[PATCH 0/3] drm/panthor: Fix a race in the shrinker logic

Next message: John Ogness: "[PATCH tty v4 6/6] serial: 8250: Add support for console flow control"
Previous message: John Ogness: "[PATCH tty v4 5/6] serial: 8250: Check LSR timeout on console flow control"
Next in thread: Boris Brezillon: "[PATCH 3/3] drm/gem: Stop exposing the racy/unsafe drm_gem_lru_remove() helper"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Boris Brezillon

Date: Wed May 06 2026 - 08:17:30 EST

As reported by Chia-I [1], a race exists between drm_gem_lru_remove()
and drm_gem_lru_scan(), causing a UAF on a stack-allocated object.

This first patch fixes the problem at the panthor level by making
sure we never use drm_gem_lru_remove(). The second one fixes an
undetected race between drm_gem_lru_scan() and
drm_gem_object_release(), and the last one kills drm_gem_lru_remove()
so no one else relying on the drm_gem_lru infra gets bitten by this
race again.

Adding the MSM maintainers to the loop, since it's the only other
driver relying on drm_gem_lru.

[1]https://gitlab.freedesktop.org/panfrost/linux/-/work_items/86

---
Boris Brezillon (3):
drm/panthor: Don't use the racy drm_gem_lru_remove() helper
drm/gem: Fix a race between drm_gem_lru_scan() and drm_gem_object_release()
drm/gem: Stop exposing the racy/unsafe drm_gem_lru_remove() helper

drivers/gpu/drm/drm_gem.c | 63 ++++++++++++++------------------
drivers/gpu/drm/panthor/panthor_device.h | 10 +++++
drivers/gpu/drm/panthor/panthor_gem.c | 5 ++-
include/drm/drm_gem.h | 1 -
4 files changed, 41 insertions(+), 38 deletions(-)
---
base-commit: 57f68ed1f08cd10f51a9091645fd5dfcc369a885
change-id: 20260506-panthor-shrinker-fixes-58c1f45cfc41

Best regards,
--
Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx>