Bug 2396434 (CVE-2023-53378)

Summary: CVE-2023-53378 kernel: drm/i915/dpt: Treat the DPT BO as a framebuffer
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-09-18 14:04:56 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/i915/dpt: Treat the DPT BO as a framebuffer

Currently i915_gem_object_is_framebuffer() doesn't treat the
BO containing the framebuffer's DPT as a framebuffer itself.
This means eg. that the shrinker can evict the DPT BO while
leaving the actual FB BO bound, when the DPT is allocated
from regular shmem.

That causes an immediate oops during hibernate as we
try to rewrite the PTEs inside the already evicted
DPT obj.

TODO: presumably this might also be the reason for the
DPT related display faults under heavy memory pressure,
but I'm still not sure how that would happen as the object
should be pinned by intel_dpt_pin() while in active use by
the display engine...

(cherry picked from commit 779cb5ba64ec7df80675a956c9022929514f517a)
Comment 1 Keith Grant 2025-09-18 16:36:24 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091856-CVE-2023-53378-3d98@gregkh/T