The array ppsPMR in DEVMEMXINT_RESERVATION holds references to PMR structures (using PMRRefPMR2()), intending to prevent the PMRs' physical memory from being released. However, PMRs with PVRSRV_MEMALLOCFLAG_NO_OSPAGES_ON_ALLOC (which for OSMem PMRs internally translates to FLAG_ONDEMAND) can release their backing physical pages while references to the PMR still exist; PMRLockSysPhysAddresses() must be used to prevent a PMR's backing pages from disappearing, as is done in DevmemIntMapPMR2(). Therefore, it is currently possible to free a PMR's backing pages while the PMR is still mapped into a DEVMEMXINT_RESERVATION, leading to a physical page use-after-free.
Qualcomm KGSL has an issue where reclaimed or in-reclaim objects can still be mapped into VBOs.
An LSM can prevent the fcntl/close race cleanup path in fcntl_setlk() from working, leading to a use-after-free read in lock_get_status() when reading /proc/locks.
PowerVR suffers from a use-after-free vulnerability in DevmemIntChangeSparse2() on a PMRGetUID() call.
Linux has an issue where Landlock can be disabled due to a missing cred_transfer hook.
Two security issues have been identified in PowerVR during patch review.
Improper handling of VM_IO|VM_PFNMAP VMAs in KVM can bypass read-only checks and can lead to pages being freed while still accessible by the VMM and the guest. This is a proof-of-concept exploit produced by Google.
In Linux DRM, drm_file_update_pid() calls get_pid() too late, which creates a race condition that can lead to a use-after-free of a struct pid.
PowerVR has an issue where wrapping addition in _DevmemXReservationPageAddress() causes an MMU operation at the wrong address.
PowerVR has integer overflows in DevmemXIntMapPages() and DevmemXIntUnmapPages(), exploitable as dangling GPU page table entries.
PowerVR PMR allows physical memory to be freed before GPU TLB invalidation.
PowerVR has an issue with missing tracking of multiple sparse mappings in DevmemIntChangeSparse2() that leads to a dangling page table entry.
The PowerVR driver does not sanitize ZS-Buffer / MSAA scratch firmware addresses.
PowerVR suffers from an out-of-bounds write of firmware addresses in PVRSRVRGXKickTA3DKM().
PowerVR suffers from an uninitialized memory disclosure and crash due to out-of-bounds reads in the hwperf_host_%d stream.
PowerVR suffers from an issue where DevmemXIntMapPages() allows mapping sDevZeroPage/sDummyPage without holding a reference.
PowerVR suffers from a wrong order of operations in DevmemIntChangeSparse2() that leads to a temporarily dangling page table entry.
PowerVR suffers from a use-after-free vulnerability in _UnrefAndMaybeDestroy().
Arm Mali versions since r45p0 suffer from a broken KBASE_USER_BUF_STATE_* state machine for userspace mappings that can lead to a use-after-free condition.
In mmu_insert_pages_no_flush(), when a HUGE_HEAD page is mapped to a 2M aligned GPU address, this is done by creating an Address Translation Entry (ATE) at MIDGARD_MMU_LEVEL(2) (in other words, an ATE covering 2M of memory is created). This is wrong because it assumes that at least 2M of memory should be mapped. mmu_insert_pages_no_flush() can be called in cases where less than that should be mapped, for example when creating a short alias of a big native allocation. Later, when kbase_mmu_teardown_pgd_pages() tries to tear down this region, it will detect that unmapping a subsection of a 2M ATE is not possible and write a log message complaining about this, but then proceed as if everything was fine while leaving the ATE intact. This means the higher-level code will proceed to free the referenced physical memory while the ATE still points to it.
PowerVR has a security issue where a writability check in PMRMMapPMR() does not clear VM_MAYWRITE.
PowerVR has an issue where DevmemIntUnexportCtx destroys the export before unlinking it, leading to a use-after-free condition.
Linux versions starting with 6.5 suffer from a read-after-type-change of folio in cachestat() that leads to a kernel pointer leak.
PowerVR has an issue where the RGXCreateZSBufferKM2 error path frees the object while it is still on a list.
Chrome has an issue where the chrome.pageCapture.saveAsMHTML() extension API can be used on blocked origins due to a racy access check.