From: Boris Brezillon boris.brezillon@collabora.com
[ Upstream commit 576c930e5e7dcb937648490611a83f1bf0171048 ]
The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.
Fixes: 8a1cc07578bf ("drm/panthor: Add GEM logical block") Signed-off-by: Boris Brezillon boris.brezillon@collabora.com Reviewed-by: Steven Price steven.price@arm.com Reviewed-by: Liviu Dudau liviu.dudau@arm.com Signed-off-by: Steven Price steven.price@arm.com Link: https://patch.msgid.link/20251107171214.1186299-1-boris.brezillon@collabora.... (cherry picked from commit 576c930e5e7dcb937648490611a83f1bf0171048) [Harshit: Resolve conflicts due to missing commit: fe69a3918084 ("drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code") in 6.12.y] Signed-off-by: Harshit Mogalapalli harshit.m.mogalapalli@oracle.com --- drivers/gpu/drm/panthor/panthor_gem.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/panthor/panthor_gem.c index 0438b80a6434..09b318fb8e7c 100644 --- a/drivers/gpu/drm/panthor/panthor_gem.c +++ b/drivers/gpu/drm/panthor/panthor_gem.c @@ -214,6 +214,23 @@ panthor_gem_create_with_handle(struct drm_file *file, bo->base.base.resv = bo->exclusive_vm_root_gem->resv; }
+ /* If this is a write-combine mapping, we query the sgt to force a CPU + * cache flush (dma_map_sgtable() is called when the sgt is created). + * This ensures the zero-ing is visible to any uncached mapping created + * by vmap/mmap. + * FIXME: Ideally this should be done when pages are allocated, not at + * BO creation time. + */ + if (shmem->map_wc) { + struct sg_table *sgt; + + sgt = drm_gem_shmem_get_pages_sgt(shmem); + if (IS_ERR(sgt)) { + ret = PTR_ERR(sgt); + goto out_put_gem; + } + } + /* * Allocate an id of idr table where the obj is registered * and handle has the id what user can see. @@ -222,6 +239,7 @@ panthor_gem_create_with_handle(struct drm_file *file, if (!ret) *size = bo->base.base.size;
+out_put_gem: /* drop reference from allocate - handle holds it now. */ drm_gem_object_put(&shmem->base);