drm_gem_lru_remove() so no one else relying on the drm_gem_lru infra
gets bitten by this race again.

Adding the MSM maintainers to the loop, since it's the only other driver
relying on drm_gem_lru.

[1] https://gitlab.freedesktop.org/panfrost/linux/-/work_items/86

---
Boris Brezillon (3):
      drm/panthor: Don't use the racy drm_gem_lru_remove() helper
      drm/gem: Fix a race between drm_gem_lru_scan() and drm_gem_object_release()
      drm/gem: Stop exposing the racy/unsafe drm_gem_lru_remove() helper

 drivers/gpu/drm/drm_gem.c                | 63 ++++++++++++++------------------
 drivers/gpu/drm/panthor/panthor_device.h | 10 +++++
 drivers/gpu/drm/panthor/panthor_gem.c    |  5 ++-
 include/drm/drm_gem.h                    |  1 -
 4 files changed, 41 insertions(+), 38 deletions(-)
---
base-commit: 57f68ed1f08cd10f51a9091645fd5dfcc369a885
change-id: 20260506-panthor-shrinker-fixes-58c1f45cfc41

Best regards,
-- 
Boris Brezillon <[email protected]>
