2396434 – (CVE-2023-53378) CVE-2023-53378 kernel: drm/i915/dpt: Treat the DPT BO as a framebuffer

Bug 2396434 (CVE-2023-53378) - CVE-2023-53378 kernel: drm/i915/dpt: Treat the DPT BO as a framebuffer

Summary: CVE-2023-53378 kernel: drm/i915/dpt: Treat the DPT BO as a framebuffer

Keywords:
Status:	NEW
Alias:	CVE-2023-53378
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-18 14:04 UTC by OSIDB Bzimport
Modified:	2025-09-18 16:39 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-18 14:04:56 UTC

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/dpt: Treat the DPT BO as a framebuffer

Currently i915_gem_object_is_framebuffer() doesn't treat the
BO containing the framebuffer's DPT as a framebuffer itself.
This means eg. that the shrinker can evict the DPT BO while
leaving the actual FB BO bound, when the DPT is allocated
from regular shmem.

That causes an immediate oops during hibernate as we
try to rewrite the PTEs inside the already evicted
DPT obj.

TODO: presumably this might also be the reason for the
DPT related display faults under heavy memory pressure,
but I'm still not sure how that would happen as the object
should be pinned by intel_dpt_pin() while in active use by
the display engine...

(cherry picked from commit 779cb5ba64ec7df80675a956c9022929514f517a)

Comment 1 Keith Grant 2025-09-18 16:36:24 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091856-CVE-2023-53378-3d98@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.